Ed Burns's blog

My pages	Projects	Communities	java.net

Get Involved About java.net Request a Project Publicize your Project Submit Content java-net Project Java.net Enhancements Site Help Report Inappropriate Content Get Informed Articles Blogs Events java.net Online Books java.net Archives Get Connected java.net Forums Wiki Javapedia People Partners Jobs RSS Feeds Java User Groups Search Web and Projects: Online Books: java.net on MarkMail: Advanced Search
	Ed Burns Ed Burns is a senior staff engineer at Sun Microsystems. Ed has worked on a wide variety of client and server side web technologies since 1994, including NCSA Mosaic, Mozilla, the Sun Java Plugin, Jakarta Tomcat and, most recently JavaServer Faces. Ed is currently the co-spec lead for JavaServer Faces. Ed Burns's blog Trustwave SpiderLabs sets sights on Mojarra, MyFaces Posted by edburns on January 31, 2010 at 1:11 PM PST I received an email from core Mojarra team member Jim Driscoll, who was inexplicably laid off from Sun after its recent acquisition by Oracle, about a talk at next week’s BlackHat Conference in Arlington, VA, U.S.A.. Jim pointed out that two security luminaries from the elite SpiderLabs team from Trustwave are giving a talk at BlackHat about view state security, specifically focusing on Mojarra and MyFaces. Cursory research on the talk found two articles: one by Kelly Jackson Higgins at DarkReading, and another (which appears to be based on the first) at SC Magazine. The talk will be given by David Byrne (the guy who released grendel, not the guy from Talking Heads), and Rohini Sulatycki. For my money, the most important quote in the former article is, “There’s no patch to fix these flaws, either. ‘All developers have to do is perform a configuration change,’ he says, and encrypt view state.” I haven’t seen their presentation yet, but for Mojarra, you can put lines 16 - 24 of the following web.xml into your web.xml to ensure that client state will be encrypted. <?xml version="1.0" encoding="UTF-8"?> <web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"> <servlet> <servlet-name>Faces Servlet</servlet-name> <servlet-class>javax.faces.webapp.FacesServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>Faces Servlet</servlet-name> <url-pattern>/faces/*</url-pattern> </servlet-mapping> <welcome-file-list> <welcome-file>faces/index.xhtml</welcome-file> </welcome-file-list> <context-param> <param-name>javax.faces.STATE_SAVING_METHOD</param-name> <param-value>client</param-value> </context-param> <env-entry> <env-entry-name>ClientStateSavingPassword</env-entry-name> <env-entry-type>java.lang.String</env-entry-type> <env-entry-value>driscoll</env-entry-value> </env-entry> </web-app> A zipped netbeans project that does this is available at <http://mediacast.sun.com/users/edburns00/media/TestClientStatePassword.zip> » Login or register to post comments 997 visits Printer-friendly version Related Topics >> Blogs Java Enterprise Security Comments Comments are listed in date ascending order (oldest first) Config for Apache MyFaces Submitted by mwessendorf on Mon, 2010-02-01 14:24. Hello Ed, similar to Mojarra you can avoid this on Apache MyFaces as well. There are some options documented here. http://wiki.apache.org/myfaces/Secure_Your_Application -Matthias Login or register to post comments Yes, this is known problem, Submitted by alexsmirnov on Sun, 2010-01-31 19:18. Yes, this is known problem, and that is why both JSF implementations have the view state encryption feature. Another hole has been introduced by JSF 2.0 AJAX feature there list of components to execute at form submission can be sent from client, so attacker has ability to change application logic ( bypass validation of some fields, for example ). There is no simple way to protect application from such vulnerability except additional checks in application code. That is why I've always been against "execute" or "update" parameters in AJAX request. Login or register to post comments	Categories Java Enterprise Community J2EE Patterns Business Extreme Programming Programming JSR JavaOne Security Netbeans Java Desktop Glassfish Blogs Web Applications General Java Patterns Databases Performance Education Archives January 2010 December 2009 November 2009 October 2009 September 2009 July 2009 June 2009 May 2009 April 2009 March 2009 February 2009 January 2009 December 2008 November 2008 October 2008 September 2008 August 2008 June 2008 April 2008 November 2007 August 2007 July 2007 May 2007 March 2007 January 2007 December 2006 November 2006 October 2006 September 2006 August 2006 July 2006 June 2006 May 2006 April 2006 March 2006 February 2006 January 2006 December 2005 October 2005 September 2005 August 2005 July 2005 June 2005 May 2005 April 2005 March 2005 August 2004 June 2004 Recent Entries Trustwave SpiderLabs sets sights on Mojarra, MyFaces A Response to Peter Thomas's JSF Critical Screed An Analysis of Peter Thomas's JSF Critical Rant

Feedback | FAQ | Terms of Use
Privacy | Trademarks | Site Map

Your use of this web site or any of its content or software indicates your agreement to be bound by these Terms of Participation.

Copyright © 2010, Oracle and/or its affiliates. All rights reserved. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Get Involved

Get Informed

Get Connected

Search

Ed Burns

Trustwave SpiderLabs sets sights on Mojarra, MyFaces

Config for Apache MyFaces

Yes, this is known problem,

Categories

Archives

Recent Entries