Dissecting Java Server Faces for Penetration Testing - SecNiche ...

More documents

Recommendations

Info

to preserve integrity.• It is also possible to design custom CSRF filters with strong functionsthat generate random tokens. This is possible by creating a CSRF Sessionlistener class that overrides every request with HTTP listener class andappends a random token in every request for a particular session. Thereis also a possibility of adding an element in thetag that automatically initiates the CSRF protection. Framework thatsupports are Apache Shale, MyFaces and JBOSS Seam.• The real world examples will look like as presented in listing 3Listing 3: Implementing CSRF Tokens in JSF4.4 Security Descriptors Fallacy - ConfigurationThe declaration of security parameters in web.xml are imperative especially thesecurity elements that are used for preserving the confidentiality and integrityof the ViewState. It has been noticed that declaration of ”ALGORTIHM” inuppercase in ”org.apache.myfaces.ALGORITHM” does not initialize the InitializationVector (IV) in Apache MyFaces. This is a bad design practice and couldhave devastative impacts on the security of a JSF application. The source codeof the ”utils.StateUItils” class (which holds security configuration elements) aspresented in listing 4 which clearly reflects that these parameters have to be appliedin lower case but the documentation of various JSF versions is not writtenappropriately and is not inline with the real code. In other words, the documentationis misleading.p u b l i c s t a t i c f i n a l S t r i n g INIT PREFIX = ” org . apache . myfaces . ” ;p u b l i c s t a t i c f i n a l S t r i n g INIT ALGORITHM = INIT PREFIX + ”ALGORITHM” ;p r i v a t e s t a t i c S t r i n g findAlgorithm ( ExternalContext ctx ) {S t r i n g a l g o r i t h m = ctx . g e t I n i t P a r a m e t e r (INIT ALGORITHM) ;i f ( a l g o r i t h m == n u l l ){a l g o r i t h m = ctx . g e t I n i t P a r a m e t e r (INIT ALGORITHM .toLowerCase ( ) ) ;}r e t u r n findAlgorithm ( algorithm ) ;}. . Truncated . .Listing 4: Explicit Specification - Implementing to Lower Case14
4.4.1 Secure Way of Configuring Security DescriptorsThe best practice is to declare the configuration parameters in web.xml as presentedin listing 5.javax . f a c e s .STATE SAVING METHODc l i e n t org . apache . myfaces . s e c r e t MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzorg . apache . myfaces . algorithm AESorg . apache . myfaces . a l g o r i t h m . parameters CBC/PKCS5Paddingorg . apache . myfaces . a l g o r i t h m . iv NzY1NDMyMTA3NjU0MzIxMA==org . apache . myfaces . s e c r e t . cache false Listing 5: Secure Way of Declaring Encryption Parameters in JSFThis point should be taken into account while doing penetration testing so thatenhanced attacks can be tested against the inappropriate implementation ofJSF security.NOTE: It has been noticed that JSF framework only encrypts ViewState inorder to provide confidentiality but there is no standard implementation of MACby default so that the integrity of ViewState is preserved. While we know thatJSF security greatly depends on the web.xml file, the MAC functionality is alsointroduced in it. The developer has to explicitly specify the MAC algorithm,key and caching.The parameters that are used nowadays are ”org.apache.myfaces.MAC ALGORITHM”,”org.apache.myfaces.MAC SECRET” and ” org.apache.myfaces.MAC SECRET.CACHE”respectively. Always declare all of these parameters in lower case.15
Page 1 and 2: Dissecting Java Server Faces for Pe
Page 3 and 4: 1 AcknowledgmentsWe would like to t
Page 5 and 6: 3 Inside JSF FrameworkJava Server F
Page 8 and 9: understood. In ASP.Net, the ”View
Page 11 and 12: a large scale. A number of websites
Page 13: Figure 6: Fuzzing Request / Error i
Page 17 and 18: In this particular example, a regul
Page 19 and 20: As we can see, this approach allows
Page 21 and 22: 6 About the AuthorsAditya K Sood is
Page 23: [19] JSF Validation Tutorial, http:

Dissecting Java Server Faces for Penetration Testing - SecNiche ...

Create successful ePaper yourself

Delete template?

Save as template?