Defeating XSS and XSRF using JSF Based Frameworks

Presented at AppSec USA 2013, Nov. 21, 2013, 9 a.m. (50 minutes).

During several recent code review engagements, I have discovered that developers sometimes gain a feeling of comfort when they read that frameworks protect them from certain attacks. This sometimes leads to the assumption that if you use this framework, you are protected. This presentation will focus on frameworks built upon the JSF API component of JEE and two specific vulnerabilities for which frameworks commonly advertise built-in mitigation: cross-site scripting (XSS) and cross-site request forgery (XSRF). It is very common for a framework to provide ways to prevent XSS and XSRF, so to begin the session I will take a few minutes to describe at a high level what these frameworks are and what we assume their capabilities are regarding these two vulnerabilities. During the course of this presentation, I will demonstrate what happens when these frameworks are used out-of-the-box by exploiting a sample application. Since these frameworks are open source, we will look at the framework code to confirm or deny that they have automatically protected you against these attacks. I will then proceed to give you a couple of options which will close these gaps and secure the application from these attacks. You should leave this presentation with an awareness of what these frameworks are capable of and how to take advantage of their features to help secure the application.

Presenters:

  • Stephen Wolf
    I have spent the last 6 years of my development career evangelizing application security and am currently working as an application security engineer in the San Francisco Bay Area. I've been a developer for over 20 years with my hands into everything from embedded systems and assembly to object-oriented languages like .NET and Java. I've worked in a variety of industries such as aerospace, healthcare, manufacturing, insurance, and finance. I've held almost every job position in an IT organization and have managed teams as large as 60 people.
