From 57f7c8ddad8fe18af2cb706622894b00880a3b41 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Wed, 27 Nov 2024 15:29:33 +0100 Subject: [PATCH] ViewState Java --- Insecure Deserialization/Java.md | 68 ++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) diff --git a/Insecure Deserialization/Java.md b/Insecure Deserialization/Java.md index 71e34af..95d37f8 100644 --- a/Insecure Deserialization/Java.md +++ b/Insecure Deserialization/Java.md @@ -11,6 +11,7 @@ * [Burp extensions using ysoserial](#burp-extensionsl) * [Alternative Tooling](#alternative-tooling) * [YAML Deserialization](#yaml-deserialization) +* [ViewState](#viewstate) * [References](#references) @@ -146,13 +147,80 @@ SnakeYAML ``` +## ViewState + +In Java, ViewState refers to the mechanism used by frameworks like JavaServer Faces (JSF) to maintain the state of UI components between HTTP requests in web applications. There are 2 major implementations: + +* Oracle Mojarra (JSF reference implementation) +* Apache MyFaces + +**Tools**: + +* [joaomatosf/jexboss](https://github.com/joaomatosf/jexboss) - JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation Tool +* [Synacktiv-contrib/inyourface](https://github.com/Synacktiv-contrib/inyourface) - InYourFace is a software used to patch unencrypted and unsigned JSF ViewStates. + + +### Encoding + +| Encoding | Starts with | +| ------------- | ----------- | +| base64 | `rO0` | +| base64 + gzip | `H4sIAAA` | + + +### Storage + +The `javax.faces.STATE_SAVING_METHOD` is a configuration parameter in JavaServer Faces (JSF). It specifies how the framework should save the state of a component tree (the structure and data of UI components on a page) between HTTP requests. + +The storage method can also be inferred from the viewstate representation in the HTML body. + +* **Server side** storage: `value="-XXX:-XXXX"` +* **Client side** storage: `base64 + gzip + Java Object` + + +### Encryption + +By default MyFaces uses DES as encryption algorithm and HMAC-SHA1 to authenticate the ViewState. It is possible and recommended to configure more recent algorithms like AES and HMAC-SHA256. + +| Encryption Algorithm | HMAC | +| -------------------- | ----------- | +| DES ECB (default) | HMAC-SHA1 | + +Supported encryption methods are BlowFish, 3DES, AES and are defined by a context parameter. +The value of these parameters and their secrets can be found inside these XML clauses. + +```xml +org.apache.myfaces.MAC_ALGORITHM +org.apache.myfaces.SECRET +org.apache.myfaces.MAC_SECRET +``` + +Common secrets from the [documentation](https://cwiki.apache.org/confluence/display/MYFACES2/Secure+Your+Application). + +| Name | Value | +| -------------------- | ---------------------------------- | +| AES CBC/PKCS5Padding | `NzY1NDMyMTA3NjU0MzIxMA==` | +| DES | `NzY1NDMyMTA=<` | +| DESede | `MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz` | +| Blowfish | `NzY1NDMyMTA3NjU0MzIxMA` | +| AES CBC | `MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz` | +| AES CBC IV | `NzY1NDMyMTA3NjU0MzIxMA==` | + + +* **Encryption**: Data -> encrypt -> hmac_sha1_sign -> b64_encode -> url_encode -> ViewState +* **Decryption**: ViewState -> url_decode -> b64_decode -> hmac_sha1_unsign -> decrypt -> Data + ## References - [Detecting deserialization bugs with DNS exfiltration - Philippe Arteau - March 22, 2017](https://www.gosecure.net/blog/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/) +- [Hack The Box - Arkham - 0xRick - August 10, 2019](https://0xrick.github.io/hack-the-box/arkham/) - [How I found a $1500 worth Deserialization vulnerability - Ashish Kunwar - August 28, 2018](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a) - [Jackson CVE-2019-12384: anatomy of a vulnerability class - Andrea Brancaleoni - July 22, 2019](https://blog.doyensec.com/2019/07/22/jackson-gadgets.html) +- [Java Deserialization in ViewState - Haboob Team - December 23, 2020](https://www.exploit-db.com/docs/48126) - [Java-Deserialization-Cheat-Sheet - Aleksei Tiurin - May 23, 2023](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md) +- [JSF ViewState upside-down - Renaud Dubourguais, Nicolas Collignon - March 15, 2016](https://www.synacktiv.com/ressources/JSF_ViewState_InYourFace.pdf) +- [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - Peter Stöckli - August 14, 2017](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html) - [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - Peter Stöckli - August 14, 2017](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html) - [On Jackson CVEs: Don’t Panic — Here is what you need to know - cowtowncoder - December 22, 2017](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062#da96) - [Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) - Michael Stepankin (@artsploit) - June 29, 2021](https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464)