SWF makes JSF's ViewState lose CSRF token characteristics [SWF-1749] #924

@spring-operator

Marco Redo opened SWF-1749 and commented

It's known that JavaServer Faces' ViewState value can be used as a CSRF token to prevent CSRF attacks.

Anyway, when coupling JavaServer Faces and Spring Web Flow, it seems that the ViewState value loses its anti-CSRF characteristics.

In particular we noticed that:

  1. the ViewState value is very predictable (e.g.: e1s1, e1s2, e2s1, ...), whilst a CSRF token should be randomly generated
  2. we're able to repeat the same POST request (inclusive of the ViewState) many times, whilst an anti-CSRF policy should prevent it, maybe causing a response with a 403 error code

Affects: 2.4.2

1 votes, 2 watchers
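The two properties the report checks for (unpredictable token values and rejection of a resubmitted token) are what a CSRF token must provide independently of the view-state mechanism. The following is an added, self-contained Python example written for this page; it is not code from Spring Web Flow, JSF, or the reporter. The `CsrfTokenStore` class and the `looks_predictable` check are hypothetical helpers, and `SWF_STYLE_VALUES` is a constructed sample in the `e<n>s<n>` shape the report describes, used only as input to the check.

```python
import hmac
import math
import re
import secrets
from typing import Dict, Iterable, Set

# Constructed sample: values in the flow-execution-key shape the report
# describes ("e<n>s<n>"). Used only as input to the predictability check.
SWF_STYLE_VALUES = ["e1s1", "e1s2", "e2s1", "e2s2"]

FLOW_KEY_PATTERN = re.compile(r"^e\d+s\d+$")


def min_entropy_bits(tokens: Iterable[str]) -> float:
    """Upper bound on the entropy of the shortest token in a series:
    its length in characters times log2 of the alphabet actually observed.
    A generator may have less entropy than this bound, never more."""
    tokens = list(tokens)
    if not tokens:
        return 0.0
    alphabet = set("".join(tokens))
    bits_per_char = math.log2(len(alphabet)) if len(alphabet) > 1 else 0.0
    return min(len(t) for t in tokens) * bits_per_char


def looks_predictable(tokens: Iterable[str], min_bits: float = 128.0) -> bool:
    """True when a token series cannot serve as a CSRF token: it has the
    sequential flow-execution-key shape, or it is too short and low-alphabet
    to carry min_bits of entropy (128 bits is a common baseline)."""
    tokens = list(tokens)
    if any(FLOW_KEY_PATTERN.match(t) for t in tokens):
        return True
    return min_entropy_bits(tokens) < min_bits


class CsrfTokenStore:
    """Hypothetical per-session token store with the two properties the
    report asks for: tokens come from a CSPRNG, and each is accepted once."""

    def __init__(self) -> None:
        self._issued: Dict[str, Set[str]] = {}

    def issue(self, session_id: str) -> str:
        """Mint a fresh token for a session; the server embeds it in the form."""
        token = secrets.token_urlsafe(32)  # 256 bits from os.urandom
        self._issued.setdefault(session_id, set()).add(token)
        return token

    def validate(self, session_id: str, presented: str) -> bool:
        """Accept a token exactly once, bound to the session it was issued to.
        A second submission of the same token, or a token issued to another
        session, is rejected; the caller would then answer 403."""
        issued = self._issued.get(session_id, set())
        for token in list(issued):
            # Constant-time compare so the check does not leak token bytes.
            if hmac.compare_digest(token, presented):
                issued.discard(token)  # one-time use: replay fails from here on
                return True
        return False


def demo():
    """First submission accepted, identical resubmission rejected."""
    store = CsrfTokenStore()
    token = store.issue("session-A")
    first = store.validate("session-A", token)
    replay = store.validate("session-A", token)
    return first, replay


if __name__ == "__main__":
    print("e<n>s<n> values predictable:", looks_predictable(SWF_STYLE_VALUES))
    print("entropy bound (bits):", min_entropy_bits(SWF_STYLE_VALUES))
    print("first submit accepted, replay accepted:", demo())
```

Running the check over the constructed `e<n>s<n>` series flags it immediately, both by shape and because four characters drawn from a four-symbol alphabet bound the entropy at eight bits; a token from `secrets.token_urlsafe(32)` passes. The store shows the second property: the same session and token pair is accepted on the first `validate` call and refused on the second, which is the behaviour the report expected in place of the repeatable POST.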
