From 57f7c8ddad8fe18af2cb706622894b00880a3b41 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Wed, 27 Nov 2024 15:29:33 +0100
Subject: [PATCH] ViewState Java
---
Insecure Deserialization/Java.md | 68 ++++++++++++++++++++++++++++++++
1 file changed, 68 insertions(+)
diff --git a/Insecure Deserialization/Java.md b/Insecure Deserialization/Java.md
index 71e34af..95d37f8 100644
--- a/Insecure Deserialization/Java.md
+++ b/Insecure Deserialization/Java.md
@@ -11,6 +11,7 @@
* [Burp extensions using ysoserial](#burp-extensionsl)
* [Alternative Tooling](#alternative-tooling)
* [YAML Deserialization](#yaml-deserialization)
+* [ViewState](#viewstate)
* [References](#references)
@@ -146,13 +147,80 @@ SnakeYAML
```
+## ViewState
+
+In Java, ViewState refers to the mechanism used by frameworks like JavaServer Faces (JSF) to maintain the state of UI components between HTTP requests in web applications. There are 2 major implementations:
+
+* Oracle Mojarra (JSF reference implementation)
+* Apache MyFaces
+
+**Tools**:
+
+* [joaomatosf/jexboss](https://github.com/joaomatosf/jexboss) - JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation Tool
+* [Synacktiv-contrib/inyourface](https://github.com/Synacktiv-contrib/inyourface) - InYourFace is a software used to patch unencrypted and unsigned JSF ViewStates.
+
+
+### Encoding
+
+| Encoding | Starts with |
+| ------------- | ----------- |
+| base64 | `rO0` |
+| base64 + gzip | `H4sIAAA` |
+
+
+### Storage
+
+The `javax.faces.STATE_SAVING_METHOD` is a configuration parameter in JavaServer Faces (JSF). It specifies how the framework should save the state of a component tree (the structure and data of UI components on a page) between HTTP requests.
+
+The storage method can also be inferred from the viewstate representation in the HTML body.
+
+* **Server side** storage: `value="-XXX:-XXXX"`
+* **Client side** storage: `base64 + gzip + Java Object`
+
+
+### Encryption
+
+By default MyFaces uses DES as encryption algorithm and HMAC-SHA1 to authenticate the ViewState. It is possible and recommended to configure more recent algorithms like AES and HMAC-SHA256.
+
+| Encryption Algorithm | HMAC |
+| -------------------- | ----------- |
+| DES ECB (default) | HMAC-SHA1 |
+
+Supported encryption methods are BlowFish, 3DES, AES and are defined by a context parameter.
+The value of these parameters and their secrets can be found inside these XML clauses.
+
+```xml
+org.apache.myfaces.MAC_ALGORITHM
+org.apache.myfaces.SECRET
+org.apache.myfaces.MAC_SECRET
+```
+
+Common secrets from the [documentation](https://cwiki.apache.org/confluence/display/MYFACES2/Secure+Your+Application).
+
+| Name | Value |
+| -------------------- | ---------------------------------- |
+| AES CBC/PKCS5Padding | `NzY1NDMyMTA3NjU0MzIxMA==` |
+| DES | `NzY1NDMyMTA=<` |
+| DESede | `MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz` |
+| Blowfish | `NzY1NDMyMTA3NjU0MzIxMA` |
+| AES CBC | `MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz` |
+| AES CBC IV | `NzY1NDMyMTA3NjU0MzIxMA==` |
+
+
+* **Encryption**: Data -> encrypt -> hmac_sha1_sign -> b64_encode -> url_encode -> ViewState
+* **Decryption**: ViewState -> url_decode -> b64_decode -> hmac_sha1_unsign -> decrypt -> Data
+
## References
- [Detecting deserialization bugs with DNS exfiltration - Philippe Arteau - March 22, 2017](https://www.gosecure.net/blog/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/)
+- [Hack The Box - Arkham - 0xRick - August 10, 2019](https://0xrick.github.io/hack-the-box/arkham/)
- [How I found a $1500 worth Deserialization vulnerability - Ashish Kunwar - August 28, 2018](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a)
- [Jackson CVE-2019-12384: anatomy of a vulnerability class - Andrea Brancaleoni - July 22, 2019](https://blog.doyensec.com/2019/07/22/jackson-gadgets.html)
+- [Java Deserialization in ViewState - Haboob Team - December 23, 2020](https://www.exploit-db.com/docs/48126)
- [Java-Deserialization-Cheat-Sheet - Aleksei Tiurin - May 23, 2023](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
+- [JSF ViewState upside-down - Renaud Dubourguais, Nicolas Collignon - March 15, 2016](https://www.synacktiv.com/ressources/JSF_ViewState_InYourFace.pdf)
+- [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - Peter Stöckli - August 14, 2017](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html)
- [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - Peter Stöckli - August 14, 2017](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html)
- [On Jackson CVEs: Don’t Panic — Here is what you need to know - cowtowncoder - December 22, 2017](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062#da96)
- [Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) - Michael Stepankin (@artsploit) - June 29, 2021](https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464)