Kamal Parmar wrote:
> Hello People,
> I am a pen-tester, so please bear with any lack of knowledge on my part ;)
> I am reviewing a MyFaces web application which appears to have very
> large values for View State being posted back.
> The View State, once base64 decoded and gunzipped, measures anywhere
> between 2000 and an amazing 70000 characters. Some of the characters
> are binary and cannot be viewed in a text editor. I am guessing this
> is because it is serialized data, so it does not show as character data.
> As an indication it starts with:
> ...java.lang.Object...XY..s..xp..srsr
> Gorg.apache.myfaces.application.TreeStructureManager$TreeStructComponentFYØœJöÏ
> [childrentJ[Lorg/apache/myfaces/application/TreeStructureManager$TreeStructComponent;L
> _componentClasst Ljava/lang/String;L _componentIdq ~ [ _facetst
> [Ljava/lang/Object;xpur
> J[Lorg.apache.myfaces.application.TreeStructureManager$TreeStructComponent;º¬'È…ª
> xp sq ~ uq ~ sq ~ pt
> )javax.faces.component.html.HtmlOutputTextt....
> Then I get names of beans, properties, methods, navigation actions
> (next actions) and many repetitions of WEB-INF and html documents
> within it.
> My questions are:
> 1. How can I deserialise the string without having access to the
> application source code itself? The non-alphanumeric characters really
> throw me off-track and I cannot determine their relevance.
You would need to add your own StateManager which would
serialize/deserialize the data yourself. Seems to me though that this
makes it MORE secure rather than less.
> 2. Is it possible for an attacker to bypass application controls by
> inserting references to beans, properties, methods, navigation
> actions, etc. which the attacker by design should not really have
> access to? I am thinking it might be possible for an attacker to
> inject ViewState which deserializes to a component tree the attacker
> should never have access to.
These are component values, not model information. While I wouldn't say
it's impossible, I don't think there is much exposure here. It's passed
security experts at Oracle, IBM, and Sun. If you are worried about it,
turn on server-side state saving. This will simply save a token and the
view-state would then be stored solely on the server.
Scott
> Hope this makes sense. Any help much appreciated.
> cheers
> Kelly
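For question 1, the bytes Kamal pasted are a standard Java serialization stream (the `org.apache...TreeStructComponent` text is a class descriptor, the `Ljava/lang/String;` text is a field type, the `t` before `javax.faces.component.html.HtmlOutputText` is the TC_STRING tag), and a good deal of it can be inventoried without the application's classes. The script below is an added example, not code from the thread or from MyFaces: it base64-decodes and gunzips a posted ViewState the way the post describes (it assumes the state is not encrypted, as in the post), checks the 0xACED0005 stream magic, parses every TC_CLASSDESC it meets (class name, field names and field types, superclass chain) and records every TC_STRING constant. Object field values are not decoded, since that needs class-aware parsing, so between descriptors the walk is a heuristic: a tag byte is trusted only when a plausible identifier follows it. The function names `decode_view_state`, `inventory` and `build_sample_view_state` are mine, and the sample stream is constructed (one object with one String field, shaped after the descriptor in the post), not a capture.

```python
"""Inventory a MyFaces client-side ViewState: base64 of gzip of a Java
serialization stream. Added example; names and sample data are constructed."""
import base64
import gzip
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"            # Java serialization header
TC_NULL, TC_REFERENCE, TC_CLASSDESC = 0x70, 0x71, 0x72
TC_OBJECT, TC_STRING, TC_ENDBLOCKDATA = 0x73, 0x74, 0x78
# Class, field and string names in a stream are Java identifiers, JVM type
# descriptors or paths; anything else after a tag byte is treated as noise.
NAME_RE = re.compile(rb"^[-A-Za-z0-9_.$\[;/ ]+$")


def decode_view_state(value: str) -> bytes:
    """Base64-decode the posted ViewState, gunzip it if compressed and
    check that what remains is a Java serialization stream."""
    raw = base64.b64decode(value)
    if raw[:2] == b"\x1f\x8b":                # gzip magic
        raw = gzip.decompress(raw)
    if raw[:4] != STREAM_MAGIC:
        raise ValueError("not a Java serialization stream (encrypted state?)")
    return raw


def _utf(buf: bytes, pos: int):
    """Read a 2-byte big-endian length-prefixed name at pos.
    Returns (name, end) or (None, pos) when the bytes are not plausible."""
    if pos + 2 > len(buf):
        return None, pos
    (n,) = struct.unpack(">H", buf[pos:pos + 2])
    s = buf[pos + 2:pos + 2 + n]
    if n == 0 or len(s) != n or not NAME_RE.match(s):
        return None, pos
    return s.decode("ascii"), pos + 2 + n


def _class_desc(buf: bytes, pos: int, out: list):
    """Parse the TC_CLASSDESC at buf[pos] (name, fields, superclass chain)
    into out; return the end offset, or None if it is not well-formed."""
    name, pos = _utf(buf, pos + 1)
    if name is None:
        return None
    pos += 8 + 1                               # serialVersionUID, flags byte
    if pos + 2 > len(buf):
        return None
    (nfields,) = struct.unpack(">H", buf[pos:pos + 2])
    pos += 2
    fields = []
    for _ in range(nfields):
        if pos >= len(buf):
            return None
        typecode = chr(buf[pos])               # B C D F I J S Z, or L / [ for objects
        fname, pos = _utf(buf, pos + 1)
        if fname is None:
            return None
        ftype = typecode
        if typecode in "L[":                   # object/array fields carry a type string
            if pos < len(buf) and buf[pos] == TC_STRING:
                ftype, pos = _utf(buf, pos + 1)
                if ftype is None:
                    return None
            elif pos < len(buf) and buf[pos] == TC_REFERENCE:
                ftype, pos = "<back-reference>", pos + 5
            else:
                return None
        fields.append((fname, ftype))
    if pos >= len(buf) or buf[pos] != TC_ENDBLOCKDATA:   # class annotations not handled
        return None
    pos += 1
    out.append(("class", name, fields))
    nxt = buf[pos] if pos < len(buf) else None
    if nxt == TC_CLASSDESC:                    # superclass descriptor follows inline
        return _class_desc(buf, pos, out) or pos
    if nxt == TC_REFERENCE:                    # superclass already seen: 4-byte handle
        return pos + 5
    if nxt == TC_NULL:
        return pos + 1
    return pos


def inventory(stream: bytes) -> list:
    """Walk the stream and collect ('class', name, fields) and
    ('string', value) entries. Field values are skipped, so this is a
    heuristic scan: a tag byte counts only when a plausible name follows."""
    found = []
    pos = 4                                    # skip the stream header
    while pos < len(stream):
        tc = stream[pos]
        if tc == TC_CLASSDESC:
            name, after = _utf(stream, pos + 1)
            if name is not None:
                end = _class_desc(stream, pos, found)
                if end is None:                # malformed: keep the name at least
                    found.append(("class", name, []))
                    end = after
                pos = end
                continue
        elif tc == TC_STRING:
            value, after = _utf(stream, pos + 1)
            if value is not None:
                found.append(("string", value))
                pos = after
                continue
        pos += 1
    return found


def _utf_bytes(s: str) -> bytes:
    return struct.pack(">H", len(s)) + s.encode("ascii")


def build_sample_view_state() -> str:
    """Constructed sample, not a capture: one serialized object with a single
    String field, shaped after the descriptor in the post, then gzipped and
    base64-encoded the way client-side state is posted."""
    stream = (
        STREAM_MAGIC
        + bytes([TC_OBJECT, TC_CLASSDESC])
        + _utf_bytes("org.apache.myfaces.application.TreeStructureManager$TreeStructComponent")
        + b"\x00\x00\x00\x00\x00\x00\x00\x01"  # serialVersionUID (made up)
        + b"\x02"                              # flags: SC_SERIALIZABLE
        + b"\x00\x01"                          # one field ...
        + b"L" + _utf_bytes("_componentClass")  # ... an object field
        + bytes([TC_STRING]) + _utf_bytes("Ljava/lang/String;")   # of type String
        + bytes([TC_ENDBLOCKDATA, TC_NULL])    # no annotations, no superclass
        + bytes([TC_STRING]) + _utf_bytes("javax.faces.component.html.HtmlOutputText")
    )
    return base64.b64encode(gzip.compress(stream)).decode("ascii")


if __name__ == "__main__":
    for entry in inventory(decode_view_state(build_sample_view_state())):
        print(entry)
```

Run against a real captured `javax.faces.ViewState` value instead of the sample, the output is the list of component classes, field names and string constants (bean names, navigation outcomes, `/WEB-INF/...` paths) that Kamal was seeing through the binary noise, which is usually enough to judge what the client is trusted to hand back. For question 2, the switch Scott refers to is the `javax.faces.STATE_SAVING_METHOD` context parameter in web.xml: with the value `server` the page carries only a token and the serialized tree never leaves the server, so a client cannot substitute its own.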