myfaces-users mailing list archives

From karthik kn <keyan...@gmail.com>
Subject Reg vulnerability for Server State saving
Date Mon, 19 Dec 2016 10:44:05 GMT
Hi,
I am using myfaces-1.1.5 and using the following state saving method

<context-param><param-name>javax.faces.STATE_SAVING_METHOD</param-name><param-value>server</param-value></context-param>

However, I see that the object identifier is being sent to the server as
following:

<input type="hidden" name="javax.faces.ViewState"
id="javax.faces.ViewState"
value="rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAN0AAEzcHQAJi9qc3AvaGxyL2FjX3N1YnNjcmliZXIvY3J0U2luZ2xlQUMuanNw"
/></form>

This is the serialized object identifier sent over the network

We are using only https and not http.

Does sending this serialized object identifier without encrypting open any
vulnerability which the attacker could use to his/her advantage?

-- 
-------------------------
Thanks & Regards

Karthik.K.N
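As an added illustration (not part of the thread), the following Python walks the Java serialization stream in the quoted `javax.faces.ViewState` value by hand, without invoking any deserializer, to show what the client actually sees: a serialized `Object[]` holding the sequence string "3", a null slot and the view id path. The parser only accepts the narrow `Object[]` of `String`/`null` shape seen here and rejects anything else; the tag constants come from the Java Object Serialization Stream Protocol.

```python
import base64

# ViewState value exactly as quoted in the post (two halves joined)
VIEW_STATE = ("rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAN0AAEz"
              "cHQAJi9qc3AvaGxyL2FjX3N1YnNjcmliZXIvY3J0U2luZ2xlQUMuanNw")

# Type-code bytes from the Java serialization stream grammar
TC_NULL, TC_CLASSDESC, TC_STRING, TC_ARRAY, TC_ENDBLOCKDATA = 0x70, 0x72, 0x74, 0x75, 0x78

def parse_object_array(blob: bytes) -> list:
    """Decode a serialized Object[] of Strings/nulls by reading the stream
    byte-by-byte. Nothing is instantiated; unexpected shapes raise ValueError."""
    if blob[:4] != b"\xac\xed\x00\x05":          # STREAM_MAGIC + STREAM_VERSION
        raise ValueError("not a Java serialization stream")
    pos = 4
    def need(tag):
        nonlocal pos
        if blob[pos] != tag:
            raise ValueError(f"expected 0x{tag:02x} at {pos}, got 0x{blob[pos]:02x}")
        pos += 1
    def utf():                                    # 2-byte length + modified UTF-8
        nonlocal pos
        n = int.from_bytes(blob[pos:pos + 2], "big"); pos += 2
        s = blob[pos:pos + n].decode("utf-8"); pos += n
        return s
    need(TC_ARRAY); need(TC_CLASSDESC)
    cls = utf()
    if cls != "[Ljava.lang.Object;":
        raise ValueError(f"unexpected array class {cls}")
    pos += 8                                      # serialVersionUID
    pos += 1                                      # classDescFlags (SC_SERIALIZABLE)
    if int.from_bytes(blob[pos:pos + 2], "big") != 0:
        raise ValueError("Object[] declares no fields")
    pos += 2
    need(TC_ENDBLOCKDATA); need(TC_NULL)          # no annotations, no superclass
    length = int.from_bytes(blob[pos:pos + 4], "big"); pos += 4
    out = []
    for _ in range(length):
        tag = blob[pos]; pos += 1
        if tag == TC_NULL:
            out.append(None)
        elif tag == TC_STRING:
            out.append(utf())
        else:
            raise ValueError(f"unsupported element tag 0x{tag:02x}")
    return out

def decode_view_state(value: str) -> list:
    return parse_object_array(base64.b64decode(value))

if __name__ == "__main__":
    print(decode_view_state(VIEW_STATE))  # ['3', None, '/jsp/hlr/ac_subscriber/crtSingleAC.jsp']
```

The token therefore discloses the view path and a small sequence counter rather than session contents, but because the server has to parse whatever comes back in this field, it is untrusted input and is normally protected with an integrity check or encryption rather than sent in the clear.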
