
SWF makes JSF's ViewState lose CSRF token characteristics [SWF-1749]

Open spring-operator opened this issue 3 years ago • 0 comments

Marco Redo opened SWF-1749 and commented

It's known that JavaServer Faces' ViewState value can be used as a CSRF token to prevent CSRF attacks.

Anyway, when coupling JavaServer Faces and Spring Web Flow, it seems that the ViewState value loses its anti-CSRF characteristics.

In particular we noticed that:

  1. the ViewState value is very predictable (e.g.: e1s1, e1s2, e2s1, ...), whilst a CSRF token should be randomly generated
  2. we're able to repeat the same POST request (inclusive of the ViewState) many times, whilst an anti-CSRF policy should prevent it, maybe causing a response with a 403 error code

Affects: 2.4.2

1 vote, 2 watchers

spring-operator, Aug 06 '21 14:08
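The two findings above (a sequential `e1s1`-style value, and a POST that can be replayed) can be checked and addressed in code. The following is an added example, not code from Spring Web Flow, JSF or the reporter: a heuristic that flags a captured `javax.faces.ViewState` value as unfit for CSRF duty, and a minimal per-session one-time token store that rejects a repeated submission. Names, thresholds and sample values are the example's own assumptions.

```python
from __future__ import annotations
import hmac
import math
import re
import secrets
from collections import Counter

# Spring Web Flow flow-execution keys look like "e1s1" (execution 1, snapshot 1).
# The report says these show up as the JSF ViewState value, so they are sequential.
SWF_EXECUTION_KEY = re.compile(r"^e\d+s\d+$")


def entropy_bits(value: str) -> float:
    """Rough total entropy estimate: per-character Shannon entropy times length."""
    counts = Counter(value)
    n = len(value)
    per_char = -sum(c / n * math.log2(c / n) for c in counts.values())
    return per_char * n


def viewstate_usable_as_csrf_token(value: str, min_bits: float = 128) -> tuple[bool, str]:
    """Decide whether a captured ViewState value could stand in for a CSRF token."""
    if SWF_EXECUTION_KEY.match(value):
        return False, "Spring Web Flow execution key: sequential and guessable"
    bits = entropy_bits(value)
    if bits < min_bits:
        return False, f"about {bits:.0f} bits of entropy, below {min_bits:.0f}"
    return True, "looks unpredictable"


class OneTimeCsrfTokens:
    """Per-session synchronizer tokens consumed on first use (hypothetical helper).

    This gives the property asked for in point 2 of the report: a second POST
    carrying the same token is rejected instead of being processed again.
    """

    def __init__(self) -> None:
        self._outstanding: set[str] = set()

    def issue(self) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits, unlike "e1s1"
        self._outstanding.add(token)
        return token

    def validate(self, submitted: str) -> bool:
        # Constant-time comparison against each live token; consume it on match.
        for token in list(self._outstanding):
            if hmac.compare_digest(token, submitted):
                self._outstanding.discard(token)
                return True
        return False
```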