Security Techniques

JSF ViewState upside-down

Renaud Dubourguais and Nicolas Collignon released a nice paper on Java Server Faces security titled JSF ViewState upside-down (

JSF implementations are often used in J2EE applications. JSF uses ViewStates which have already been discussed for cryptographic weaknesses like with the oracle padding attack [PADDING]. ViewStates have also been abused to create client side attacks like Cross-Site Scripting [XSS]. But as shown in this research, they can also be used to perform much more dangerous attacks on web applications:

  • Business data leak
  • Direct object references exploitation
  • Bypassing user inputs validators
  • Arbitrary code execution