JSF ViewState

What is JSF?

JSF (JavaServer Faces) is a Java library for building user interfaces from reusable components. Communication between client and server relies on the ViewState. The most common JSF implementations are:

  • Apache MyFaces

  • Oracle Mojarra (JSF reference implementation)

A few words about ViewState

As mentioned in the section above, JSF is directly tied to the ViewState. But what is it?

The ViewState holds information about the current view of the web application: it describes which components should currently be displayed to the user.

Client Side

A serialized Java object carrying all information about the view is kept on the client side. It should be:

- At least Base64 encoded

- Encrypted and signed before being sent to the client

Modification of an unprotected ViewState = tampering with a serialized Java object = potential RCE

The ViewState can be stored on the client side or on the server side. JSF ViewStates are typically embedded automatically into HTML forms as a hidden field with the name:

javax.faces.ViewState

They are sent back to the server if the form is submitted.

Server Side

A serialized Java object containing an ID that points to the view information held on the server side.

When the JSF ViewState is configured to be stored on the server, the hidden javax.faces.ViewState field contains an identifier that allows the server to retrieve the corresponding state.

In the case of MyFaces, this identifier is actually a serialized Java object.

The preconditions for a successful attack

Now, what are the ingredients for a disaster?

  • unencrypted ViewState

  • Gadget on the classpath of the server

  • In case of Mojarra: ViewState configured to reside on the client

  • In case of MyFaces: ViewState configured to reside on the client or the server

Let’s have a look at those points in relation to the two JSF implementations.
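The preconditions above, turned into a configuration audit (an added example, not code from the original page): it parses a web.xml, reads the context parameters and reports which of the listed preconditions the deployment satisfies. The web.xml is constructed inline; javax.faces.STATE_SAVING_METHOD and org.apache.myfaces.USE_ENCRYPTION are the standard context-parameter names (the latter is not named on this page), and the implementation and Mojarra version are assumptions the caller must supply, because web.xml does not reveal which JSF jar is deployed.

```python
"""Audit a JSF web.xml for the ViewState attack preconditions listed above."""
import xml.etree.ElementTree as ET


def make_web_xml(params: dict) -> str:
    """Build a minimal, constructed web.xml containing the given context-params."""
    body = "".join(
        f"  <context-param>\n    <param-name>{k}</param-name>\n"
        f"    <param-value>{v}</param-value>\n  </context-param>\n"
        for k, v in params.items()
    )
    return ('<?xml version="1.0" encoding="UTF-8"?>\n<web-app '
            f'xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">\n{body}</web-app>\n')


def context_params(web_xml: str) -> dict:
    """Return {param-name: param-value}, ignoring the Java EE XML namespace."""
    params = {}
    for elem in ET.fromstring(web_xml).iter():
        if elem.tag.split("}")[-1] != "context-param":
            continue
        fields = {c.tag.split("}")[-1]: (c.text or "").strip() for c in elem}
        if "param-name" in fields:
            params[fields["param-name"]] = fields.get("param-value", "")
    return params


def audit_viewstate(web_xml: str, implementation: str, mojarra_below_2_2: bool = False) -> list:
    """List the preconditions from the text that this configuration satisfies.
    implementation ("mojarra"/"myfaces") and the version flag are supplied by the
    caller, since web.xml does not reveal which JSF jar is deployed (assumption)."""
    p = {k: v.lower() for k, v in context_params(web_xml).items()}
    client_side = p.get("javax.faces.STATE_SAVING_METHOD", "server") == "client"
    findings = []
    if implementation == "mojarra" and client_side:
        # Mojarra is exposed only when the serialized state travels to the client
        # unencrypted: always before 2.2, or when encryption has been switched off.
        if mojarra_below_2_2:
            findings.append("client-side state on Mojarra < 2.2 (unencrypted)")
        elif p.get("com.sun.faces.disableClientStateEncryption", "false") == "true":
            findings.append("client-side state with com.sun.faces.disableClientStateEncryption=true")
    elif implementation == "myfaces":
        # MyFaces serializes the state (client) or the state id (server) either way,
        # so the encryption switch matters whichever side holds the state.
        if p.get("org.apache.myfaces.USE_ENCRYPTION", "true") == "false":
            findings.append("org.apache.myfaces.USE_ENCRYPTION=false")
    return findings


if __name__ == "__main__":
    weak = make_web_xml({"javax.faces.STATE_SAVING_METHOD": "client",
                         "com.sun.faces.disableClientStateEncryption": "true"})
    print(audit_viewstate(weak, "mojarra"))
```

An empty result means none of the listed preconditions is met by the configuration alone; the gadget-on-the-classpath condition still has to be checked against the deployed jars.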

Oracle Mojarra Exploitation

For earlier versions:

  1. Make sure the Mojarra version is lower than 2.2.

  2. Validate that the serialized object is configured to be stored on the client side.

  3. In these older versions the serialized object is not encrypted in any way.

For later versions:

  1. Check whether client-state encryption has been switched off through the com.sun.faces.disableClientStateEncryption context parameter.

MyFaces Exploitation

  1. Create the payload (a serialized Java object) with ysoserial or a modified ysoserial.

  2. Use the following script to encrypt the payload:

https://hacktricks.boitatech.com.br/pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization#custom-encryption

  3. If it does not work, try other ysoserial gadgets and make sure the encryption uses the same algorithms as the encryption script.

Deeper understanding of Java JSF ViewState Deserialization

It also contains a web application communication schema and an example attack.
