SEARCH RESULTS
 
Showing 1-3 of 3 records

DWR 2.0.5 Fixes XSS Vulnerability

2008-06-30 03:04:21 by Chris Eng in Zero in a bit
 
DWR 2.0.5 addresses an XSS vulnerability that is likely to be exploitable in most 2.0.4 installations. If your web application uses DWR's Ajax implementation, download and install this update now. As an aside, I've been a fan of DWR for a while now, not only because of its ease of integration but also because it was the first Ajax framework to...
 
 
 
 
 

Minimizing the Attack Surface, Part 2

2008-07-07 21:10:25 by Chris Eng in Zero in a bit
 
...DWR 2.0.5 from the other day. DWR is an Ajax framework that has a variety of operating modes. In-house, we use a subset of DWR's full functionality; specifically, we interact with it using the plaincall method only, so we made sure that the features we didn't need were disabled via the configuration file. As it turned out, there were vulnerable...
 
 
 
 
 

Minimizing the Attack Surface, Part 1

2008-06-24 19:09:34 by Chris Eng in Zero in a bit
 
...DWR, GWT, Axis, and Dojo, plus about 30 other libraries to do everything from logging to parsing to image manipulation. Nine out of ten times, the libraries will be installed in full, using the default configuration from page one of the README file. Why is this relevant? Because just as those old Unix boxes exposed unnecessary services,...
 
 
 
 
 
 
 
SecurityRatty FAQ
Sergey Zarubin, 31yo
CISSP, CCSP
Moscow, Russia