I'm upgrading a webapp from JSF 1.2 to JSF 2.1 (using the Apache MyFaces implementation). The app is also using Seam, and to prevent XSRF attacks I was using the <s:token> tag.

Now I wonder if the <s:token> is still necessary with JSF 2.1. Can anyone provide me with some information on this?

Cheers, Frank
JSF 1.x was CSRF-sensitive because the value of the hidden input field javax.faces.ViewState was easily predictable. It was composed of some fixed prefix value with an incremental numeric suffix. So, when the JSF 1.x webapp had an XSS hole (which is fairly easy to accidentally overlook in legacy JSP), one could easily prepare a CSRF attack by predicting the next javax.faces.ViewState value based on the current value (and relying on the JSF 1.0/1.1 feature of blindly creating a new view instead of throwing ViewExpiredException).

Since JSF 2.x, both XSS and CSRF attacks are much harder to accomplish. Note that without an XSS hole, it's practically impossible to prepare a successful CSRF attack. JSP's successor Facelets has implicit XSS attack prevention. The only way to have an XSS hole in JSF 2.x is explicitly using <h:outputText escape="false"> on user-controlled input. Even then, if there is one, the hidden input field javax.faces.ViewState is now a long and auto-generated value. It's not possible to predict the next value for this.

So, the <s:token> doesn't really have any value anymore in JSF 2.x.

See also: