How JSF 2.0 prevents CSRF

Question

I am researching stuff I hear regularly that when doing a webapp in JSF 2.0 you are already protected from crossite - scripting and - request forgery. The following excerpt from a SO post confirms this:

In JSF 2.0 this has been improved by using a long and strong autogenerated value instead of a rather predictable sequence value and thus making it a robust CSRF prevention.

Can someone provide some more detail on this? How does this autogenerated value prevent CSRF? Thanks!

Answer 1

One thing to remember is that the CSRF-protection in JSF 2.0 is implicit and is only valid for POST requests.

In JSF 2.2 there will be more explicit support for this. I briefly explained this here: http://arjan-tijms.omnifaces.org/p/jsf-22.html

Answer 2

How does this autogenerated value prevent CSRF ?

Because it cannot be guessed. So the attacker cannot hardcode it in a hidden field in a form of the attack website (unless the target site has a XSS hole and thus the value can simply be obtained directly by XSS means). If the value is not valid for JSF, then the form submit from the attack website will simply not be processed but instead generate a ViewExpiredException. Please note that the attacker would still need to get the session ID so that it can be passed back through jsessionid URL attribute, so the originally "weak" CSRF protection would still require some XSS hole to obtain the session ID.

After all, I have the impression that you do not understand at all what CSRF is; the answer is rather self-explaining if you understand what CSRF is. In that case, please check the following question: Am I under risk of CSRF attacks in a POST form that doesn't require the user to be logged in?