Hello People, I am pen-tester so please bear with any lack of knowledge on my part ;)
I am reviewing a MyFaces web application which appears to have very large values for View State being posted back. The View State, once base64 decoded and gunzipped, measures anywhere between 2000 and an amazing 70000 characters. Some of the characters are binary and cannot be viewed in a text editor. I am guessing this is because it is serialized data so it does not show as character data. As an indication it starts with:

...java.lang.Object...XY..s..xp..srsr Gorg.apache.myfaces.application.TreeStructureManager$TreeStructComponentFYØœJöÏ [childrentJ[Lorg/apache/myfaces/application/TreeStructureManager$TreeStructComponent;L _componentClasst Ljava/lang/String;L _componentIdq ~ [ _facetst [Ljava/lang/Object;xpur J[Lorg.apache.myfaces.application.TreeStructureManager$TreeStructComponent;º¬'È…ª xp sq ~ uq ~ sq ~ pt )javax.faces.component.html.HtmlOutputTextt....

Then I get names of beans, properties, methods, navigation actions (next actions) and many repetitions of WEB-INF and html documents within it.

My questions are:

1. How can I deserialise the string without having access to the application source code itself? The non-alphanumeric characters really throw me off-track and I cannot determine their relevance.
2. Is it possible for an attacker to bypass application controls by inserting references to beans, properties, methods, navigation actions, etc. which the attacker by design should not really have access to? I am thinking it might be possible for an attacker to inject ViewState which deserializes to a component tree the attacker should never have access to.

Hope this makes sense. Any help much appreciated.

cheers
Kelly
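An added example for the first question, written for this page and not taken from the original post or from the MyFaces project: a small Python script that does the decoding a pen-tester needs before any deserialisation attempt. It base64-decodes a javax.faces.ViewState value, gunzips it if the gzip magic (1f 8b) is present, checks for the Java ObjectOutputStream header (ac ed 00 05), and then pulls readable names out of the stream without needing the application's classes on any classpath. Two extraction strategies are shown: a `strings`-style scan for printable runs, and a walk that follows the TC_STRING framing of the Java serialization protocol (tag byte 0x74, big-endian 16-bit length, UTF bytes). The sample ViewState is constructed inside the script from a handful of names that appear in the dump above; it is not a real capture from the application in question.

```python
import base64
import gzip
import re
import struct

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"   # ObjectOutputStream header (STREAM_MAGIC, STREAM_VERSION)
GZIP_MAGIC = b"\x1f\x8b"
TC_STRING = 0x74                         # Java serialization tag for a short (<64 KiB) UTF string


def decode_viewstate(viewstate_b64: str) -> bytes:
    """Base64-decode a ViewState value and gunzip it if it is compressed.

    Returns the bytes the server would feed to ObjectInputStream."""
    raw = base64.b64decode(viewstate_b64)
    if raw.startswith(GZIP_MAGIC):
        raw = gzip.decompress(raw)
    return raw


def classify_viewstate(viewstate_b64: str) -> str:
    """Tell whether the client-side state is plain Java serialization (optionally
    gzipped) or something opaque (encrypted/MAC'd state or a server-side token)."""
    raw = base64.b64decode(viewstate_b64)
    compressed = raw.startswith(GZIP_MAGIC)
    data = gzip.decompress(raw) if compressed else raw
    if data.startswith(JAVA_STREAM_MAGIC):
        return "gzip+java-serialized" if compressed else "java-serialized"
    return "opaque"


def printable_runs(data: bytes, min_len: int = 6) -> list:
    """`strings`-style scan: every run of printable ASCII at least min_len long.
    Length bytes of the framing often show up as stray leading letters."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def java_strings(data: bytes, min_len: int = 3) -> list:
    """Heuristic walk for TC_STRING records: 0x74, u16 length, then UTF bytes.
    Only the framing is parsed, so no application classes are needed; a record
    is accepted only if its length fits and its payload is printable ASCII."""
    found = []
    i = 0
    while i < len(data) - 3:
        if data[i] == TC_STRING:
            length = struct.unpack(">H", data[i + 1:i + 3])[0]
            chunk = data[i + 3:i + 3 + length]
            if min_len <= length == len(chunk) and all(0x20 <= b < 0x7F for b in chunk):
                found.append(chunk.decode("ascii"))
                i += 3 + length          # skip the record so its own bytes are not re-scanned
                continue
        i += 1
    return found


def _tc_string(s: str) -> bytes:
    enc = s.encode("utf-8")
    return bytes([TC_STRING]) + struct.pack(">H", len(enc)) + enc


# Constructed sample (not a real capture): a minimal Java serialization stream made of
# the stream header plus TC_STRING records for names seen in the dump, then gzipped and
# base64-encoded the way MyFaces client-side state is transported.
SAMPLE_STRINGS = [
    "org.apache.myfaces.application.TreeStructureManager$TreeStructComponent",
    "javax.faces.component.html.HtmlOutputText",
    "/WEB-INF/",
]
SAMPLE_VIEWSTATE = base64.b64encode(
    gzip.compress(JAVA_STREAM_MAGIC + b"".join(_tc_string(s) for s in SAMPLE_STRINGS))
).decode("ascii")

# Constructed sample of a value that decodes to neither gzip nor a Java stream.
OPAQUE_SAMPLE = base64.b64encode(bytes(range(16))).decode("ascii")


if __name__ == "__main__":
    print("kind:", classify_viewstate(SAMPLE_VIEWSTATE))
    data = decode_viewstate(SAMPLE_VIEWSTATE)
    for run in printable_runs(data):
        print("run :", run)
    for s in java_strings(data):
        print("str :", s)
```

The "G" in front of org.apache.myfaces in the dump above is the low byte of the TC_STRING length (0x47 = 71, the length of that class name), and the ")" before javax.faces.component.html.HtmlOutputText is 0x29 = 41 in the same role; that is why a plain `strings` pass shows stray letters glued to the names while the framing walk returns them clean. The stream header and these tags are what make the blob look binary; the content between them is mostly class names, field names and the strings your pages put into the tree. If `classify_viewstate` returns "opaque", the state is either encrypted (MyFaces can encrypt and MAC client-side state via its org.apache.myfaces.USE_ENCRYPTION and org.apache.myfaces.SECRET init parameters in versions that support them) or a server-side token, and the string-dump approach above will show nothing useful.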

