Question
Original post: IBM AppScan
We recently received results from IBM AppScan DAST and some of the results don't make much sense.
Java Deserialization Code Execution
Parameter: **javax.faces.ViewState**
Risk(s): It is possible to run remote commands on the web server. This usually means complete compromise of the server and its contents.
The following changes were applied to the original request:
Set the value of the parameter 'javax.faces.ViewState' to XXX
```http
POST /**/processitem.xhtml HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Win32)
Connection: keep-alive
Faces-Request: partial/ajax
X-Requested-With: XMLHttpRequest
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

javax.faces.partial.ajax=true&javax.faces.source=j_idt22%3Aj_idt23&javax.faces.partial.execute=%40all&javax.faces.partial.render=unreadCountForm&j_idt22%3Aj_idt23=j_idt22%3Aj_idt23&j_idt22=j_idt22
&
```
When I check the logs I see Session Timeout (an error page).
This would throw a ViewExpiredException and I'm not sure why AppScan believes it is a vulnerability.
Looking for feedback and some insight.
Source: https://stackoverflow.com/questions/61705655/ibm-appscan-java-deserialization-code-execution-jsf-2-2-primefaces-jboss
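The check a practitioner would make before accepting or dismissing a finding like this one, as an added example that is not part of the original question, of AppScan's output, or of any JSF implementation: look at what the `javax.faces.ViewState` parameter actually carries. A ViewExpiredException on its own does not settle it, since it is raised whenever the view cannot be restored, whether a server-side view is simply gone or a client-side state blob fails validation. The value itself does settle it: a short lookup token means server-side state saving and no object stream on the wire, a base64 (optionally gzip-compressed) Java serialization stream is the case a deserialization finding is really about, and base64 that does not start with the serialization magic is encrypted or otherwise opaque client state. The sample values below are constructed for the example, and the regex for Mojarra-style server tokens is an assumption about that format.

```python
import base64
import binascii
import gzip
import re
from typing import Optional

# Magic bytes of a Java serialization stream (STREAM_MAGIC 0xACED, STREAM_VERSION 5).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
GZIP_MAGIC = b"\x1f\x8b"

# Assumption: Mojarra server-side state tokens look like "<signed int>:<signed int>".
# Other JSF implementations use other short token formats, so extend this as needed.
SERVER_TOKEN_RE = re.compile(r"^-?\d+:-?\d+$")


def decode_viewstate(value: str) -> Optional[bytes]:
    """Base64-decode an already form-decoded ViewState value, gunzipping it if
    the implementation compressed the client state. Returns None when the value
    is not valid base64 or the gzip stream is corrupt."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw.startswith(GZIP_MAGIC):
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError):
            return None
    return raw


def classify_viewstate(value: str) -> str:
    """Say what kind of state a javax.faces.ViewState value carries."""
    value = value.strip()
    if value == "stateless":
        # JSF 2.2 transient views: there is nothing to deserialize at all.
        return "stateless"
    if SERVER_TOKEN_RE.match(value):
        # A lookup key for state held in the session: no object stream reaches
        # the server, so a deserialization payload has nowhere to go.
        return "server-side-token"
    raw = decode_viewstate(value)
    if raw is None:
        return "not-base64"
    if raw.startswith(JAVA_SERIAL_MAGIC):
        # A plain Java object stream is sent by the client; this is the case a
        # deserialization finding is really about.
        return "java-serialized"
    # Base64 that does not start with the serialization magic: encrypted or
    # otherwise opaque client state. Whether it is also MAC-protected cannot be
    # told from the value alone.
    return "opaque-client-state"


def constructed_samples() -> dict:
    """Constructed sample values for the example (not taken from the original post)."""
    # A truncated object stream: enough for the magic check, not a complete object.
    stream = JAVA_SERIAL_MAGIC + b"sr\x00\x11java.lang.Integer"
    return {
        "server": "-3526529108131129839:1757106064855062578",
        "stateless": "stateless",
        "client_plain": base64.b64encode(stream).decode("ascii"),
        "client_gzip": base64.b64encode(gzip.compress(stream)).decode("ascii"),
        "client_opaque": base64.b64encode(bytes(range(32))).decode("ascii"),
        "garbage": "not-base64!",
    }


if __name__ == "__main__":
    for name, value in constructed_samples().items():
        print(f"{name:14s} -> {classify_viewstate(value)}")
```

Run it on the real value the application sends (copied from the browser or a proxy after form-decoding), not on the scanner's placeholder. If it reports a server-side token, confirm against `javax.faces.STATE_SAVING_METHOD` in web.xml before closing the finding as a false positive; if it reports a plain Java object stream, the finding deserves a real look regardless of what the error page says.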