
Original Post IBM AppScan

We recently received results from IBM AppScan DAST and some of the results don't make much sense.

Java Deserialization Code Execution

Parameter: **javax.faces.ViewState**
Risk(s): It is possible to run remote commands on the web server. This usually means complete compromise of the server and its contents

The following changes were applied to the original request:
Set the value of the parameter 'javax.faces.ViewState' to XXX



POST /**/processitem.xhtml HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Win32)
Connection: keep-alive
Faces-Request: partial/ajax
X-Requested-With: XMLHttpRequest
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
javax.faces.partial.ajax=true&javax.faces.source=j_idt22%3Aj_idt23&javax.faces.partial.execute=%40all&javax.faces.partial.render=unreadCountForm&j_idt22%3Aj_idt23=j_idt22%3Aj_idt23&j_idt22=j_idt22
&

When I checked the logs I saw Session Timeout (an error page).

This would throw a ViewExpiredException and I am not sure why AppScan believes it is a vulnerability.

Looking for feedback and some insight.

Ravi
  • Most probably the request was an ajax request and in case of exceptions it won't return HTTP status code 500 but 200 and hence the tool got confused. – BalusC May 10 '20 at 10:18
  • 100% agree, we have had our apps professionally penetration tested by 3rd party firms and whenever they touch the ViewState they can't do anything so they give us high marks for having a CSRF token in place. Once again this is a nonsense report from an automated tool. – Melloware May 10 '20 at 12:33
  • @BalusC I have updated and it is indeed the ajax request. – Ravi May 10 '20 at 14:23
  • Then that's definitely a false positive. There are workarounds but these will end up in a worse experience for real users. – BalusC May 10 '20 at 14:30
  • @BalusC: looks like this justifies another valid and simple answer by you ;-) – Kukeltje May 10 '20 at 15:27
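The point made in the comments (a JSF AJAX postback reports an exception inside a `<partial-response>` document with HTTP 200, so a scanner keying on status codes misreads a rejected ViewState as code execution) can be turned into a triage check. The script below is an added example, not code from the question, the commenters, IBM AppScan or any JSF implementation; the three sample responses are constructed in the shape of the JSF partial-response format (`<error>`, `<redirect>`, `<changes>/<update>`), the exact error-message wording is illustrative, and the function names are my own.

```python
"""Triage helper for DAST findings against JSF AJAX endpoints (added example).

JSF answers a javax.faces.partial.ajax=true request with an XML
<partial-response> document. When the postback throws (for example a
ViewExpiredException after a tampered javax.faces.ViewState), the exception
is serialised into <error> and the HTTP status stays 200, so the response
body, not the status code, tells you whether the server rejected the view.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class Triage:
    verdict: str   # jsf-exception | jsf-redirect | partial-update | server-error | other
    detail: str


def classify_jsf_ajax_response(status: int, content_type: str, body: str) -> Triage:
    """Classify one HTTP response to a JSF AJAX postback."""
    if status >= 500:
        return Triage("server-error", f"HTTP {status}")
    if "xml" not in content_type.lower():
        return Triage("other", f"non-XML body with HTTP {status}")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return Triage("other", f"unparseable XML: {exc}")
    if root.tag != "partial-response":
        return Triage("other", f"unexpected root element <{root.tag}>")
    err = root.find("error")
    if err is not None:
        name = (err.findtext("error-name") or "").strip()
        msg = (err.findtext("error-message") or "").strip()
        return Triage("jsf-exception", f"{name}: {msg}")
    redirect = root.find("redirect")
    if redirect is not None:
        return Triage("jsf-redirect", redirect.get("url", ""))
    updates = root.findall("changes/update")
    return Triage("partial-update", f"{len(updates)} <update> element(s)")


def needs_manual_review(triage: Triage) -> bool:
    """False when the body itself explains the finding as a rejected or
    expired view (the false-positive pattern from the question); True when
    the tampered request was processed normally or produced something else."""
    if triage.verdict == "jsf-exception" and "ViewExpiredException" in triage.detail:
        return False
    if triage.verdict == "jsf-redirect":
        return False
    return True


# Constructed sample responses (assumed shapes, not captured from any real app).
VIEW_EXPIRED = (
    "<?xml version='1.0' encoding='UTF-8'?>"
    "<partial-response><error>"
    "<error-name>class javax.faces.application.ViewExpiredException</error-name>"
    "<error-message><![CDATA[viewId:/processitem.xhtml - View could not be restored.]]>"
    "</error-message></error></partial-response>"
)
TIMEOUT_REDIRECT = (
    "<?xml version='1.0' encoding='UTF-8'?>"
    '<partial-response><redirect url="/timeout.xhtml"></redirect></partial-response>'
)
NORMAL_UPDATE = (
    "<?xml version='1.0' encoding='UTF-8'?>"
    '<partial-response id="j_id1"><changes>'
    '<update id="unreadCountForm"><![CDATA[<form id="unreadCountForm">3</form>]]></update>'
    '<update id="j_id1:javax.faces.ViewState:0"><![CDATA[-123:456]]></update>'
    "</changes></partial-response>"
)

if __name__ == "__main__":
    for label, body in (("expired", VIEW_EXPIRED),
                        ("redirect", TIMEOUT_REDIRECT),
                        ("normal", NORMAL_UPDATE)):
        t = classify_jsf_ajax_response(200, "text/xml;charset=UTF-8", body)
        print(f"{label:9} -> {t.verdict:15} review={needs_manual_review(t)}  {t.detail}")
```

Run it over the raw response bodies a scanner stores with each finding: an `<error>` naming `ViewExpiredException` or a `<redirect>` to the timeout page means the framework refused the tampered view, which is the benign outcome described in the comments. A `partial-update` verdict for a request whose ViewState was altered is the case worth a human look, because it means the modified state was accepted and processed.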

0 Answers