This is currently available in Myfaces, see:
http://wiki.apache.org/myfaces/Secure_Your_Application
Glauco P. Gomes
Andrew Robinson wrote:
Although technically feasible to jack the state, it is not easy.
First, you have to make sure you reproduce the state in such a way
that it restores correctly. There are other complications, but if you
want client side state saving and are worried about hacking and
spying, you could write your own state saving manager that does
encryption and signing. State managers are pluggable, so it isn't that
hard and you could extend an existing one and just encrypt the
results.
Andrew
sent from my iPod
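One way to realise the encrypting-and-signing state manager described above, as an added example that is not MyFaces code: a hypothetical SecureStateCodec that wraps the serialized view state as base64(iv || AES-CBC(state) || HMAC-SHA256(iv || ciphertext)), with the two keys assumed to come from server-side configuration.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical codec (not part of MyFaces): encrypt-then-MAC for a serialized component tree.
public class SecureStateCodec {
    private final SecretKeySpec encKey, macKey;   // two independent server-side keys
    private final SecureRandom rng = new SecureRandom();

    SecureStateCodec(byte[] aesKey, byte[] hmacKey) {
        encKey = new SecretKeySpec(aesKey, "AES");
        macKey = new SecretKeySpec(hmacKey, "HmacSHA256");
    }
    private byte[] tag(byte[] iv, byte[] ct) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        mac.update(iv);   // bind the IV so it cannot be swapped either
        return mac.doFinal(ct);
    }
    private Cipher cipher(int mode, byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, encKey, new IvParameterSpec(iv));
        return c;
    }
    // Called when the serialized component tree is written into the page.
    String protect(byte[] serializedState) throws Exception {
        byte[] iv = new byte[16]; rng.nextBytes(iv);   // fresh IV per response
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, iv).doFinal(serializedState);
        byte[] mac = tag(iv, ct), out = new byte[16 + ct.length + 32];
        System.arraycopy(iv, 0, out, 0, 16);
        System.arraycopy(ct, 0, out, 16, ct.length);
        System.arraycopy(mac, 0, out, 16 + ct.length, 32);
        return Base64.getEncoder().encodeToString(out);
    }
    // Called on postback: verify the MAC (constant time) before decrypting or deserializing anything.
    byte[] restore(String token) throws Exception {
        byte[] in = Base64.getDecoder().decode(token);
        if (in.length < 48) throw new SecurityException("view state too short");
        byte[] iv = Arrays.copyOfRange(in, 0, 16), ct = Arrays.copyOfRange(in, 16, in.length - 32);
        if (!MessageDigest.isEqual(Arrays.copyOfRange(in, in.length - 32, in.length), tag(iv, ct)))
            throw new SecurityException("view state MAC mismatch; rejecting postback");
        return cipher(Cipher.DECRYPT_MODE, iv).doFinal(ct);
    }
}
```

A posted-back ViewState that has been altered by even one byte fails the MAC comparison and is rejected before Java deserialization ever runs on it, which is the property the pentester's second question is probing for.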
On 4/19/08, Kamal Parmar <[EMAIL PROTECTED]> wrote:
Hello People,
I am a pen-tester so please bear with any lack of knowledge on my part ;)
I am reviewing a MyFaces web application which appears to have very large
values for View State being posted back.
The View State, once base64 decoded and gunzipped, measures anywhere between
2000 to an amazing 70000 characters. Some of the characters are binary and
cannot be viewed in a text editor. I am guessing this is because it is
serialized data so it does not show as character data.
As an indication it starts with:
...java.lang.Object...XY..s..xp..srsr
Gorg.apache.myfaces.application.TreeStructureManager$TreeStructComponentFY
ØœJöÏ
[childrentJ[Lorg/apache/myfaces/application/TreeStructureManager$TreeStructComponent;L
_componentClasst Ljava/lang/String;L _componentIdq ~ [ _facetst
[Ljava/lang/Object;xpur
J[Lorg.apache.myfaces.application.TreeStructureManager$TreeStructComponent;º¬'È
… ª
xp sq ~ uq ~ sq ~ pt
)javax.faces.component.html.HtmlOutputTextt....
Then I get names of beans, properties, methods, navigation actions (next
actions) and many repetitions of WEB-INF and html documents within it.
My questions are:
1. How can I deserialise the string without having access to the application
source code itself? The non-alphanumeric characters really throw me
off-track and I cannot determine their relevance
2. Is it possible for an attacker to bypass application controls by
inserting references to beans, properties, methods, navigation actions, etc
which the attacker by design should not really have access to? I am thinking
it might be possible for an attacker to inject ViewState which deserializes
to a component tree the attacker should never have access to.
Hope this makes sense. Any help much appreciated.
cheers
Kelly