Details
Alert ID 90001
Alert Type Passive
Status release
Risk Medium
CWE 642
WASC 14
Technologies Targeted All
Tags CWE-642
OWASP_2017_A06
OWASP_2021_A04
More Info Scan Rule Help

Summary

The response at the following URL contains a ViewState value that has no cryptographic protections.

Solution

Secure VIEWSTATE with a MAC specific to your environment.

Other Info

JSF ViewState [<input type="hidden" id="javax.faces.viewstate" value="1231"] is insecure.
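The following is an added illustration for this alert, not the ZAP rule implementation referenced under Code below. It shows how a passive check of this kind can be built: pull every `javax.faces.ViewState` hidden field out of an HTML response and classify its value. The heuristics are assumptions of this example: a `number:number` value is treated as a server-side state identifier, a base64 blob that (after optional gunzip) starts with the Java serialization magic bytes is plaintext state with no MAC, and a decoded blob shorter than 16 bytes is too short to carry a MAC. The sample HTML and state values are constructed inline.

```python
"""Heuristic classifier for JSF javax.faces.ViewState values.

Illustrative example, not the ZAP scan rule. Sample inputs are constructed.
"""
import base64
import binascii
import gzip
import re

# Leading bytes of a Java serialization stream and of a gzip member.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
GZIP_MAGIC = b"\x1f\x8b"
# Assumption: a MAC alone is at least 16 bytes, so anything shorter cannot be protected.
MIN_PROTECTED_LEN = 16

INPUT_TAG_RE = re.compile(r"<input\b[^>]*>", re.I)
VIEWSTATE_ID_RE = re.compile(r'\b(?:id|name)\s*=\s*"javax\.faces\.viewstate"', re.I)
VALUE_RE = re.compile(r'\bvalue\s*=\s*"([^"]*)"', re.I)
# Assumption: server-side state saving exposes only an id of the form "<n>:<n>".
SERVER_SIDE_RE = re.compile(r"^-?\d+:-?\d+$")


def extract_viewstates(html: str) -> list:
    """Return the value of every input whose id or name is javax.faces.ViewState."""
    values = []
    for match in INPUT_TAG_RE.finditer(html):
        tag = match.group(0)
        if VIEWSTATE_ID_RE.search(tag):
            value = VALUE_RE.search(tag)
            if value:
                values.append(value.group(1).strip())
    return values


def classify_viewstate(value: str) -> str:
    """Classify one ViewState value; only some classes indicate missing protection."""
    if SERVER_SIDE_RE.match(value):
        return "server-side"
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    if raw.startswith(GZIP_MAGIC):
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError):
            return "undecodable-gzip"
    if raw.startswith(JAVA_SERIAL_MAGIC):
        return "plaintext-serialized"
    if len(raw) < MIN_PROTECTED_LEN:
        return "too-short-for-mac"
    return "opaque"


def is_insecure(value: str) -> bool:
    """True when the value is readable client-side state with no room for a MAC."""
    return classify_viewstate(value) in {"plaintext-serialized", "too-short-for-mac"}


def scan_response(html: str) -> list:
    """Return (value, classification, insecure) for each ViewState in the response."""
    return [(v, classify_viewstate(v), is_insecure(v)) for v in extract_viewstates(html)]


# Constructed sample values (not captured from any real application).
SAMPLE_SERIALIZED = base64.b64encode(JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x09DemoState").decode()
SAMPLE_GZIPPED = base64.b64encode(gzip.compress(JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x09DemoState")).decode()
SAMPLE_OPAQUE = base64.b64encode(bytes(range(48))).decode()
SAMPLE_SERVER_SIDE = "-1234567:8901234"
SAMPLE_HTML = (
    '<form method="post"><input type="hidden" name="javax.faces.ViewState" '
    'id="javax.faces.ViewState" value="' + SAMPLE_SERIALIZED + '">'
    '<input type="hidden" name="other" value="x"></form>'
)

if __name__ == "__main__":
    for value, cls, insecure in scan_response(SAMPLE_HTML):
        print(f"{cls:22} insecure={insecure} value={value[:24]}...")
```

The `opaque` class is the expected outcome for state that has been encrypted and MAC'd, since nothing recognisable survives decoding; `not-base64` and `undecodable-gzip` are left for manual review rather than flagged, because the heuristic cannot tell what they are.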

References

Code

org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRule.java