Defeating XSS and XSRF using JSF Based Frameworks presented at AppSec USA 2013

by Stephen Wolf

Summary: During several recent code review engagements, I have discovered that developers sometimes gain a feeling of comfort when they read that frameworks protect them from certain attacks. This sometimes leads to the assumption that if you use this framework, you are protected.
This presentation will focus on frameworks built upon the JSF API component of JEE and on two specific vulnerabilities for which frameworks commonly advertise built-in mitigation: cross-site scripting and cross-site request forgery.
It is very common for a framework to provide ways to prevent XSS and XSRF, so to begin the session I will take a few minutes to describe at a high level what these frameworks are and what we assume their capabilities are regarding these two vulnerabilities.
During the course of this presentation, I will demonstrate what happens when these frameworks are used out-of-the-box by exploiting a sample application. Since this code is open source, we will look at the framework code to confirm or deny that they have automatically protected you against these attacks. I will then proceed to give you a couple of options which will close these gaps and secure the application from these attacks.
You should leave this presentation with an awareness of what these frameworks are capable of and how to take advantage of their features to help secure the application.