JSF ViewState upside-down

Renaud Dubourguais and Nicolas Collignon released a nice paper on Java Server Faces security titled JSF ViewState upside-down (http://www.synacktiv.fr/ressources/JSF_ViewState_InYourFace.pdf).

JSF implementations are often used in J2EE applications. JSF uses ViewStates which have already been discussed for cryptographic weaknesses like with the oracle padding attack [PADDING]. ViewStates have also been abused to create client side attacks like Cross-Site Scripting [XSS]. But as shown in this research, they can also be used to perform much more dangerous attacks on web applications: