开发者

JSF view id as request tokens

I read somewher开发者_JAVA技巧e the view ids used by JSF framework have a happy side effect of acting as request tokens and thus foiling CSRF. Can someone please tell me if this means I dont have to do anything from a programming point of view (ie). As a programmer, if I use JSF I dont have to worry about CSRF?


JSF has indeed "builtin" protection against CSRF by the javax.faces.ViewState. On JSF 1.x it's is only maybe "too easy" to guess. This has been fixed for JSF 2.1. See also JSF impl issue 812 and JSF spec issue 869.

Your major concerns should be XSS and SQL injections. An succesful XSS attack would be a source for a guaranteed-to-be-succesful CSRF attack. To avoid XSS, ensure that you're (re)displaying all user-controlled input using h:outputText rather than as "plain vanilla" template text. A SQL injection doesn't necessarily lead to potential CSRF holes, but it would leak or malform sensitive data. To avoid this, ensure that you're using a solid ORM framework which makes use of named queries (JPA, Hibernate, etc) or when you're on "plain vanilla" JDBC, ensure that you're using PreparedStatement instead of Statement all the way.


Is this guaranteed? Some implementations of JSF uses a sequential id that can be guessed by an attacker.

Here's an article describing the Sun JSF-RI doing sequential view id generation instead of the more accepted Java SecureRandom:

http://seamframework.org/Documentation/CrossSiteRequestForgery


Sorry on the other day, I was wrong "I told that My JSF application didnt report any CSRF problem". But now I would like to tell you that JSF doesnt have "builtin" protection against CSRF. I have tested with the CSRFTester tool, it shows My JSF application is vulnerable to CSRF attacks. And also I would like to tell you that all Java EE applications are vulnerable to CSRF attacks. I found one possible way to protect the application from the CSRF attack is to generate random tokens and append it to the URL. Thanks!!

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜