Reputation: 21
Does JSF1.2 has buit in CSRF protection?
I have tested a JSF application with the CSRFtester tool, and the tool didn't report any CSRF problems. But I had read in the "OWASP_Top_10_2007_for_JEE.pdf", that all Java EE web application frameworks are vulnerable to CSRF and also some says we need to create a secret key for each session and append it to the url. By doing this way we can secure our JSF application from the CSRF attack.This makes me confused. I cannot find any clear documentation. IS JSF is vulnerable to CSRF attack? What was the right way to protect a JSF application from CSRF attacks? Please help me out!!
Thanks in Advance!!
Upvotes: 2
Views: 2996
Answers (1)
Reputation: 31
Yes, JSF is vulnerable to CSRF. I implemented CSRF prevention token for my JSF 1.2 application just a few days ago.
Here's what you could use:
Tomcat CSRF Prevention Filter (find the source)
Another wonderful solution, can be easily implemented on JSF 1.2
I used the combination of two. Works well.
Upvotes: 2
Related Questions
- Should <protected-views> be used for JSF 2.2 CSRF protection?
- How to enable CSRF protection in JSF-Spring integrated application
- CSRF, XSS and SQL Injection attack prevention in JSF
- How to configure CSRF security in JSF
- How JSF 2.0 prevents CSRF
- Prevent CSRF in JSF2 with client side state saving
- Does JSF support form based security
- How to attack CSRF to JSF application
- Security (framework?) for JSF 2.0
- JSF 2.1 CSRF safe?