Thanks guys. That was very helpful. cheers
K

On Sun, Apr 20, 2008 at 12:14 AM, Glauco P. Gomes <[EMAIL PROTECTED]> wrote:
> This is currently available in MyFaces, see:
>
> http://wiki.apache.org/myfaces/Secure_Your_Application
>
> Glauco P. Gomes
>
> Andrew Robinson wrote:
> > Although technically feasible to jack the state, it is not easy.
> > First, you have to make sure you reproduce the state in such a way
> > that it restores correctly. There are other complications, but if you
> > want client side state saving and are worried about hacking and
> > spying, you could write your own state saving manager that does
> > encryption and signing. State managers are pluggable, so it isn't that
> > hard and you could extend an existing one and just encrypt the
> > results.
> >
> > Andrew
> > sent from my iPod
> >
> > On 4/19/08, Kamal Parmar <[EMAIL PROTECTED]> wrote:
> > > Hello People,
> > >
> > > I am a pen-tester so please bear with any lack of knowledge on my part ;)
> > >
> > > I am reviewing a MyFaces web application which appears to have very large
> > > values for View State being posted back.
> > >
> > > The View State, once base64 decoded and gunzipped, measures anywhere between
> > > 2000 to an amazing 70000 characters. Some of the characters are binary and
> > > cannot be viewed in a text editor. I am guessing this is because it is
> > > serialized data so it does not show as character data.
> > >
> > > As an indication it starts with:
> > >
> > > ...java.lang.Object...XY..s..xp..srsr
> > > Gorg.apache.myfaces.application.TreeStructureManager$TreeStructComponentFY
> > > ØœJöÏ
> > > [childrentJ[Lorg/apache/myfaces/application/TreeStructureManager$TreeStructComponent;L
> > > _componentClasst Ljava/lang/String;L _componentIdq ~ [ _facetst
> > > [Ljava/lang/Object;xpur
> > > J[Lorg.apache.myfaces.application.TreeStructureManager$TreeStructComponent;º¬'È
> > > … ª
> > > xp sq ~ uq ~ sq ~ pt
> > > )javax.faces.component.html.HtmlOutputTextt....
> > >
> > > Then I get names of beans, properties, methods, navigation actions (next
> > > actions) and many repetitions of WEB-INF and html documents within it.
> > >
> > > My questions are:
> > >
> > > 1. How can I deserialise the string without having access to the application
> > > source code itself? The non-alphanumeric characters really throw me
> > > off-track and I cannot determine their relevance.
> > >
> > > 2. Is it possible for an attacker to bypass application controls by
> > > inserting references to beans, properties, methods, navigation actions, etc.
> > > which the attacker by design should not really have access to? I am thinking
> > > it might be possible for an attacker to inject ViewState which deserializes
> > > to a component tree the attacker should never have access to.
> > >
> > > Hope this makes sense. Any help much appreciated.
> > >
> > > cheers
> > >
> > > Kelly
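An added example covering both questions in the thread (it is not code from the thread, from Andrew's suggested state manager, or from the MyFaces project). The first half shows why the "binary" bytes in the decoded ViewState look the way they do: in a Java serialization stream each class name or string constant is a one-byte tag (`r` = TC_CLASSDESC, `t` = TC_STRING) followed by a two-byte big-endian length and then the text, which is why the poster saw `G` (0x47 = 71) before the 71-character TreeStructComponent class name and `)` (0x29 = 41) before `javax.faces.component.html.HtmlOutputText`. A heuristic scan for that pattern recovers the names without any source code. The second half shows the unsigned-token rewrite an attacker can perform, and the signing half of Andrew's "encryption and signing" (HMAC-SHA256 over the compressed state, checked before anything is gunzipped or deserialized). Assumptions, all labelled in the code: `SAMPLE_RAW` is a hand-built stand-in that is not a valid, deserializable stream; the token format and the `#{orderBean.submit}` / `#{adminBean.submit}` names are invented for the example; MyFaces's own wire format and parameters are not reproduced.

```python
"""Added example for the ViewState questions in this thread. It is not code
from the thread or from MyFaces. SAMPLE_RAW is a hand-built stand-in for a
serialized component tree: it carries the Java stream magic and a few
tag/length/UTF fragments, but it is NOT a valid, deserializable stream."""
import base64
import gzip
import hashlib
import hmac
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"   # java.io STREAM_MAGIC + STREAM_VERSION
TC_OBJECT = 0x73                     # 's'
TC_CLASSDESC = 0x72                  # 'r', followed by u2 length + class name
TC_STRING = 0x74                     # 't', followed by u2 length + string
MAC_LEN = hashlib.sha256().digest_size


def _utf(s: bytes) -> bytes:
    """u2 big-endian length prefix, as Java's writeUTF emits it."""
    return struct.pack(">H", len(s)) + s


# Constructed sample (assumption): the length bytes are exactly what showed up
# in the thread as 'G' (0x47 = 71) and ')' (0x29 = 41) in front of the names.
SAMPLE_RAW = (
    STREAM_MAGIC
    + bytes([TC_OBJECT, TC_CLASSDESC])
    + _utf(b"org.apache.myfaces.application.TreeStructureManager$TreeStructComponent")
    + b"FY\xd8\x9cJ\xf6\xcf\x00"     # placeholder for the 8-byte serialVersionUID
    + b"\x02\x00\x04"                # placeholder classDescFlags + field count
    + bytes([TC_STRING]) + _utf(b"javax.faces.component.html.HtmlOutputText")
    + bytes([TC_STRING]) + _utf(b"#{orderBean.submit}")   # invented method binding
)


def _printable(s: bytes) -> bool:
    return len(s) > 0 and all(0x20 <= b < 0x7F for b in s)


def decode_viewstate(token: str) -> bytes:
    """Undo what the thread observed: base64, then gunzip if compressed."""
    raw = base64.b64decode(token)
    if raw[:2] == b"\x1f\x8b":          # gzip magic
        raw = gzip.decompress(raw)
    return raw


def encode_viewstate(raw: bytes) -> str:
    return base64.b64encode(gzip.compress(raw)).decode("ascii")


def extract_names(raw: bytes) -> list:
    """Heuristic walk, no source code needed: a TC_CLASSDESC or TC_STRING
    tag, a u2 big-endian length, then that many bytes of UTF text. The
    'binary' bytes between names are tags, lengths, handles and UIDs.
    Not a full stream parser; it only answers 'what names are in here'."""
    if raw[:4] != STREAM_MAGIC:
        raise ValueError("not a Java serialization stream")
    names, i = [], 4
    while i + 3 <= len(raw):
        tag = raw[i]
        if tag in (TC_CLASSDESC, TC_STRING):
            (n,) = struct.unpack(">H", raw[i + 1:i + 3])
            s = raw[i + 3:i + 3 + n]
            if len(s) == n and _printable(s):
                names.append(("class" if tag == TC_CLASSDESC else "string", s.decode("ascii")))
                i += 3 + n
                continue
        i += 1
    return names


def forge_unsigned(token: str, old: bytes, new: bytes) -> str:
    """What an attacker can do when the token is neither signed nor encrypted:
    decode, swap one same-length name (keeps the u2 length valid), re-encode.
    The server has no way to tell this token from one it produced."""
    if len(old) != len(new):
        raise ValueError("keep the length so the u2 prefix stays valid")
    return encode_viewstate(decode_viewstate(token).replace(old, new))


def sign_viewstate(raw: bytes, key: bytes) -> str:
    """Encode-then-MAC: HMAC-SHA256 over the compressed body, tag appended.
    Token layout is this example's own, not MyFaces's wire format."""
    body = gzip.compress(raw)
    return base64.b64encode(body + hmac.new(key, body, hashlib.sha256).digest()).decode("ascii")


def verify_viewstate(token: str, key: bytes) -> bytes:
    """Reject anything not produced with our key before gunzip/deserialize."""
    blob = base64.b64decode(token)
    body, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if len(tag) != MAC_LEN or not hmac.compare_digest(expected, tag):
        raise ValueError("ViewState MAC mismatch: forged or tampered state")
    return gzip.decompress(body)


def tamper_signed(token: str, old: bytes, new: bytes) -> str:
    """Same edit against a signed token, keeping the old tag: verify rejects it."""
    blob = base64.b64decode(token)
    body, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    edited = gzip.compress(gzip.decompress(body).replace(old, new))
    return base64.b64encode(edited + tag).decode("ascii")


if __name__ == "__main__":
    key = b"server-side secret, never sent to the client"   # assumption
    print(extract_names(SAMPLE_RAW))
    forged = forge_unsigned(encode_viewstate(SAMPLE_RAW), b"#{orderBean.submit}", b"#{adminBean.submit}")
    print(extract_names(decode_viewstate(forged))[-1])
    try:
        verify_viewstate(tamper_signed(sign_viewstate(SAMPLE_RAW, key),
                                       b"#{orderBean.submit}", b"#{adminBean.submit}"), key)
    except ValueError as err:
        print(err)
```

Two points worth keeping in mind when reading it. The MAC check runs on the compressed bytes before `gzip.decompress`, so a forged token is discarded without the server processing any of its contents; that is the property that answers question 2. Signing alone does nothing for the "spying" concern, though: the bean, property and method names are still readable by anyone who base64-decodes and gunzips the token, which is the part that needs the encryption Andrew mentions and that Glauco's link says MyFaces already provides.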