myfaces-users mailing list archives

From "Andrew Robinson" <andrew.rw.robin...@gmail.com>
Subject Re: View state- security
Date Sat, 19 Apr 2008 13:21:55 GMT
Although technically feasible to jack the state, it is not easy.
First, you have to make sure you reproduce the state in such a way
that it restores correctly. There are other complications, but if you
want client side state saving and are worried about hacking and
spying, you could write your own state saving manager that does
encryption and signing. State managers are pluggable, so it isn't that
hard and you could extend an existing one and just encrypt the
results.

Andrew
sent from my iPod

On 4/19/08, Kamal Parmar <parmaka@gmail.com> wrote:
> Hello People,
>
> I am a pen-tester so please bear with any lack of knowledge on my part ;)
>
> I am reviewing a MyFaces web application which appears to have very large
> values for View State being posted back.
> The View State, once base64 decoded and gunzipped, measures anywhere between
> 2000 to an amazing 70000 characters. Some of the characters are binary and
> cannot be viewed in a text editor. I am guessing this is because it is
> serialized data so it does not show as character data.
>
> As an indication it starts with:
>
> ...java.lang.Object...XY..s..xp..srsr
> Gorg.apache.myfaces.application.TreeStructureManager$TreeStructComponentFY
> ØœJöÏ
> [childrentJ[Lorg/apache/myfaces/application/TreeStructureManager$TreeStructComponent;L
>  _componentClasst  Ljava/lang/String;L  _componentIdq ~  [  _facetst
>  [Ljava/lang/Object;xpur
> J[Lorg.apache.myfaces.application.TreeStructureManager$TreeStructComponent;º¬'È
> … ª
> xp    sq ~  uq ~      sq ~  pt
> )javax.faces.component.html.HtmlOutputTextt....
>
> Then I get names of beans, properties, methods, navigation actions (next
> actions) and many repetitions of WEB-INF and html documents within it.
>
> My questions are:
> 1. How can I deserialise the string without having access to the application
> source code itself? The non-alphanumeric characters really throw me
> off-track and I cannot determine their relevance
> 2. Is it possible for an attacker to bypass application controls by
> inserting references to beans, properties, methods, navigation actions, etc
> which the attacker by design should not really have access to? I am thinking
> it might be possible for an attacker to inject ViewState which deserializes
> to a component tree the attacker should never have access to.
>
> Hope this makes sense. Any help much appreciated.
>
> cheers
>
> Kelly
>
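Worked example for the first question above (reading the blob without the application's classes), added here and not part of the thread or of MyFaces itself. What the poster decoded is a java.io.ObjectOutputStream stream: every class is named in its TC_CLASSDESC record and every String in a TC_STRING record, while the "non-alphanumeric" bytes between them are type codes, back-references (handles) and primitive values, all of which have fixed or length-prefixed sizes. That means the class names, bean properties and view ids can be listed by walking the grammar with nothing on the classpath. The walker below does that; the org.example.ViewNode stream it parses, and its field names, are constructed by hand for the example (not captured from any application), and the gzip step mirrors what the poster found. Externalizable classes and proxy descriptors are deliberately not handled: the walker raises rather than guess at a length.

```python
import base64
import gzip
import struct

BASE_HANDLE = 0x7E0000                     # first wire handle java.io assigns
PRIM = {"B": 1, "C": 2, "D": 8, "F": 4, "I": 4, "J": 8, "S": 2, "Z": 1}

class JavaStreamWalker:
    def __init__(self, data):
        self.d, self.pos, self.handles, self.classes, self.strings = data, 0, [], [], []

    def _read(self, n):
        if self.pos + n > len(self.d):
            raise ValueError("truncated stream at offset %d" % self.pos)
        self.pos += n
        return self.d[self.pos - n:self.pos]

    def _u8(self):  return self._read(1)[0]
    def _u16(self): return struct.unpack(">H", self._read(2))[0]
    def _i32(self): return struct.unpack(">i", self._read(4))[0]
    def _utf(self): return self._read(self._u16()).decode("utf-8", "replace")
    def _ref(self): return self.handles[self._i32() - BASE_HANDLE]
    def _handle(self, obj):                # wire handles are numbered in creation order
        self.handles.append(obj)
        return obj

    def walk(self):
        if self._read(4) != b"\xac\xed\x00\x05":
            raise ValueError("missing java.io STREAM_MAGIC / STREAM_VERSION")
        while self.pos < len(self.d):
            self.object(self._u8())
        return self.classes, self.strings

    def annotation(self):                  # items up to TC_ENDBLOCKDATA
        while (tc := self._u8()) != 0x78:
            self.object(tc)

    def class_desc(self):
        tc = self._u8()
        if tc == 0x70: return None         # TC_NULL: no superclass
        if tc == 0x71: return self._ref()  # TC_REFERENCE: descriptor seen earlier
        if tc != 0x72: raise ValueError("unsupported class descriptor 0x%02x" % tc)
        desc = self._handle({"name": self._utf(), "suid": self._read(8), "flags": self._u8(), "fields": []})
        self.classes.append(desc["name"])
        for _ in range(self._u16()):
            code, name = chr(self._u8()), self._utf()
            if code in "L[": self.object(self._u8())   # type signature, a string object
            desc["fields"].append((code, name))
        self.annotation()                  # classAnnotation
        desc["super"] = self.class_desc()
        return desc

    def class_data(self, desc):
        if desc is None: return
        self.class_data(desc["super"])     # superclass values are written first
        flags = desc["flags"]
        if flags & 0x04: raise ValueError("externalizable %s: length unknowable" % desc["name"])
        if flags & 0x02:                   # SC_SERIALIZABLE: one value per field
            for code, _ in desc["fields"]:
                self._read(PRIM[code]) if code in PRIM else self.object(self._u8())
            if flags & 0x01: self.annotation()   # SC_WRITE_METHOD: custom writeObject() data

    def object(self, tc):
        if tc == 0x70: return None         # TC_NULL
        if tc == 0x71: return self._ref()  # TC_REFERENCE to an earlier object
        if tc == 0x77: return self._read(self._u8())    # TC_BLOCKDATA: raw writeObject bytes
        if tc == 0x74:                     # TC_STRING
            self.strings.append(self._utf())
            return self._handle(self.strings[-1])
        if tc == 0x73:                     # TC_OBJECT: classDesc, handle, values
            desc = self.class_desc()
            obj = self._handle({"class": desc["name"]})
            self.class_data(desc)
            return obj
        if tc == 0x75:                     # TC_ARRAY: classDesc, handle, length, values
            desc = self.class_desc()
            arr, n, code = self._handle([]), self._i32(), desc["name"][1]
            if code in PRIM: self._read(PRIM[code] * n)
            else: arr += [self.object(self._u8()) for _ in range(n)]
            return arr
        raise ValueError("unsupported type code 0x%02x at offset %d" % (tc, self.pos - 1))

def decode_viewstate(token):               # as posted: base64, then gzip (the poster's case)
    raw = base64.b64decode(token)
    return JavaStreamWalker(gzip.decompress(raw) if raw[:2] == b"\x1f\x8b" else raw).walk()

def _utf(s): return struct.pack(">H", len(s.encode())) + s.encode()   # Java length-prefixed string

# Constructed by hand for this example, not captured from any application: what ObjectOutputStream
# writes for a hypothetical org.example.ViewNode {int count; String id; Object[] children}
SAMPLE_STREAM = (
    b"\xac\xed\x00\x05\x73\x72" + _utf("org.example.ViewNode") + b"\x00" * 7 + b"\x01"
    + b"\x02\x00\x03I" + _utf("count")                           # SC_SERIALIZABLE, 3 fields
    + b"L" + _utf("id") + b"\x74" + _utf("Ljava/lang/String;")
    + b"[" + _utf("children") + b"\x74" + _utf("[Ljava/lang/Object;")
    + b"\x78\x70\x00\x00\x00\x07\x74" + _utf("form1")            # end desc; count = 7; id
    + b"\x75\x72" + _utf("[Ljava.lang.Object;") + b"\x90\xce\x58\x9f\x10\x73\x29\x6c"
    + b"\x02\x00\x00\x78\x70\x00\x00\x00\x03"                    # Object[] desc; 3 elements
    + b"\x74" + _utf("javax.faces.component.html.HtmlOutputText") + b"\x71\x00\x7e\x00\x04\x70"
)
SAMPLE_TOKEN = base64.b64encode(gzip.compress(SAMPLE_STREAM)).decode()
```

To use it on a real javax.faces.ViewState value, URL-decode the form field and pass it to decode_viewstate(). The second array element in the sample is a TC_REFERENCE back to the "form1" string, which is why it shows up once in the string list: the back-references are a large part of the binary noise in a 70000-character dump, and a tool that does not resolve them loses its place after the first one.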

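Andrew's suggestion (sign the state, and encrypt it if the content itself is sensitive) in working form, as an added example that is not the project's code and is written in Python rather than as a MyFaces StateManager: the token layout, the key, the view id and the sample state bytes are all assumptions made for the example. The check that matters is the order of operations. Verify the MAC over the opaque body first, in constant time, and only then gunzip and hand the bytes to ObjectInputStream, so a component tree the client has edited (the second question above) is rejected before any class is instantiated. Binding the view id into the tag also stops a state blob that was issued for one page from being replayed on another. Encryption for the "spying" half is left out here; it would be done with an authenticated cipher such as AES-GCM from a proper crypto library, which then replaces the separate HMAC.

```python
import base64
import gzip
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size       # 32-byte HMAC-SHA256 tag

# Constructed for the example: a stand-in for the serialized component tree (a real
# blob starts with the same java.io magic) and a key.  In a deployment the key comes
# from configuration, never from source.
SAMPLE_STATE = b"\xac\xed\x00\x05" + b"<serialized component tree>"
SAMPLE_KEY = bytes(range(32))


def _mac(key, view_id, body):
    # The view id is bound into the tag (NUL-separated; view ids never contain NUL)
    # so a blob saved for one view cannot be replayed to another.
    return hmac.new(key, view_id.encode() + b"\x00" + body, hashlib.sha256).digest()


def protect_state(serialized_state, key, view_id):
    """Assumed token layout, not MyFaces's own: base64(tag || gzip(state))."""
    body = gzip.compress(serialized_state)
    return base64.b64encode(_mac(key, view_id, body) + body).decode()


def restore_state(token, key, view_id):
    """Returns the serialized state bytes or raises ValueError.  The tag is checked
    on the opaque body before anything is decompressed or deserialized."""
    raw = base64.b64decode(token)
    tag, body = raw[:TAG_LEN], raw[TAG_LEN:]
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, _mac(key, view_id, body)):
        raise ValueError("view state rejected: MAC mismatch")
    return gzip.decompress(body)               # only now would ObjectInputStream see it


def is_valid(token, key, view_id):
    try:
        restore_state(token, key, view_id)
        return True
    except ValueError:                         # includes base64 errors (binascii.Error)
        return False


def flip_byte(token, offset):
    """What tampering with a client-side state field looks like: one byte altered."""
    raw = bytearray(base64.b64decode(token))
    raw[offset] ^= 0x01
    return base64.b64encode(bytes(raw)).decode()


if __name__ == "__main__":
    token = protect_state(SAMPLE_STATE, SAMPLE_KEY, "/checkout.jsp")
    print("genuine:     ", is_valid(token, SAMPLE_KEY, "/checkout.jsp"))
    print("body altered:", is_valid(flip_byte(token, TAG_LEN + 2), SAMPLE_KEY, "/checkout.jsp"))
    print("other view:  ", is_valid(token, SAMPLE_KEY, "/admin.jsp"))
```

Note that hmac.compare_digest rather than == is what keeps the comparison from leaking the tag byte by byte through timing, and that the key is what makes this work at all: a keyless hash or checksum over the state, which is the other thing people reach for, is recomputed by the attacker after the edit.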