October 27, 2018

CSRF Support Out-Of-Box in EE 7 (JSF 2.2)

Example: https://www.oracle.com/webfolder/technetwork/tutorials/obe/java/JSF-CSRF-Demo/JSF2.2CsrfDemo.html


<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:h="http://java.sun.com/jsf/html" xmlns:f="http://java.sun.com/jsf/core">
<h:head>
    <title>JSF 2.2 CSRF</title>
</h:head>
<h:body>
    <h:form>
        <p>Go to a protected page via postback</p>
        <p>
            <h:commandButton id="button_postback" value="Go to protected view" action="/result" />
        </p>
    </h:form>
</h:body>
</html>

If we look at the generated source, we see that JSF has added a hidden javax.faces.ViewState field to the form.

"The hidden view state field is very similar to a CSRF token, but its purpose is to find the session state associated with the request. Basically, that's already what the session id does. But JSF also supports the browser's "back" button. To do so, it stores more than one session state. The JSF implementation I analyzed this morning, Mojarra 2.2.12, uses an LRU cache with up to 15 entries. In other words: you can go back as far as fifteen steps in the history. That should be enough for most use cases."

"The view state token consists of two parts. The first part never changes. It's associated with the session. The second part is associated with a certain point of time in history. In other words: it changes with every post request. In that, it's similar to the one-time-token I mentioned above."


<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"><head id="j_idt2">
    <title>JSF 2.2 CSRF</title></head><body>
<form id="j_idt5" name="j_idt5" method="post" action="/example-javaee7/faces/person.xhtml" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="j_idt5" value="j_idt5" />

        <p>Go to a protected page via postback</p>
        <p><input id="button_postback" type="submit" name="button_postback" value="Go to protected view" />
        </p>
        <input type="hidden" name="javax.faces.ViewState" id="j_id1:javax.faces.ViewState:0" value="3375434139797034458:2702846074378544391" autocomplete="off" />
</form></body>
</html>
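The two-part token and the fifteen-step history window described in the quoted passages, modelled in Python as an added example written for this note (it is not Mojarra or JSF code). Session ids, token lengths, the hex token format and the saved state are all constructed for illustration; the real value rendered above is two numbers joined by a colon, and this model keeps only that colon-separated shape. The cases at the end show why a forged cross-site POST fails even though the browser attaches the victim's session cookie.

```python
"""Model of server-side JSF view state acting as a CSRF token.

Added example for this page; it is not Mojarra or JSF code. It follows the
shape described in the quoted text: the token has a session part that never
changes and a view part that changes on every render, and the server keeps
at most 15 views per session in an LRU cache. Token format, token length,
session ids and the saved state are constructed for illustration.
"""
from collections import OrderedDict
import secrets

MAX_VIEWS_PER_SESSION = 15  # history window quoted on the page for Mojarra 2.2.12


class ViewStateStore:
    """Per-session LRU of rendered views, keyed by the per-view token."""

    def __init__(self, capacity=MAX_VIEWS_PER_SESSION):
        self.capacity = capacity
        # session_id -> (session_part, OrderedDict[view_part -> saved state])
        self._sessions = {}

    def _session(self, session_id):
        if session_id not in self._sessions:
            # The session part is minted once and reused for every view in the session.
            self._sessions[session_id] = (secrets.token_hex(8), OrderedDict())
        return self._sessions[session_id]

    def render(self, session_id, state):
        """Save the state of a view being rendered; returns the hidden field value."""
        session_part, views = self._session(session_id)
        view_part = secrets.token_hex(8)  # fresh on every render, like a one-time token
        views[view_part] = state
        while len(views) > self.capacity:
            views.popitem(last=False)  # drop the least recently used view
        return f"{session_part}:{view_part}"

    def restore(self, session_id, submitted):
        """Look up the state for a postback; None means the request is rejected."""
        if session_id not in self._sessions or not isinstance(submitted, str):
            return None
        session_part, views = self._sessions[session_id]
        parts = submitted.split(":")
        if len(parts) != 2:
            return None
        sess, view = parts
        # Constant-time compare: the session part must belong to the cookie's session.
        if not secrets.compare_digest(sess.encode(), session_part.encode()):
            return None
        if view not in views:
            return None  # never issued, forged, or already evicted from the history window
        views.move_to_end(view)  # mark as recently used
        return views[view]


def demo():
    """Walk through the cases a defender cares about; returns a dict of outcomes."""
    store = ViewStateStore()
    victim, attacker = "sid-victim", "sid-attacker"  # constructed session ids
    out = {}

    first = store.render(victim, {"view": "/person.xhtml", "step": 1})
    # 1. Normal postback: cookie session and token session agree, view is known.
    out["valid_postback"] = store.restore(victim, first) == {"view": "/person.xhtml", "step": 1}

    # 2. Cross-site POST: the browser attaches the victim's cookie, but the foreign
    #    page cannot read the hidden field, so the token is absent or guessed.
    out["missing_token"] = store.restore(victim, "") is None
    out["guessed_token"] = store.restore(victim, "0:0") is None

    # 3. A token issued for a different session does not transfer.
    foreign = store.render(attacker, {"view": "/person.xhtml", "step": 1})
    out["foreign_session_token"] = store.restore(victim, foreign) is None

    # 4. Back button: an older view inside the window still restores.
    for step in range(2, 5):
        store.render(victim, {"view": "/person.xhtml", "step": step})
    out["back_button"] = store.restore(victim, first) is not None

    # 5. Beyond 15 views the oldest entry is evicted and its token stops working.
    for step in range(5, 21):
        store.render(victim, {"view": "/person.xhtml", "step": step})
    out["evicted_after_window"] = store.restore(victim, first) is None
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

Each case in `demo()` maps to a sentence in the quotes: the session part ties the token to the cookie's session, the view part is fresh per render, and the LRU window is what makes the back button work while still bounding how long any one token stays valid.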
