A bit more snooping around uncovered that the AJAX eval () preview script wasn’t secured by a CSRF token which could easily be exploited by a malicious hacker.

Of the 12 popular AJAX frameworks investigated by Fortify, only one—DWR 2.0—is designed to prevent malicious scripters from exploiting potential CSRF vulnerabilities.