DWR 2.0.5 addresses an XSS vulnerability that is likely to be exploitable in most 2.0.4 installations. If your web application uses DWR's Ajax implementation, download and install this update now!

As an aside, I've been a fan of DWR for a while now, not only because of its ease of integration but also because it was the first Ajax framework to offer built-in CSRF protection. You could tell that Joe Walker was taking security seriously. For this particular vulnerability, I e-mailed him on a Saturday night, and within 12 hours, he had confirmed the problem, patched the code, and built a 2.0.5 release candidate. Granted, it was a tiny code change, but I've still never seen a response that fast. Less than a week later, the official 2.0.5 release was tested and available for download.

That's it for now, but I'll be referencing this example again when I get around to writing Part 2 of my Minimizing the Attack Surface post.

FREE Security Tutorials from Veracode

Cyber Security Threats
Mobile Phone Security
Flash Player Security
SQL Injection Attack
CRLF Injection

Veracode Security Solutions

Software Security Testing
Binary Code Analysis
Application Testing

Veracode Data Security Resources

Data Breaches
Data Loss Prevention
Data Security

About Chris Eng

Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Comments (1)

Liav | January 3, 2011 10:30 am


According to your findings i justed upgraded my jar from DWR2.0.1 to 2.0.5 but still my we application isn't checked for XSS attacks.

E.G: When i insert user name such as test i get a normal flow as if the DWR handling hasn't checked the input for scripting tags at all.

Am i required to configure anything? Maybe to add an HTTP wrapper filter (as i saw implemented in several sites) ?

Please Post Your Comments & Reviews

Your email address will not be published. Required fields are marked *

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.