javax.faces.ViewState vulnerabilities

koori · 20 Oct 2016, 22:24

currently we are using state saving method as server in the application configuration and all the pages contains unique value on the field "javax.faces.ViewState" & Application submits a serialized object javax.faces.ViewState in a request parameter

how can we avoid vulnerabilities/CSRF attack related to object "javax.faces.ViewState"?

Primeface4.0
JSF 2.0

-<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>server</param-value>
</context-param>

<context-param>
<param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
<param-value>true</param-value>
</context-param>

kukeltje · 21 Oct 2016, 13:39

Check stackoverflow... This is not a PrimeFaces issue

smokeybandit · 25 Oct 2016, 14:13

http://www.beyondjava.net/blog/jsf-view ... r-attacks/

smokeybandit · 25 Oct 2016, 14:15

kukeltje wrote:Check stackoverflow... This is not a PrimeFaces issue

And by default, ViewState is encrypted anyway.

kukeltje · 25 Oct 2016, 18:12

But in pre 2.2 is was not 100% good

https://java.net/jira/browse/JAVASERVER ... PUBLIC-869

smokeybandit · 25 Oct 2016, 18:20

kukeltje wrote:But in pre 2.2 is was not 100% good

https://java.net/jira/browse/JAVASERVER ... PUBLIC-869

But still a lot better than pre-2.0!

kukeltje · 25 Oct 2016, 20:07

smokeybandit wrote:
kukeltje wrote:But in pre 2.2 is was not 100% good

https://java.net/jira/browse/JAVASERVER ... PUBLIC-869
But still a lot better than pre-2.0!

+1

javax.faces.ViewState vulnerabilities

Who is online