
We have a JSF 2.1.7 application, and our IT security team found the following issue:

In the browser:
    1) Get the login page.
    2) Post the login page with UserName/Password & submit & JSFViewStateId_1 & JSessionID_1
    3) Successful login.

Within a few minutes, if we issue the same HTTP request as below using the old ViewState and a new JSession:

    1) Post the login page with UserName/Password & submit & JSFViewStateId_1 & JSessionID_2
    2) Successful login.

I am wondering how the old view state was accepted by the server. When the second request is issued, shouldn't it report that the view has expired? Does the server validate the ViewState and JSession ID together as a combined authentication?


1 Answer


That's only possible if the javax.faces.STATE_SAVING_METHOD is set to client. The javax.faces.ViewState does not then represent the unique view state identifier referencing a view state which is stored in the user session, but instead represents the whole view state itself, in serialized flavor. The session ID is then not relevant anymore.

The webapp being tested apparently has client-side state saving enabled. Whether that's a security problem is a second question. It would only be possible to extract and send the view state to a malicious server when there's an XSS hole. JSF has by itself very strong built-in XSS prevention which the developer can only disable by explicitly using escape="false" while redisplaying user-controlled data. Even if there were an XSS hole, then it would also be possible to send the session ID along. It wouldn't have been more secure with server-side state saving.

Answered 2012-09-27T00:04:07.770
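As an added example (not from the original question or answer), this is the web.xml context parameter the answer refers to, with the client-side setting that explains the observed behaviour beside the server-side setting that ties the view state back to the session; the surrounding web-app element is assumed.

```xml
<!-- web.xml fragment, added example: JSF state saving method -->
<web-app>

  <!-- Client-side state saving: the whole serialized view state is sent
       to the browser in the javax.faces.ViewState hidden field. The server
       only needs to deserialize that field, so the same field is accepted
       again with a different JSESSIONID, exactly as observed in the question.
       JSF implementations encrypt/sign this blob, but it is still a
       self-contained token rather than a reference into the session. -->
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
  </context-param>

  <!-- Server-side state saving (the JSF 2.x default): javax.faces.ViewState
       is only an identifier for a view state kept in the HTTP session.
       Reusing it with a new session yields ViewExpiredException because the
       new session holds no view with that id. Use exactly one of the two
       context-param blocks; both are shown here only for comparison. -->
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
  </context-param>

</web-app>
```

A quick way to confirm which mode a deployment runs is to view the rendered form source: with server-side saving the javax.faces.ViewState hidden field holds a short identifier, while with client-side saving it holds a long base64 blob.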