primefaces - IBM AppScan - Java Deserialization Code Execution - JSF 2.2 and PrimeFaces - JBoss 7.2 EAP
Problem description
Original post: IBM AppScan
We recently received results from IBM AppScan DAST, some of which do not make much sense.
Java Deserialization Code Execution
Parameter: **javax.faces.ViewState**
Risk(s): It is possible to run remote commands on the web server. This usually means complete compromise of the server and its contents
The following changes were applied to the original request:
Set the value of the parameter 'javax.faces.ViewState' to XXX
```http
POST /**/processitem.xhtml HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Win32)
Connection: keep-alive
Faces-Request: partial/ajax
X-Requested-With: XMLHttpRequest
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

javax.faces.partial.ajax=true&javax.faces.source=j_idt22%3Aj_idt23&javax.faces.partial.execute=%40all&javax.faces.partial.render=unreadCountForm&j_idt22%3Aj_idt23=j_idt22%3Aj_idt23&j_idt22=j_idt22
&
```
When I checked the logs, I saw a session timeout (error page).
This raises a ViewExpiredException, and I am not sure why AppScan considers it a vulnerability.
Looking for feedback and some insight.
Solution
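One way to triage a finding like this, as an added example that is not part of the original post: a small Python helper that classifies a captured javax.faces.ViewState value by what it actually carries, so a ViewExpiredException on a server-side token (an opaque key into the HTTP session) can be told apart from client-side state that is a raw Java serialization stream, which is the case that needs fixing. The Mojarra-style "<long>:<long>" token pattern and all sample values are assumptions, not taken from the request above.

```python
import base64
import binascii
import gzip
import re
from urllib.parse import parse_qs

# Magic of a java.io.ObjectOutputStream stream: STREAM_MAGIC 0xACED, STREAM_VERSION 5.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
GZIP_MAGIC = b"\x1f\x8b"
# Assumption: Mojarra-style server-side token "<long>:<long>", an opaque key into the session.
SERVER_TOKEN = re.compile(r"^-?\d{1,20}:-?\d{1,20}$")

def classify_viewstate(value: str) -> str:
    """Say what a URL-decoded javax.faces.ViewState value carries.

    'stateless'          JSF 2.2 transient view, nothing to restore
    'server-side-token'  key into the HTTP session; an unknown key gives ViewExpiredException
    'client-side-plain'  base64 of a raw (or gzip'd) Java serialization stream: the case to fix
    'client-side-opaque' base64 that is not a plain stream, e.g. encrypted client state
    'unknown'            not a ViewState shape at all, e.g. the scanner's "XXX" probe
    """
    v = value.strip()
    if not v:
        return "unknown"
    if v == "stateless":
        return "stateless"
    if SERVER_TOKEN.match(v):
        return "server-side-token"
    try:
        raw = base64.b64decode(v, validate=True)
    except binascii.Error:
        return "unknown"
    if raw.startswith(GZIP_MAGIC):
        try:
            raw = gzip.decompress(raw)  # compression alone hides nothing from an attacker
        except (OSError, EOFError):
            return "client-side-opaque"
    return "client-side-plain" if raw.startswith(JAVA_SERIAL_MAGIC) else "client-side-opaque"

def classify_form_body(body: str) -> str:
    """Pull javax.faces.ViewState out of a urlencoded POST body and classify it."""
    values = parse_qs(body, keep_blank_values=True).get("javax.faces.ViewState")
    return classify_viewstate(values[0]) if values else "missing"

def encode_client_state(stream: bytes, compress: bool = False) -> str:
    """Build a client-side ViewState value the way a container would (constructed test data)."""
    return base64.b64encode(gzip.compress(stream) if compress else stream).decode("ascii")
```

Run it over the ViewState values from your own captured requests; a result of "server-side-token" together with a ViewExpiredException in the log is the situation described in the post, while "client-side-plain" is the one to take to the JSF state-saving configuration.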