myfaces-users mailing list archives

From "David Chandler" <>
Subject Re: Spoofing commandLink
Date Wed, 13 Dec 2006 22:03:36 GMT

I can't speak to Tomahawk's dataTable or updateActionListener, but
MyFaces' <h:dataTable> uses simple index values (0,1,2...) for each
row. By changing the index in the request, a hacker can access a
different row, but only from the set of rows that were in the data set
bound to the dataTable. I suspect that the Tomahawk tags behave the
same way. The safest way for you to check any such JSF behavior is to
grab a proxy tool like Paros that will let you inspect (and modify!)
the content of each request/response.

Also see for a link to a recent
ApacheCon presentation on securing JSF apps against parameter
tampering and other kinds of attacks.

As an aside, if you find that you need to put IDs in the URL (to
detect stale result sets or allow detail page bookmarks, for example),
you could use a JSF converter to hash the ID in the browser in order
to protect against parameter tampering as you've described.


On 12/13/06, Kevin Galligan <> wrote:
> I've been wondering something for a little while now.  Some of the CRUD-style
> links in my app use 'h:commandLink', with 't:updateActionListener' to
> set the particular element id value for that page.  In days past I'd put the
> id on the query string, so like ...
> /app/
> Now, obviously, you had to be careful because somebody could change the id
> value manually.  With JSF, using t:updateActionListener, can somebody change
> the id value sent?  If I'm 100% sure they couldn't, I could relax the access
> checking a little.
> Most of these links are in t:dataTables, with preserveDataModel="true".  If
> state is kept on the server, or encrypted on client (I think you can do
> that, right?), do I have to worry about the user getting access to something
> they shouldn't?
> Thanks in advance,
> -Kevin

David Chandler
Development Coach
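
The converter idea from the message above, as an added example (not code from this thread or from MyFaces). It assumes "hash" means a keyed hash (HMAC-SHA256) with a server-side key; the class name `SignedIdConverter`, the `<id>.<tag>` format and the inline key are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.convert.Converter;
import javax.faces.convert.ConverterException;

// Hypothetical converter: renders a Long ID as "<id>.<tag>" and rejects any
// submitted value whose tag does not match the ID it arrives with.
public class SignedIdConverter implements Converter {
    // Assumption: a server-side secret. This constructed value is a
    // placeholder; load the real key from protected configuration.
    private static final byte[] KEY =
            "constructed-demo-key".getBytes(StandardCharsets.UTF_8);

    static String tag(String id) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
            byte[] sig = mac.doFinal(id.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(sig);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HMAC-SHA256 unavailable", e);
        }
    }

    // Model -> page: emit the ID together with its tag.
    public String getAsString(FacesContext ctx, UIComponent c, Object value) {
        return value == null ? "" : value + "." + tag(value.toString());
    }

    // Request -> model: recompute the tag and compare in constant time.
    public Object getAsObject(FacesContext ctx, UIComponent c, String value) {
        if (value == null || value.isEmpty()) return null;
        int sep = value.indexOf('.');  // '.' occurs in neither a Long nor base64url
        if (sep < 1) throw new ConverterException("Malformed ID");
        String id = value.substring(0, sep);
        byte[] given = value.substring(sep + 1).getBytes(StandardCharsets.UTF_8);
        byte[] expected = tag(id).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, given)) {
            throw new ConverterException("ID failed integrity check");
        }
        return Long.valueOf(id);  // tag verified, so this converter emitted id
    }
}
```

Registered in faces-config.xml and attached to the component that carries the ID, it makes a modified ID fail conversion; whether the current user may access a validly signed ID remains a separate server-side check.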
