SWF makes JSF's ViewState lose CSRF token characteristics [SWF-1749] #924

Open
spring-operator opened this issue Aug 6, 2021 · 0 comments
Labels
in: integration status: waiting-for-triage We need additional information before we can continue

Comments

@spring-operator (Contributor)

Marco Redo opened SWF-1749 and commented

It's known that JavaServer Faces' ViewState value can be used as a CSRF token to prevent CSRF attacks.

Anyway, when coupling JavaServer Faces and Spring Web Flow, it seems that the ViewState value loses its anti-CSRF characteristics.

In particular we noticed that:

  1. the ViewState value is very predictable (e.g.: e1s1, e1s2, e2s1, ...), whilst a CSRF token should be randomly generated
  2. we're able to repeat the same POST request (inclusive of the ViewState) many times, whilst an anti-CSRF policy should prevent it, maybe causing a response with a 403 error code

Affects: 2.4.2

1 vote, 2 watchers
