180 Hacking Exposed Web 2.0

Although, by default, DWR doesn't expose all classes in a web application, once a class has been marked to be exposed it will expose all methods in that class. If a class contains methods that should not be exposed to users, developers need to use the include and exclude elements to perform finer-grained access control. Fortunately for developers, testing for this exposure is far easier for them than for attackers. For developers, before each class is exposed, the included methods should be quickly reviewed to ensure that only approved methods are being exposed. On the attacking side, attackers need to obtain a full list of the methods exposed by the application and then comb through this list to attempt to find any unintentionally exposed sensitive methods. The process of obtaining the methods exposed by the application is covered in Chapter 6 as well as in the following attack exposure.
Debug Mode
Popularity: 2
Simplicity: 6
Impact: 3
Risk Rating: 4
A common exposure that can affect DWR web applications is leaving debug mode enabled. Developers often leave debug mode enabled once testing is complete, which lets attackers obtain information about the web application.
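As an added illustration (not code from the book), a small Python check a developer can run over dwr.xml and web.xml during review: for each exposed class it reports whether the creator narrows the surface with include or exclude elements or leaves DWR's default of exposing every public method, and whether the DwrServlet declaration sets its debug init-param to true. The two XML documents are constructed samples with the DOCTYPE and namespaces omitted.

```python
import xml.etree.ElementTree as ET
# Constructed sample configs (not from the book); DOCTYPE and namespaces omitted.
DWR_XML = """<dwr><allow>
  <create creator="new" javascript="AccountService">
    <param name="class" value="com.example.AccountService"/>
    <include method="getBalance"/>
  </create>
  <create creator="new" javascript="AdminService">
    <param name="class" value="com.example.AdminService"/>
  </create>
  <create creator="new" javascript="UserService">
    <param name="class" value="com.example.UserService"/>
    <exclude method="deleteUser"/>
  </create>
</allow></dwr>"""

WEB_XML = """<web-app><servlet>
  <servlet-name>dwr-invoker</servlet-name>
  <servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class>
  <init-param><param-name>debug</param-name><param-value>true</param-value></init-param>
</servlet></web-app>"""

def audit_dwr_exposure(dwr_xml):
    """Map each <create> javascript name to how its methods are exposed: DWR
    exposes every public method unless <include> or <exclude> elements narrow it."""
    findings = {}
    for create in ET.fromstring(dwr_xml).iter("create"):
        includes = [i.get("method") for i in create.findall("include")]
        excludes = [e.get("method") for e in create.findall("exclude")]
        if includes:
            status = "allowlist"    # only the listed methods are callable
        elif excludes:
            status = "denylist"     # a method added to the class later is exposed
        else:
            status = "all-methods"  # the class's whole public surface is remote-callable
        findings[create.get("javascript")] = status
    return findings

def dwr_debug_enabled(web_xml):
    """True if a DwrServlet declaration carries init-param debug=true."""
    for servlet in ET.fromstring(web_xml).iter("servlet"):
        if not servlet.findtext("servlet-class", default="").strip().endswith("DwrServlet"):
            continue
        for param in servlet.findall("init-param"):
            name = param.findtext("param-name", default="").strip()
            value = param.findtext("param-value", default="").strip().lower()
            if name == "debug" and value == "true":
                return True
    return False
```

Creators reported as "all-methods" or "denylist" are the ones to review, since any public method not explicitly excluded is remotely callable.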