Dissecting Java Server Faces for Penetration Testing - SecNiche ...

More documents

Recommendations

Info

Contents1 Acknowledgments 32 Overview 43 Inside JSF Framework 53.1 JSF Security Architecture . . . . . . . . . . . . . . . . . . . . . . 53.1.1 JSF Faces-Config.xml and Web.xml . . . . . . . . . . . . 64 Penetration Testing JSF Framework 74.1 JSF ViewState Anatomy . . . . . . . . . . . . . . . . . . . . . . 74.1.1 Differential Behavior - ViewState in ASP.NET and JSF . 74.2 Scrutinizing Padding - Testing Oracle . . . . . . . . . . . . . . . 94.2.1 Experiment - Fuzzing Oracle . . . . . . . . . . . . . . . . 114.3 JSF Anti CSRF - Truth Behind the Scenes . . . . . . . . . . . . 114.3.1 Implementing CSRF Protection - The Right Way . . . . . 134.4 Security Descriptors Fallacy - Configuration . . . . . . . . . . . 144.4.1 Secure Way of Configuring Security Descriptors . . . . . . 154.5 JSF Version Tracking and Disclosure . . . . . . . . . . . . . . . . 164.6 JSF Data Validation . . . . . . . . . . . . . . . . . . . . . . . . . 164.6.1 JSF 1.2 Validation . . . . . . . . . . . . . . . . . . . . . . 164.6.2 JSF 2.0 Validation . . . . . . . . . . . . . . . . . . . . . . 174.6.3 Custom Validations . . . . . . . . . . . . . . . . . . . . . 185 Conclusion 206 About the Authors 217 References 222
1 AcknowledgmentsWe would like to thank couple of our friends and security researchers who helpedus in shaping this paper.• Giorge Maone (NoScript)• Juliano Rizzo (Netifera)In addition, we would also like to thank Gary McGraw for providing usefulinsight into the paper. A sincere gratitude to all the researchers who are engagedin constructive research for the security community. Lastly, we sincerely wantto thank our security teams at SecNiche Security Labs and Security Compassrespectively for supporting us in doing security research.3
Page 1: Dissecting Java Server Faces for Pe
Page 5 and 6: 3 Inside JSF FrameworkJava Server F
Page 8 and 9: understood. In ASP.Net, the ”View
Page 11 and 12: a large scale. A number of websites
Page 13 and 14: Figure 6: Fuzzing Request / Error i
Page 15 and 16: 4.4.1 Secure Way of Configuring Sec
Page 17 and 18: In this particular example, a regul
Page 19 and 20: As we can see, this approach allows
Page 21 and 22: 6 About the AuthorsAditya K Sood is
Page 23: [19] JSF Validation Tutorial, http:

Dissecting Java Server Faces for Penetration Testing - SecNiche ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?