$JSF ViewState client side storage

Description

JavaServer Faces (JSF) is a Java specification for building component-based user interfaces for web applications. There are two ViewState storage methods: server side and client side. By default, most implementations are configured to use server side storage. However, your application is configured to store ViewState on the client side. For security reasons, server side storage is highly recommended as client side storage can cause a lot of security issues. If you really need to use client side storage make sure the ViewState is encrypted and an integrity check is performed on the ViewState value. Consult web references for more information about the dangers of JSF ViewState client side storage.

Remediation

If possible, it's recommended to change the ViewState saving method to client side. To do so, add the following lines of code to your web.xml file:

<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
</context-param>

References
Severity
Classification
Tags
  • Abuse Of Functionality   Configuration