HawkScan Test Info for Insecure JSF ViewState

Insecure JSF ViewState

Reference

Plugin Id: 90001 | CWE: 642

Remediation

  1. Enable ViewState MAC: Configure the application to enable a Message Authentication Code (MAC) on ViewState data so that modified state is rejected.
  2. Implement encryption: Enable ViewState encryption to protect sensitive state information from tampering.
  3. Use strong keys: Ensure strong, application-specific keys are used for ViewState protection.
  4. Validate configuration: Verify that ViewState protection is properly configured in web.config or application settings.
  5. Regular testing: Periodically test ViewState security to ensure protections remain effective.
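As an added example for step 5 (not part of HawkScan or of any JSF implementation), the helper below classifies a `javax.faces.ViewState` value the way a periodic check would: a numeric `id:id` server-side token is assumed to be the default Mojarra/MyFaces form, a `stateless` marker needs no protection, and client-side state that base64-decodes (directly or after gunzip) to a Java serialization stream header is flagged as unencrypted. The sample values are constructed, not captured from a real application.

```python
import base64
import gzip
import re
import zlib
from urllib.parse import unquote

SERIALIZED_MAGIC = b"\xac\xed\x00\x05"  # Java ObjectOutputStream header
GZIP_MAGIC = b"\x1f\x8b"                 # client state is often compressed first
SERVER_TOKEN_RE = re.compile(r"^-?\d+:-?\d+$")  # assumed default server-side token form


def classify_viewstate(value: str) -> str:
    """Coarse classification of a javax.faces.ViewState form value.

    stateless     - JSF 2.2 stateless view, nothing to protect
    server-token  - opaque id; serialized state never leaves the server
    client-plain  - client-side state readable as Java serialization: no encryption
    client-opaque - client-side state that is not plain serialization (encrypted or unknown)
    invalid       - not a base64 blob at all
    """
    value = unquote(value).strip()  # values copied from a request body may be URL-encoded
    if value == "stateless":
        return "stateless"
    if SERVER_TOKEN_RE.match(value):
        return "server-token"
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid"
    if raw.startswith(GZIP_MAGIC):
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError, zlib.error):
            return "client-opaque"  # gzip header but undecodable body: treat as opaque
    return "client-plain" if raw.startswith(SERIALIZED_MAGIC) else "client-opaque"


def needs_remediation(value: str) -> bool:
    """True when the value exposes unencrypted, deserializable state to the client."""
    return classify_viewstate(value) == "client-plain"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed samples: a fake serialization stream and arbitrary bytes standing in for ciphertext.
FAKE_STATE = SERIALIZED_MAGIC + b"sr\x00\x11java.lang.Integer\x12\xe2\xa0\xa4\xf7\x81\x87\x38"
SAMPLES = {
    "plain": _b64(FAKE_STATE),
    "gzipped": _b64(gzip.compress(FAKE_STATE)),
    "opaque": _b64(bytes(range(0x9C, 0x9C + 24))),
}
```

Run `classify_viewstate()` over the ViewState values captured from each page of a test session; any `client-plain` result means remediation steps 1 to 3 are not in effect.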

About

Insecure JSF ViewState occurs when web applications expose ViewState data without proper cryptographic protections such as Message Authentication Codes (MAC) or encryption. This allows attackers to potentially tamper with application state, manipulate user sessions, or perform unauthorized actions.

Risks

High

Unprotected ViewState can enable state tampering attacks, session manipulation, privilege escalation, and unauthorized access to application functionality through ViewState deserialization vulnerabilities.