Securing web applications with JSF2 is a lot easier. Java EE provides many security features. Let's examine these features in the context of the OWASP Top Ten, actually try to attack the application, and analyze the results.
XSS or Cross-Site Scripting: Protection against XSS is built in and enabled by default. I created a sample application using NetBeans, which has a nice code generator for JSF2 CRUD operations.
JSF code to display a field: <h:outputText value="#{item.description}" />
Let's inject an XSS vector from http://ha.ckers.org/xss.html.
Result after injecting JavaScript into the description field:
Note that the JavaScript is displayed in the table as is; it is not executed. Another screenshot, with IE:
I got a similar result with Chrome.
Then I modified the JSF to disable output escaping, so it no longer protects against XSS: <h:outputText value="#{item.description}" escape="false"/>
Popup in Firefox
Hacked result in Firefox
Hacked result in IE
Hacked result in Chrome. Interestingly, Chrome was not able to render the page.
Conclusion: JSF provides XSS protection by default. I will soon present the results of more attacks.
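As an added example (not code from the original post), the following Java program models what the two outputText tags above render for an injected value and also scans a facelet snippet for outputText tags that set escape="false". The renderOutputText method is a simplified assumption about the escaping JSF applies, not Mojarra's own HtmlUtils code; the payload and facelet snippet are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
public class OutputTextEscapeDemo {
    // Simplified model of the escaping <h:outputText> applies by default
    // (an assumption about its behaviour, not Mojarra's own HtmlUtils code).
    static String renderOutputText(String value, boolean escape) {
        if (!escape) {
            return value; // escape="false": the raw value lands in the HTML
        }
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    // Audit check: every outputText tag in a facelet that disables escaping.
    private static final Pattern UNESCAPED = Pattern.compile(
            "<h:outputText[^>]*\\bescape\\s*=\\s*\"false\"[^>]*/?>", Pattern.CASE_INSENSITIVE);
    static List<String> findUnescapedOutputText(String facelet) {
        List<String> hits = new ArrayList<>();
        Matcher m = UNESCAPED.matcher(facelet);
        while (m.find()) {
            hits.add(m.group());
        }
        return hits;
    }
    public static void main(String[] args) {
        // Constructed payload of the kind the post injects into the description field.
        String description = "<script>alert(1)</script>";
        System.out.println("default      : " + renderOutputText(description, true));
        System.out.println("escape=false : " + renderOutputText(description, false));
        // Constructed facelet snippet containing the two tags from the post.
        String facelet = "<h:outputText value=\"#{item.description}\" />\n"
                       + "<h:outputText value=\"#{item.description}\" escape=\"false\"/>";
        for (String hit : findUnescapedOutputText(facelet)) {
            System.out.println("escaping disabled in: " + hit);
        }
    }
}
```

With the default the script tag is emitted as &lt;script&gt;, which the browser shows as text, while escape="false" emits it unchanged; the audit loop reports only the second tag.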
1 comment:
Hi, very good findings on JSF2. Appreciate your effort. :)