Dissecting Java Server Faces for Penetration Testing - SecNiche ...

More documents

Recommendations

Info

4.5 JSF Version Tracking and DisclosureJSF configuration has inbuilt configuration parameters that are used to disclosethe version of the installed framework. However, it is always taken lightly andis not fixed by the developers or administrators to avoid leakage of the informationin HTTP response headers. It has been noticed that version disclosure mayresult in detecting critical flaws in JSF applications because publicly availableexploit databases can be used to fingerprint the security vulnerabilities presentin the installed JSF framework.In Suns RI JSF implementation, the ”com.sun.faces.disableVersionTracking”configuration parameter is defined explicitly. By default, it is set to false whichmeans application running on the web server will throw the JSF version intothe response headers when the web client queries for it. The collaborativedisclosure of web server version and framework version can be devastative fromthe developers point of view but it is fruitful for pen testing purposes. JSFis not immune to security vulnerabilities [12, 13, and 14] as seen in the recentpast. These security issues should be taken into consideration while deployingJSF applications because information leakage is the basis of a number of webattacks. We conducted generic tests on several websites that are using JSF andfound that more than 85% of the websites are throwing JSF version numberin their response headers out of which several of them were running old andvulnerable versions.4.6 JSF Data ValidationAnyone involved in security understands the importance of proper input validation.JSF offers a few different techniques for validation in order to preventweb attacks such as Cross Site Scripting (XSS). Some of the input validationmodules have been available since JSF 1.2, and others are unique to JSF 2.0.4.6.1 JSF 1.2 ValidationApache MyFaces and the Apache Tomahawk library provide JSF componentsthat can allow for data validation within the UI page itself. One of the morepowerful ways of validating input is by leveraging regular expressions via the¡t:validateRegExpr¿ tag provided by Tomahawk [15]. Consider an examplewhere we wish to validate a ZIP code. A MyFaces example of data validationusing Tomahawk [16] is presented in listing 6.Listing 6: Generic MyFaces Example - Tomahawk16
In this particular example, a regular expression is being used to limit the zipcode to five digits. Notice that you can include an error message as well, and allof this is done within the .xhtml page itself. A similar example using Facelets[17] is presented in listing 7.Listing 7: Generic Facelets ExampleThe JSF Reference Implementation (RI), codenamed ”Mojarra”, comes withits own tag library that also leverages regular expressions. Mojarra’s will perform the same operation as discussed above. Furthermore,Mojarra’s tag library is armed with an tovalidate the proper format of credit cards [18].4.6.2 JSF 2.0 ValidationJSF 2.0 contains a collection of tags called validators. These are built in to theJSF 2.0 core library. JSF developers will find the following tags particularlyuseful for data validation:• : use this to validate that input falls between a minimumand maximum length• : use this to validate that numeric input fallsbetween a minimum and maximum value• : similar to validateLongRange, but used fordouble values• : use this to leverage regular expression validationHere is an example of JSF validators in use as presented in listing 8.User ID : User ID :Listing 8: Generic Usage of JSF Validators17
Page 1 and 2: Dissecting Java Server Faces for Pe
Page 3 and 4: 1 AcknowledgmentsWe would like to t
Page 5 and 6: 3 Inside JSF FrameworkJava Server F
Page 8 and 9: understood. In ASP.Net, the ”View
Page 11 and 12: a large scale. A number of websites
Page 13 and 14: Figure 6: Fuzzing Request / Error i
Page 15: 4.4.1 Secure Way of Configuring Sec
Page 19 and 20: As we can see, this approach allows
Page 21 and 22: 6 About the AuthorsAditya K Sood is
Page 23: [19] JSF Validation Tutorial, http:

Dissecting Java Server Faces for Penetration Testing - SecNiche ...

Create successful ePaper yourself

Delete template?

Save as template?