Skip to main content
June 29, 2008

DWR 2.0.5 Fixes XSS Vulnerability

DWR 2.0.5 addresses an XSS vulnerability that is likely to be exploitable in most 2.0.4 installations. If your web application uses DWR's Ajax implementation, download and install this update now!

As an aside, I've been a fan of DWR for a while now, not only because of its ease of integration but also because it was the first Ajax framework to offer built-in CSRF protection. You could tell that Joe Walker was taking security seriously. For this particular vulnerability, I e-mailed him on a Saturday night, and within 12 hours, he had confirmed the problem, patched the code, and built a 2.0.5 release candidate. Granted, it was a tiny code change, but I've still never seen a response that fast. Less than a week later, the official 2.0.5 release was tested and available for download.

That's it for now, but I'll be referencing this example again when I get around to writing Part 2 of my Minimizing the Attack Surface post.

FREE Security Tutorials from Veracode

Cyber Security ThreatsMobile Phone SecurityFlash Player SecuritySQL Injection AttackCRLF Injection

Veracode Security Solutions

Software Security TestingBinary Code AnalysisApplication Testing

Veracode Data Security Resources

Data BreachesData Loss PreventionData Security

Related Content

Chris Eng, Chief Research Officer, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.