Q&A with Amichai Shulman on the Critical Vulnerability in AJAX Technology
by Mirko Zorz - HNS Chief Editor - Friday, 5 January 2007.
Recently, the Imperva Application Defense Center announced the discovery of a critical vulnerability in DWR (Direct Web Reporting), a key underlying technology in the AJAX web application development framework. This client-side vulnerability can be exploited to launch Denial of Service attacks and break into back-end servers and databases.

To discuss this vulnerability and its implications we talked with Amichai Shulman, the co-founder and CTO of Imperva, where he heads the ADC. Under his direction, the ADC has been credited with the discovery of serious vulnerabilities in commercial Web application and database products, including Oracle, IBM, and Microsoft.

In your opinion, what is going to be the impact of this vulnerability?

This is very alarming for any application using DWR. It requires application programmers to take immediate actions as a workaround. I think DWR writers will have to issue a patched version soon.
Are you expecting more such vulnerabilities in the near future?

I certainly do. Most people think of AJAX vulnerabilities in terms of a client side problem. However, in reality AJAX is vulnerable to server side vulnerabilities as well. This is 100% true for AJAX frameworks that comprise a server side component (DWR, GWT, Amazon). This type of vulnerability is also very likely to affect applications that use client only frameworks because programmers tend to shift the application logic from the server to the client, and they sometimes shift security logic together with it. The result is that the server is left vulnerable to direct attacks that bypass the "legitimate" client side code.
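
To make the pattern in that answer concrete (security logic shifted to the client, leaving the server-side remoting method reachable by direct calls), here is an added example that is not from the interview or from the DWR project: a simplified Python model of an AJAX remoting endpoint, with the session store, records and method names all constructed for illustration. The first handler trusts a privilege flag the client computes; the second derives authorization only from server-side session state.

```python
"""Model of a DWR-style remoting endpoint: client-decided vs server-decided
authorization. All data below is constructed for illustration."""


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


# Constructed server-side state: sessions issued at login, and per-user records.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-root": {"user": "root", "role": "admin"},
}
RECORDS = {"alice": {"balance": 100}, "bob": {"balance": 250}}


def get_record_vulnerable(session_id, owner, is_admin):
    """Weak pattern: the client-side script checks the role and then sends
    is_admin=true/false. The server honours that flag, so anyone who calls the
    remoting URL directly (bypassing the page's JavaScript) can set it."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        raise Forbidden()
    if owner != sess["user"] and not is_admin:
        raise Forbidden()
    return RECORDS[owner]


def get_record_hardened(session_id, owner):
    """Fixed pattern: no trust decision is accepted from the client. The role
    comes from the server session, so a direct call gains nothing."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        raise Forbidden()
    if owner != sess["user"] and sess["role"] != "admin":
        raise Forbidden()
    return RECORDS[owner]


def dispatch(handlers, call):
    """Minimal remoting dispatcher: call = {"method": name, "params": {...}}.
    Mirrors how an AJAX framework maps a request onto an exposed server method."""
    handler = handlers.get(call["method"])
    if handler is None:
        return {"ok": False, "error": "unknown method"}
    try:
        return {"ok": True, "result": handler(**call["params"])}
    except Forbidden:
        return {"ok": False, "error": "forbidden"}


VULNERABLE_HANDLERS = {"getRecord": get_record_vulnerable}
HARDENED_HANDLERS = {"getRecord": get_record_hardened}
```

Running the same cross-user request through both handler tables shows the difference: the flag-trusting endpoint returns another user's record to an ordinary session, while the hardened one returns "forbidden" unless the server-side session actually carries the admin role.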

What do you think about the full disclosure of vulnerabilities?

The guiding principle of the Imperva Application Defense Center (ADC) is to protect customers. As a result, we follow the vulnerability disclosure protocol of each platform we research. For example, when working with commercial software platforms like Oracle, IBM DB2, Sybase, and Microsoft SQL Server, the ADC submits vulnerability discoveries to the appropriate vendor so they can issue a patch or fix in a timely fashion. Once a patch has been released, the ADC publishes a free technical advisory that explains the vulnerability and how to mitigate it. To protect our customers until a patch is released, Imperva automatically updates our SecureSphere Database security appliances and web application firewalls with the means to identify and mitigate the attack.

Copyright 1998-2013 by Help Net Security.