The MyFaces serialized view state strings are vulnerable, hence I need some sample code to test deserialization of untrusted data with MyFaces 1.1 against WildFly 10.
The MyFaces view states are indeed vulnerable to a Java deserialization attack when used in client-side saving mode. Luca Carettoni exploited and reported the flaw in Sun Java Web Console back in 2008. Sun then decided to use server-side saving for view states.
If you can afford to use server-side saving mode, use the following context parameter:
<context-param>
  <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
  <param-value>server</param-value>
</context-param>
If you want to continue using client-side saving for view states, make sure you encrypt and decrypt the view states with a strong algorithm by setting the following context parameters, as described in the MyFaces wiki.

Camille Vienot
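As an added example that is not part of the original answer, a constructed web.xml fragment shows the unencrypted client-side setting beside a hardened one; the org.apache.myfaces.* names are the MyFaces context parameters the answer refers to, the secret values are placeholders, and the MAC parameters assume a MyFaces release recent enough to support them.

```xml
<!-- Constructed web.xml fragment (added example). -->
<!-- 1. Weak: client-side saving with encryption disabled. The serialized
     view is handed to the browser and deserialized on POST-back. -->
<context-param>
  <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
  <param-value>client</param-value>
</context-param>
<context-param>
  <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
  <param-value>false</param-value>
</context-param>

<!-- 2. Hardened: keep client-side saving, but encrypt with AES/CBC and
     authenticate with an HMAC so a tampered view state is rejected
     before it is deserialized. Secret values are placeholders; generate
     random bytes and base64-encode them. -->
<context-param>
  <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
  <param-value>client</param-value>
</context-param>
<context-param>
  <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
  <param-value>true</param-value>
</context-param>
<context-param>
  <param-name>org.apache.myfaces.ALGORITHM</param-name>
  <param-value>AES</param-value>
</context-param>
<context-param>
  <param-name>org.apache.myfaces.ALGORITHM.PARAMETERS</param-name>
  <param-value>CBC/PKCS5Padding</param-value>
</context-param>
<context-param>
  <!-- 16 bytes, base64-encoded -->
  <param-name>org.apache.myfaces.ALGORITHM.IV</param-name>
  <param-value>BASE64_16_BYTE_IV_PLACEHOLDER</param-value>
</context-param>
<context-param>
  <!-- 16, 24 or 32 bytes for AES, base64-encoded -->
  <param-name>org.apache.myfaces.SECRET</param-name>
  <param-value>BASE64_AES_KEY_PLACEHOLDER</param-value>
</context-param>
<context-param>
  <param-name>org.apache.myfaces.MAC_ALGORITHM</param-name>
  <param-value>HmacSHA256</param-value>
</context-param>
<context-param>
  <param-name>org.apache.myfaces.MAC_SECRET</param-name>
  <param-value>BASE64_MAC_KEY_PLACEHOLDER</param-value>
</context-param>
```

Only one of the two blocks belongs in a real deployment; server-side saving, as the answer recommends first, removes the client-side deserialization surface altogether.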