This is accomplished by using the following settings in the dwr-servlet
section of the WEB-INF/web.xml configuration file:

    <init-param>
      <param-name>debug</param-name>
      <param-value>false</param-value>
    </init-param>
Alternatively, you can simply remove the debug parameter entirely from the web.xml
configuration file.
Chapter 7: AJAX Framework Exposures 181
Regarding exposure to CSRF and JavaScript hijacking attacks, DWR is unique among
AJAX frameworks. The 1.x branch of DWR is similar to other AJAX frameworks in that
it includes no protections against CSRF and JavaScript hijacking attacks. However, the
2.x branch of DWR does include protections against CSRF and JavaScript hijacking by
using the JSESSIONID cookie value. Instead of simply verifying the JSESSIONID
cookie value in the request header, DWR 2.x also appends the cookie value to the body of an HTTP
POST request. If this cookie value is not present in the body of the POST request, then the
request is rejected. This and other CSRF topics are discussed in Chapter 4.
These anti-CSRF protections are enabled out of the box on all DWR 2.x applications.
However, DWR offers a way for developers to disable these protections if they are interfering
with their web application.
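As an added illustration (not code from the book or from DWR itself), the following Python models the DWR 2.x check described above on constructed requests: the JSESSIONID cookie in the header must also appear in the POST body, and a body that lacks it or carries a different value is rejected. The body field name httpSessionId and the newline-separated key=value body layout are assumptions about the DWR 2.x wire format made for this example.

```python
import hmac
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple


def parse_dwr_body(body: str) -> Dict[str, str]:
    """Parse a DWR-style POST body of newline-separated key=value fields (assumed layout)."""
    fields: Dict[str, str] = {}
    for line in body.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def session_id_from_cookie(cookie_header: str) -> Optional[str]:
    """Extract the JSESSIONID value from a raw Cookie header, or None if absent."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("JSESSIONID")
    return morsel.value if morsel else None


def check_dwr_csrf(headers: Dict[str, str], body: str) -> Tuple[bool, str]:
    """Model of the DWR 2.x anti-CSRF rule: the session cookie must be echoed in the body.

    A cross-site forgery can make the browser attach the cookie header, but the
    attacker cannot read the cookie value and so cannot place it in the body.
    Comparing the two (rather than only checking presence) is the stricter form
    of the rule; a mismatch is treated as a rejection here.
    """
    cookie_sid = session_id_from_cookie(headers.get("Cookie", ""))
    if cookie_sid is None:
        return False, "no JSESSIONID cookie on request"
    body_sid = parse_dwr_body(body).get("httpSessionId")
    if not body_sid:
        return False, "httpSessionId missing from POST body"
    if not hmac.compare_digest(body_sid, cookie_sid):
        return False, "httpSessionId in body does not match cookie"
    return True, "ok"


# Constructed sample requests (not captured traffic).
LEGIT_HEADERS = {"Cookie": "JSESSIONID=CONSTRUCTED1234; theme=dark"}
LEGIT_BODY = "callCount=1\nhttpSessionId=CONSTRUCTED1234\nc0-scriptName=Demo\nc0-methodName=list\n"
# Forged cross-site POST: browser adds the cookie, attacker-built body cannot include it.
FORGED_BODY = "callCount=1\nhttpSessionId=\nc0-scriptName=Demo\nc0-methodName=list\n"
```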