Spring Web Flow / SWF-1749

SWF makes JSF's ViewState lose CSRF token characteristics


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.4.2
    • Fix Version/s: None
    • Component/s: JSF

      Description

      It's known that JavaServer Faces' ViewState value can be used as a CSRF token to prevent CSRF attacks.

      Anyway, when coupling JavaServer Faces and Spring Web Flow, it seems that the ViewState value loses its anti-CSRF characteristics.

      In particular we noticed that:

      1. the ViewState value is very predictable (e.g.: e1s1, e1s2, e2s1, ...), whilst a CSRF token should be randomly generated
      2. we're able to repeat the same POST request (inclusive of the ViewState) many times, whilst an anti-CSRF policy should prevent it, maybe causing a response with a 403 error code
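The two properties the report checks for, unpredictability and non-replayability, as an added Python example. This is not code from Spring Web Flow or JSF: the flow-key values are constructed to match the shapes quoted in the report, `naive_flow_key_validator` is an assumed model of the reported behaviour rather than SWF's actual key check, and `SingleUseCsrfTokens` is an assumed reference implementation of what a token with anti-CSRF characteristics should do.

```python
"""Added example: checks for the two CSRF-token properties the report says
the ViewState loses under Spring Web Flow. Not code from SWF or JSF."""
import hmac
import re
import secrets

# Constructed sample shaped like the values quoted in the report
# (e1s1, e1s2, ...); not captured traffic.
OBSERVED_VIEWSTATE_VALUES = ["e1s1", "e1s2", "e2s1", "e2s2"]

# eNsM: a flow execution number and a snapshot number, i.e. a counter,
# not a nonce.
FLOW_EXECUTION_KEY = re.compile(r"^e\d+s\d+$")
MIN_TOKEN_CHARS = 22  # 128 bits of randomness as base64url is 22 characters


def is_predictable(value: str) -> bool:
    """Property 1: a CSRF token must not be guessable.

    Anything shaped like a counter, or too short to carry 128 bits of
    randomness, fails the check."""
    return bool(FLOW_EXECUTION_KEY.match(value)) or len(value) < MIN_TOKEN_CHARS


def naive_flow_key_validator(session_id: str, presented: str) -> bool:
    """Assumed model (not SWF's code) of the behaviour the report describes:
    any well-formed flow key is accepted on every submission, so the same
    POST can be replayed indefinitely."""
    return bool(FLOW_EXECUTION_KEY.match(presented))


class SingleUseCsrfTokens:
    """Assumed reference behaviour for property 2: tokens are random, bound
    to one session, compared in constant time, and consumed on first use."""

    def __init__(self) -> None:
        self._outstanding = {}  # session_id -> set of tokens not yet used

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from os.urandom
        self._outstanding.setdefault(session_id, set()).add(token)
        return token

    def validate(self, session_id: str, presented: str) -> bool:
        matched = None
        # Compare against every outstanding token without an early exit so
        # the response time does not leak which token (if any) matched.
        for token in self._outstanding.get(session_id, set()):
            if hmac.compare_digest(token.encode(), presented.encode()):
                matched = token
        if matched is None:
            return False
        self._outstanding[session_id].discard(matched)  # a replay now fails
        return True


def replay_accepted(validator, session_id: str, token: str, attempts: int = 3) -> int:
    """Submit the same token `attempts` times and count the acceptances.
    A token with real anti-CSRF properties yields at most 1."""
    return sum(validator(session_id, token) for _ in range(attempts))


if __name__ == "__main__":
    for v in OBSERVED_VIEWSTATE_VALUES:
        print(f"{v}: predictable={is_predictable(v)}")
    print("flow-key replays accepted:",
          replay_accepted(naive_flow_key_validator, "s1", "e1s1"))
    store = SingleUseCsrfTokens()
    t = store.issue("s1")
    print("random token predictable:", is_predictable(t))
    print("random token replays accepted:", replay_accepted(store.validate, "s1", t))
```

A per-session random token compared in constant time is already enough to stop a cross-site forgery, since the attacker cannot read it; the single-use behaviour is the stricter property the report asks for, and it comes at the cost of breaking multi-tab and back-button resubmission, so many frameworks deliberately choose the per-session variant.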


            People

             Assignee:
             rstoya05-aop Rossen Stoyanchev
             Reporter:
             MRacn Marco Redo
             Votes: 1
             Watchers: 2
