Posted to users@myfaces.apache.org by Kamal Parmar <pa...@gmail.com> on 2008/04/19 12:51:14 UTC

View state- security

Hello People,

I am a pen-tester so please bear with any lack of knowledge on my part ;)

I am reviewing a MyFaces web application which appears to have very large
values for View State being posted back.
The View State, once base64 decoded and gunzipped, measures anywhere between
2000 to an amazing 70000 characters. Some of the characters are binary and
cannot be viewed in a text editor. I am guessing this is because it is
serialized data so it does not show as character data.

As an indication it starts with:

...java.lang.Object...XY..s..xp..srsr
Gorg.apache.myfaces.application.TreeStructureManager$TreeStructComponentFYØœJöÏ
[childrentJ[Lorg/apache/myfaces/application/TreeStructureManager$TreeStructComponent;L
_componentClasst Ljava/lang/String;L _componentIdq ~ [ _facetst
[Ljava/lang/Object;xpur
J[Lorg.apache.myfaces.application.TreeStructureManager$TreeStructComponent;º¬'È…ª
xp   sq ~ uq ~    sq ~ pt
)javax.faces.component.html.HtmlOutputTextt....

Then I get names of beans, properties, methods, navigation actions (next
actions) and many repetitions of WEB-INF and html documents within it.

My questions are:
1. How can I deserialise the string without having access to the application
source code itself? The non-alphanumeric characters really throw me
off-track and I cannot determine their relevance
2. Is it possible for an attacker to bypass application controls by
inserting references to beans, properties, methods, navigation actions, etc
which the attacker by design should not really have access to? I am thinking
it might be possible for an attacker to inject ViewState which deserializes
to a component tree the attacker should never have access to.

Hope this makes sense. Any help much appreciated.

cheers

Kelly
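
Added example for the first question (not part of the thread, and not MyFaces code): a Python triage script that reverses the base64 and gzip steps Kamal describes, checks for the Java serialization magic (AC ED 00 05) and then scans for TC_CLASSDESC records to list the class names and serialVersionUIDs the stream carries. That is usually enough to see which component and bean types a ViewState contains without having the application's classes. It is a heuristic scanner, not a deserializer: it does not follow the stream grammar (back-reference handles, block data), so a stray 0x72 byte elsewhere can produce a false hit, which the length bound and the class-name pattern are there to filter. The class name org.example.DemoComponent, its serialVersionUID and the stream built by build_sample_stream() are constructed for the example.

```python
"""Triage a JSF client-side ViewState without the application's classes.

Added example, not code from the thread or from MyFaces.  It is a heuristic
class-name scanner, not a Java deserializer: it finds TC_CLASSDESC records in
the serialized stream and reports the class names and serialVersionUIDs.
"""
import base64
import gzip
import re
import struct
import sys
from typing import List, Tuple

STREAM_MAGIC = b"\xac\xed\x00\x05"  # java.io.ObjectStreamConstants: magic + version 5
GZIP_MAGIC = b"\x1f\x8b"
TC_OBJECT, TC_CLASSDESC, TC_STRING = 0x73, 0x72, 0x74
TC_ENDBLOCKDATA, TC_NULL = 0x78, 0x70

# Names as ObjectOutputStream writes them: "pkg.Outer$Inner", or an array
# descriptor such as "[Lorg.example.Foo;" or "[B".
_NAME_RE = re.compile(r"^(\[+([BCDFIJSZ]|L[A-Za-z_$][\w$.]*;)|[A-Za-z_$][\w$.]*)$")


def decode_viewstate(param_value: str) -> bytes:
    """Undo what the poster did by hand: base64, then gunzip if the blob is gzipped."""
    raw = base64.b64decode(param_value)
    return gzip.decompress(raw) if raw.startswith(GZIP_MAGIC) else raw


def is_java_serialized(blob: bytes) -> bool:
    return blob.startswith(STREAM_MAGIC)


def scan_class_descriptors(blob: bytes, max_name_len: int = 200) -> List[Tuple[int, str, int]]:
    """Return (offset, class_name, serialVersionUID) for each plausible TC_CLASSDESC.

    Layout: 0x72, 2-byte big-endian UTF length, name bytes, 8-byte serialVersionUID.
    The stream grammar (handles, block data) is not tracked, so a 0x72 inside other
    data can be a false hit; the length bound and name pattern filter most of those.
    """
    found, i, n = [], 0, len(blob)
    while i < n:
        if blob[i] == TC_CLASSDESC and i + 3 <= n:
            (length,) = struct.unpack(">H", blob[i + 1:i + 3])
            end = i + 3 + length
            if 0 < length <= max_name_len and end + 8 <= n:
                name = blob[i + 3:end].decode("ascii", errors="replace")
                if _NAME_RE.match(name):
                    (suid,) = struct.unpack(">q", blob[end:end + 8])
                    found.append((i, name, suid))
                    i = end + 8
                    continue
        i += 1
    return found


def triage(param_value: str) -> dict:
    """Decode a javax.faces.ViewState value and summarise what is inside it."""
    blob = decode_viewstate(param_value)
    if not is_java_serialized(blob):
        return {"serialized": False, "size": len(blob), "classes": []}
    return {"serialized": True, "size": len(blob),
            "classes": [name for _, name, _ in scan_class_descriptors(blob)]}


# --- constructed sample so the script runs offline ---------------------------
def _utf(s: str) -> bytes:
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def build_sample_stream() -> bytes:
    """One object of a hypothetical class (org.example.DemoComponent, not real)
    with a single String field, laid out as ObjectOutputStream would write it."""
    desc = bytes([TC_CLASSDESC]) + _utf("org.example.DemoComponent")
    desc += struct.pack(">q", 0x1122334455667788)        # serialVersionUID (made up)
    desc += b"\x02" + b"\x00\x01"                        # SC_SERIALIZABLE, 1 field
    desc += b"L" + _utf("label")                         # object-typed field "label"
    desc += bytes([TC_STRING]) + _utf("Ljava/lang/String;")
    desc += bytes([TC_ENDBLOCKDATA, TC_NULL])            # no annotation, no superclass
    return STREAM_MAGIC + bytes([TC_OBJECT]) + desc + bytes([TC_STRING]) + _utf("hello")


def sample_viewstate_param() -> str:
    """What javax.faces.ViewState would look like on the wire for the sample."""
    return base64.b64encode(gzip.compress(build_sample_stream())).decode("ascii")


if __name__ == "__main__":
    # usage: python viewstate_triage.py <ViewState value>   (sample if omitted)
    value = sys.argv[1] if len(sys.argv) > 1 else sample_viewstate_param()
    blob = decode_viewstate(value)
    print("java serialization stream:", is_java_serialized(blob), "size:", len(blob))
    for off, name, suid in scan_class_descriptors(blob):
        print(f"  @{off:6d}  {name}  serialVersionUID=0x{suid & 0xFFFFFFFFFFFFFFFF:016x}")
```

Paste the javax.faces.ViewState value from a captured POST as the first argument. On a real MyFaces 1.x blob you should see the TreeStructComponent class from Kamal's dump near the top, followed by the component and converter classes of the page; a class name you do not expect (a model or persistence class, say) is the finding worth chasing, because it means application state rather than UI state is being round-tripped through the browser.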

Re: View state- security

Posted by pa...@gmail.com.
Thanks guys. That was very helpful.

cheers

K

On Sun, Apr 20, 2008 at 12:14 AM, Glauco P. Gomes <gl...@yahoo.com.br>
wrote:

> This is currently available in Myfaces, see:
>
> http://wiki.apache.org/myfaces/Secure_Your_Application
>
> Glauco P. Gomes
>
> Andrew Robinson escreveu:
>
> Although technically feasible to jack the state, it is not easy.
> First, you have to make sure you reproduce the state in such a way
> that it restores correctly. There are other complications, but if you
> want client side state saving and are worried about hacking and
>
> spying, you could write your own state saving manager that does
> encryption and signing. State managers are pluggable, so it isn't that
> hard and you could extend an existing one and just encrypt the
> results.
>
> Andrew
> sent from my iPod
>
> On 4/19/08, Kamal Parmar <pa...@gmail.com> wrote:
>
> Hello People,
>
> I am a pen-tester so please bear with any lack of knowledge on my part ;)
>
> I am reviewing a MyFaces web application which appears to have very large
> values for View State being posted back.
>
> The View State, once base64 decoded and gunzipped, measures anywhere between
> 2000 to an amazing 70000 characters. Some of the characters are binary and
> cannot be viewed in a text editor. I am guessing this is because it is
>
> serialized data so it does not show as character data.
>
> As an indication it starts with:
>
> ...java.lang.Object...XY..s..xp..srsr
> Gorg.apache.myfaces.application.TreeStructureManager$TreeStructComponentFYØœJöÏ
> [childrentJ[Lorg/apache/myfaces/application/TreeStructureManager$TreeStructComponent;L
>  _componentClasst  Ljava/lang/String;L  _componentIdq ~  [  _facetst
>  [Ljava/lang/Object;xpur
> J[Lorg.apache.myfaces.application.TreeStructureManager$TreeStructComponent;º¬'È…ª
> xp    sq ~  uq ~      sq ~  pt
> )javax.faces.component.html.HtmlOutputTextt....
>
> Then I get names of beans, properties, methods, navigation actions (next
> actions) and many repetitions of WEB-INF and html documents within it.
>
> My questions are:
> 1. How can I deserialise the string without having access to the application
> source code itself? The non-alphanumeric characters really throw me
> off-track and I cannot determine their relevance
>
> 2. Is it possible for an attacker to bypass application controls by
> inserting references to beans, properties, methods, navigation actions, etc
> which the attacker by design should not really have access to? I am thinking
>
> it might be possible for an attacker to inject ViewState which deserializes
> to a component tree the attacker should never have access to.
>
> Hope this makes sense. Any help much appreciated.
>
> cheers
>
> Kelly
>
>
>
>

Re: View state- security

Posted by Andrew Robinson <an...@gmail.com>.
Although technically feasible to jack the state, it is not easy.
First, you have to make sure you reproduce the state in such a way
that it restores correctly. There are other complications, but if you
want client side state saving and are worried about hacking and
spying, you could write your own state saving manager that does
encryption and signing. State managers are pluggable, so it isn't that
hard and you could extend an existing one and just encrypt the
results.

Andrew
sent from my iPod

On 4/19/08, Kamal Parmar <pa...@gmail.com> wrote:
> Hello People,
>
> I am a pen-tester so please bear with any lack of knowledge on my part ;)
>
> I am reviewing a MyFaces web application which appears to have very large
> values for View State being posted back.
> The View State, once base64 decoded and gunzipped, measures anywhere between
> 2000 to an amazing 70000 characters. Some of the characters are binary and
> cannot be viewed in a text editor. I am guessing this is because it is
> serialized data so it does not show as character data.
>
> As an indication it starts with:
>
> ...java.lang.Object...XY..s..xp..srsr
> Gorg.apache.myfaces.application.TreeStructureManager$TreeStructComponentFYØœJöÏ
> [childrentJ[Lorg/apache/myfaces/application/TreeStructureManager$TreeStructComponent;L
>  _componentClasst  Ljava/lang/String;L  _componentIdq ~  [  _facetst
>  [Ljava/lang/Object;xpur
> J[Lorg.apache.myfaces.application.TreeStructureManager$TreeStructComponent;º¬'È…ª
> xp    sq ~  uq ~      sq ~  pt
> )javax.faces.component.html.HtmlOutputTextt....
>
> Then I get names of beans, properties, methods, navigation actions (next
> actions) and many repetitions of WEB-INF and html documents within it.
>
> My questions are:
> 1. How can I deserialise the string without having access to the application
> source code itself? The non-alphanumeric characters really throw me
> off-track and I cannot determine their relevance
> 2. Is it possible for an attacker to bypass application controls by
> inserting references to beans, properties, methods, navigation actions, etc
> which the attacker by design should not really have access to? I am thinking
> it might be possible for an attacker to inject ViewState which deserializes
> to a component tree the attacker should never have access to.
>
> Hope this makes sense. Any help much appreciated.
>
> cheers
>
> Kelly
>
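
Added example (not from the thread, not MyFaces code) of the signing half of what Andrew describes, in Python with the standard library only: the server MACs the compressed state with a secret key before writing it into the form, and on postback verifies the MAC in constant time before it gunzips or deserializes anything, so a state the attacker edited or assembled from scratch is rejected before it ever reaches the object stream. Encryption, the other half, is left out because the standard library has no block cipher; in a real state manager you would encrypt first and MAC the ciphertext. The key and the SAMPLE_STATE bytes are constructed for the example.

```python
"""Sign-then-verify for client-side state, standard library only.

Added example, not MyFaces code.  protect() runs on the way out (render),
unprotect() on the way back (restore view) and rejects anything that does not
carry a valid MAC before it is gunzipped or deserialized.
"""
import base64
import gzip
import hashlib
import hmac
import os
import zlib
from typing import Optional

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


def protect(serialized_state: bytes, mac_key: bytes) -> str:
    """gzip the serialized tree, MAC the compressed bytes, return the form value."""
    compressed = gzip.compress(serialized_state)
    tag = hmac.new(mac_key, compressed, hashlib.sha256).digest()
    return base64.b64encode(compressed + tag).decode("ascii")


def unprotect(token: str, mac_key: bytes) -> Optional[bytes]:
    """Return the serialized tree, or None if the token is forged, altered or malformed.

    The MAC is checked in constant time and before gzip.decompress(), so a
    tampered blob never reaches the decompressor or the object stream.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    compressed, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(mac_key, compressed, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return gzip.decompress(compressed)
    except (OSError, EOFError, zlib.error):
        return None


# --- helpers that play the attacker, used by the demo below --------------------
def flip_byte(token: str, index: int) -> str:
    """Alter one byte of an otherwise valid token (tampering with real state)."""
    raw = bytearray(base64.b64decode(token))
    raw[index] ^= 0x01
    return base64.b64encode(bytes(raw)).decode("ascii")


def unsigned_token(serialized_state: bytes) -> str:
    """What an attacker can build against an unprotected app: base64(gzip(state)), no MAC."""
    return base64.b64encode(gzip.compress(serialized_state)).decode("ascii")


# Constructed stand-in for a serialized component tree (Java stream magic + filler).
SAMPLE_STATE = b"\xac\xed\x00\x05" + b"component tree bytes " * 8


def demo(mac_key: Optional[bytes] = None) -> dict:
    """Run the genuine and attacker cases; every value should be True."""
    key = mac_key or os.urandom(32)
    token = protect(SAMPLE_STATE, key)
    return {
        "genuine_restores": unprotect(token, key) == SAMPLE_STATE,
        "tampered_rejected": unprotect(flip_byte(token, 12), key) is None,
        "unsigned_rejected": unprotect(unsigned_token(SAMPLE_STATE), key) is None,
        "wrong_key_rejected": unprotect(token, os.urandom(32)) is None,
        "garbage_rejected": unprotect("not base64!!", key) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:20s} {'ok' if ok else 'FAIL'}")
```

The order of operations is the point: decode, check length, verify MAC, and only then decompress and hand the bytes to the deserializer. Doing it in that order means the attacker's input is never parsed by anything more complex than a base64 decoder until it has proven it came from the server, which is also what removes the bean and navigation-injection worry from the second question.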

Re: View state- security

Posted by Scott O'Bryan <da...@gmail.com>.
Kamal Parmar wrote:
> Hello People,
>
> I am a pen-tester so please bear with any lack of knowledge on my part ;)
>
> I am reviewing a MyFaces web application which appears to have very 
> large values for View State being posted back.
> The View State, once base64 decoded and gunzipped, measures anywhere 
> between 2000 to an amazing 70000 characters. Some of the characters 
> are binary and cannot be viewed in a text editor. I am guessing this 
> is because it is serialized data so it does not show as character data.
>
> As an indication it starts with:
>
> ...java.lang.Object...XY..s..xp..srsr 
> Gorg.apache.myfaces.application.TreeStructureManager$TreeStructComponentFYØœJöÏ 
> [childrentJ[Lorg/apache/myfaces/application/TreeStructureManager$TreeStructComponent;L 
> _componentClasst Ljava/lang/String;L _componentIdq ~ [ _facetst 
> [Ljava/lang/Object;xpur 
> J[Lorg.apache.myfaces.application.TreeStructureManager$TreeStructComponent;º¬'È…ª  
> xp   sq ~ uq ~    sq ~ pt 
> )javax.faces.component.html.HtmlOutputTextt....
>
> Then I get names of beans, properties, methods, navigation actions 
> (next actions) and many repetitions of WEB-INF and html documents 
> within it.
>
> My questions are:
> 1. How can I deserialise the string without having access to the 
> application source code itself? The non-alphanumeric characters really 
> throw me off-track and I cannot determine their relevance
You would need to add your own StateManager which would 
serialize/deserialize the data yourself.  Seems to me though that this 
makes it MORE secure rather than less.
> 2. Is it possible for an attacker to bypass application controls by 
> inserting references to beans, properties, methods, navigation 
> actions, etc which the attacker by design should not really have 
> access to? I am thinking it might be possible for an attacker to 
> inject ViewState which deserializes to a component tree the attacker 
> should never have access to.
These are component values, not model information.  While I wouldn't say 
it's impossible, I don't think there is much exposure here.  It's passed 
security experts at Oracle, IBM, and Sun.  If you are worried about it, 
turn on server-side state saving.  This will simply save a token and the 
view-state would then be stored solely on the server.

Scott
>
> Hope this makes sense. Any help much appreciated.
>
> cheers
>
> Kelly
>
>
>
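
The two remedies proposed in the thread, Scott's server-side state saving and the built-in encryption and MAC behind the wiki page Glauco links, are both switched on from web.xml. The fragment below is an added example, not taken from the thread or from the wiki page; the context-parameter names are those read by MyFaces 1.2 (org.apache.myfaces.StateUtils), and the key and IV values are placeholders you must replace with your own random, base64-encoded values sized for the chosen algorithm (16 bytes for AES-128). The first block shows the weak configuration that produces the readable, forgeable blob the original poster is looking at; the two that follow are alternatives, so a real web.xml contains one of them, never the same param-name twice.

```xml
<!-- WEAK: the whole tree travels to the browser as base64(gzip(serialized tree)),
     readable and forgeable by anyone who can edit the form post. -->
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
    <param-value>false</param-value>
</context-param>

<!-- OPTION 1 (Scott): keep the tree in the session; the browser only gets a token. -->
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
</context-param>

<!-- OPTION 2 (Andrew, wiki): keep client-side saving, but encrypt and MAC the blob.
     Set the algorithm explicitly rather than relying on the default. Secrets are
     base64; generate them with a CSPRNG and keep them out of source control. -->
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
    <param-value>true</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.ALGORITHM</param-name>
    <param-value>AES</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.ALGORITHM.PARAMETERS</param-name>
    <param-value>CBC/PKCS5Padding</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.ALGORITHM.IV</param-name>
    <param-value>REPLACE_WITH_BASE64_OF_16_RANDOM_BYTES</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.SECRET</param-name>
    <param-value>REPLACE_WITH_BASE64_OF_16_RANDOM_BYTES</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.MAC_ALGORITHM</param-name>
    <param-value>HmacSHA256</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.MAC_SECRET</param-name>
    <param-value>REPLACE_WITH_BASE64_OF_32_RANDOM_BYTES</param-value>
</context-param>
```

javax.faces.STATE_SAVING_METHOD is the standard JSF parameter; the org.apache.myfaces.* ones are MyFaces-specific and only matter while client-side saving is in effect. Option 1 removes the forging problem entirely but keeps every live view in the HTTP session, so watch session memory and the number of views MyFaces retains per session (org.apache.myfaces.NUMBER_OF_VIEWS_IN_SESSION). Option 2 keeps the server stateless at the cost of a fixed IV shared by all views, which is what this configuration style allows; the MAC is what actually defeats the injection in the second question, the encryption only stops the reading.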