It's known that JavaServer Faces' ViewState value can be used as a CSRF token to prevent CSRF attacks.
Anyway, when coupling JavaServer Faces and Spring Web Flow, it seems that the ViewState value loses its anti-CSRF characteristics.
In particular we noticed that:
- the ViewState value is very predictable (e.g.: e1s1, e1s2, e2s1, ...), whilst a CSRF token should be randomly generated
- we're able to repeat the same POST request (inclusive of the ViewState) many times, whilst an anti-CSRF policy should prevent it, maybe causing a response with a 403 error code
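For contrast, here is what a token with the two properties the post finds missing (unpredictability and single use) looks like in a small synchronizer-token guard. This is an added illustration written for this page; it is not Spring Web Flow or JSF code, and the class name, the session-id string and the `e\d+s\d+` pattern used to recognise Web Flow style execution keys are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

/**
 * Illustrative synchronizer-token guard (example code, not from the post).
 * A token is 256 bits from SecureRandom, bound to one session, and accepted
 * at most once, so neither guessing nor replaying a POST succeeds.
 */
public final class CsrfTokenGuard {
    private static final SecureRandom RNG = new SecureRandom();

    // Assumed pattern for Web Flow style execution keys such as e1s1 or e2s1.
    // Such a value carries no entropy and is rejected outright as a token.
    private static final Pattern EXECUTION_KEY = Pattern.compile("e\\d+s\\d+");

    // session id -> the single currently outstanding token for that session
    private final Map<String, String> issued = new ConcurrentHashMap<>();

    /** Issue a fresh random token for the session, replacing any earlier one. */
    public String issue(String sessionId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        issued.put(sessionId, token);
        return token;
    }

    /**
     * Validate and consume the token for this session. Because the stored token
     * is removed before comparison, a second POST carrying the same token fails
     * even though the first one was accepted.
     */
    public boolean validateAndConsume(String sessionId, String submitted) {
        if (submitted == null || EXECUTION_KEY.matcher(submitted).matches()) {
            return false; // missing, or a predictable execution-key style value
        }
        String expected = issued.remove(sessionId); // single use
        if (expected == null) {
            return false; // nothing outstanding for this session
        }
        // Constant-time comparison so a wrong guess does not leak prefix matches.
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        CsrfTokenGuard guard = new CsrfTokenGuard();
        String sid = "demo-session-id"; // constructed sample session id

        String token = guard.issue(sid);
        System.out.println("first submit accepted: " + guard.validateAndConsume(sid, token));
        System.out.println("replayed submit accepted: " + guard.validateAndConsume(sid, token));

        guard.issue(sid);
        System.out.println("e1s1 accepted as token: " + guard.validateAndConsume(sid, "e1s1"));
    }
}
```

Running `main` exercises the three cases from the post: the genuine first submission passes, the identical replayed request is refused because the token was consumed, and an execution-key style value like `e1s1` is refused regardless of session state. A real deployment would additionally verify the token on every state-changing request and issue a new one with each rendered form.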