Yesterday, I got an invitation to a new site that is currently in beta and I started playing around with it, viewing source and looking at their JavaScript as I would normally do on any site, when I suddenly, completely by accident, discovered a DWR test page. With DWR being an Ajax interface to Java, the test page was an auto-generated list of available method calls on the web API. Not only that, but it let me call any of these methods with whatever parameters I wanted.

With the site more or less completely built up via this method, there were 139 methods available to play with, including scary-looking combinations like listUsers() and deleteUser()… Now, it’s obviously up to the site’s developers to use some common sense when deciding what methods to make available to JavaScript calls, and to remove or protect this test page so that it can’t be accessed externally, but it looks to me like DWR has certainly made it easier for them to shoot themselves in the foot. I absolutely love this bit on the DWR security page: “it would be silly to worry too much about DWR when the rest of your web-app could be open”.
Oh, and for your information, it was difficult, but I resisted the temptation. I reported it to the developers without having made a single API call, and they closed the page up within a few minutes. I still think it seems very dangerous to make methods like deleteUser accessible via JavaScript, though.
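The two controls the post is talking about, the test page and the choice of which methods are reachable from JavaScript, both live in DWR's configuration. The fragment below is an added illustration for this post, not configuration taken from the site described or from the DWR project itself; it assumes DWR 2.x (servlet class `org.directwebremoting.servlet.DwrServlet`), a hypothetical `com.example.UserService` class, and the `listUsers` and `deleteUser` method names mentioned above. The auto-generated test/debug pages are served only while the servlet's `debug` init-param is true, and once a `<create>` block contains any `<include>` element, only the listed methods are exposed.

```xml
<!-- web.xml: the DWR servlet. debug=true is what publishes the
     /dwr/test/* pages that list and invoke every remoted method.
     Leave it false anywhere the application is reachable externally. -->
<servlet>
  <servlet-name>dwr-invoker</servlet-name>
  <servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>false</param-value>   <!-- weak setting would be: true -->
  </init-param>
</servlet>
<servlet-mapping>
  <servlet-name>dwr-invoker</servlet-name>
  <url-pattern>/dwr/*</url-pattern>
</servlet-mapping>

<!-- dwr.xml: decide per class which methods JavaScript may call.
     Without any <include>, every public method of the class is remoted. -->
<dwr>
  <allow>
    <create creator="new" javascript="UserService">
      <!-- com.example.UserService is an assumed, illustrative class name -->
      <param name="class" value="com.example.UserService"/>
      <!-- allow-list: only these methods are generated into the JS proxy -->
      <include method="listUsers"/>
      <include method="deleteUser"/>
      <!-- additionally require a J2EE container role for the destructive call -->
      <auth method="deleteUser" role="admin"/>
    </create>
  </allow>
</dwr>
```

Turning `debug` off removes the test page but not the underlying endpoint, so the `<include>` allow-list and the `<auth>` role check are the parts that actually limit what an anonymous caller can do; the role check only has teeth if the servlet container is configured to authenticate users into that role.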
I don’t think it’s fair to blame DWR because it contains a useful debugging function, which someone forgot to turn off when in beta.
The point I was trying to make in the security page is that you can look at a traditional webapp as a set of function calls (URLs) with parameters. When viewed like this it is very similar to DWR. You’re mocking DWR because it makes this obvious. In reality it was always there. Maybe I’ll edit the page to make this clearer.
Mocking DWR as a result of what someone else builds with it isn’t good criticism.