Unfortunately, with Web 2.0 applications, the line of what functionality gets exposed to users has often shifted. This is partially the case with Xajax applications, although less so than with other AJAX frameworks. While by default every method of the application has to be registered manually, Xajax gives developers an easy way to register all methods in the application. If developers have class definitions with a large number of methods, they can use code provided on the Xajax site (http://wiki.xajaxproject.org/Xajax_0.2:_Tips_and_Tricks:_Auto_Register_Methods) to register all the methods of a given class automatically. This is a smaller attack surface than in other frameworks, because a developer has to take additional steps to expose all methods, but it should not be overlooked. As with any other framework, because Xajax provides developers with easy ways to expose every method in their application, developers need to ensure that they do not accidentally expose any sensitive methods. On the attacking side, attackers will need to obtain a full list of the methods exposed by the application and then comb through this list looking for any unintentionally exposed sensitive methods.
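The following is an added example (not code from the book or the Xajax project) that puts the blanket auto-register recipe beside an explicit allowlist and an audit helper that reports what the recipe would expose beyond the allowlist. It assumes the Xajax 0.2 form `$xajax->registerFunction(array($alias, &$object, $method))` and `processRequests()`; the `AccountService` class and the include path are constructed for illustration.

```php
<?php
// Added example, not from the book or the Xajax project. The registerFunction()
// array form and processRequests() are assumed from the Xajax 0.2 API.
require_once 'xajax/xajax.inc.php';   // placeholder include path

class AccountService {                 // constructed sample class
    private $balances = array('A1' => 100, 'A2' => 50);
    public function getBalance($accountId) { return $this->balances[$accountId]; }
    public function transfer($from, $to, $amount) {
        $this->balances[$from] -= $amount; $this->balances[$to] += $amount; return true;
    }
    public function resetAdminPassword($userId) { return 'reset:' . $userId; } // not for clients
}

// Risky pattern from the auto-register recipe: every public method of the object,
// including resetAdminPassword(), becomes callable from the browser.
function registerAllMethods(xajax $xajax, $obj) {
    foreach (get_class_methods($obj) as $method) {
        $xajax->registerFunction(array($method, &$obj, $method));
    }
}

// Safer pattern: only names on an explicit per-class allowlist are registered, and
// a typo in the list fails loudly instead of silently exposing nothing or everything.
function registerAllowlisted(xajax $xajax, $obj, array $allowed) {
    $available = get_class_methods($obj);
    foreach ($allowed as $method) {
        if (!in_array($method, $available, true)) {
            throw new InvalidArgumentException("Unknown method: $method");
        }
        $xajax->registerFunction(array($method, &$obj, $method));
    }
    return $allowed;   // the exposed surface, worth logging for later audits
}

// Audit helper: public methods that blanket registration would expose but the
// allowlist does not. Review this list before deploying.
function unintendedExposure($obj, array $allowed) {
    return array_values(array_diff(get_class_methods($obj), $allowed));
}

$svc   = new AccountService();
$xajax = new xajax();
$exposed = registerAllowlisted($xajax, $svc, array('getBalance', 'transfer'));
// unintendedExposure($svc, $exposed) yields array('resetAdminPassword'): the method
// the auto-register recipe would have handed to any client.
$xajax->processRequests();
```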