Security Advisory: Web 2.0, AJAX and Client Security Logic

Web 2.0 development frameworks such as AJAX are placing increasing emphasis on client-side browser code (JavaScript, etc.) as a mechanism for improving user experience. In some cases, this emphasis on client code has extended to include security logic. Unfortunately, client-side security is subject to evasion by attackers who manipulate client communications using commonly available tools. The Imperva Application Defense Center has identified a significant vulnerability in the security logic of a well known open source AJAX library called DWR that illustrates this point. (see: Hacking AJAX DWR Applications) An exploit of this vulnerability can result in multiple damaging outcomes including data theft and denial of service. This security advisory discusses the vulnerability and available workarounds.

AJAX DWR Forceful Method Invocation Vulnerability

The Imperva Application Defense center has identified a significant vulnerability in DWR – a well known open source AJAX library that is incorporated into existing public Web sites. AJAX DWR includes two mechanisms that restrict access to sensitive functions (or “methods”). However, these mechanisms only affect client side code. Thus, an attacker can circumvent these restrictions using commonly available client tools (e.g. an HTTP client proxy) to manually manipulate browser requests. An exploit of this vulnerability can result in multiple damaging outcomes including data theft and denial of service.

Example – Java Clone and Denial of Service

An example of a sensitive Java function that may be accessed by an exploit of the AJAX DWR Restricted Method Vulnerability is “Java clone”. Although access to Java clone is generally undesirable, the DWR Forceful Method Invocation vulnerability can be exploited to construct requests that repeatedly invoke this function. Since server memory space is allocated for each Java clone invocation, a steep increase in server resource usage and denial of service conditions follow. The Imperva Application Defense Center has implemented tests confirming this result. Forceful access to other sensitive Web site functions can lead to alternative outcomes such as data theft.

Risk Mitigation

Mitigating AJAX DWR Forceful Method Invocation risk requires secure code development to eliminate exposed classes that have methods which should not be invoked by the client. The code writing effort varies in complexity depending upon the phase of Web application deployment. Securing applications during initial development is less costly than securing existing applications. Imperva’s SecureSphere Web Application Firewall can be used to accelerate and reduce the cost of risk mitigation – especially for existing Web applications.

Lesson Learned – Put Security on the Server

Client-side browser code is increasingly being applied by software developers as a mechanism for improving Web user experience. In some cases, this emphasis on client-side code has extended to include security logic. However, implementation of client-side security logic is subject to circumvention by attackers who manipulate client communications using commonly available tools. AJAX DWR Forceful Method Invocation illustrates this point. Whenever possible, Web application security logic should be implemented in server code. Server logic is less accessible to attackers and therefore less vulnerable.

Disclaimer

The information within this advisory is subject to change without notice. Use of this information constitutes acceptance for use in an AS IS condition. Any use of this information is at the user’s own risk. There are no warranties, implied or expressed, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information.

Redistribution of this alert electronically is allowed as long as it is not edited in any way. To reprint this alert, in whole or in part, in any medium other than electronic medium, adc@imperva.com for permission.