Session Riding Vulnerability Demo
This page is an entry point for demonstrating how the various state saving options in JSF are vulnerable to session riding (cross-site request forgery). You are to assume that this page resides on an arbitrary website (if you don't believe me, just copy it to a local file or to your own website and use it from there). Of the scenarios below, the most difficult to ride is regular server-side state saving: the attack only works once per user session, though there are still many such chances. You will see that the remaining three scenarios are all equally vulnerable. The purpose of this demo is to raise awareness of the problem and to serve as a test page for a solution.
Ride Session (server-side state saving)
This demo works when using server-side state saving. To demonstrate this vulnerability, perform the following steps:
- Open two tabs, one for the application home page and one for this page
- Clear the session cookie (click the Logout link at the top right on the home page)
- Login
- Click the button on this page (assume this page is on an arbitrary web site)
- Notice that a post was made on your behalf (you have to refresh the page to see the post in the list)
Ride Session (server-side state saving + facelets.BUILD_BEFORE_RESTORE)
This demo works when using server-side state saving and the value of the facelets.BUILD_BEFORE_RESTORE context-param is true. To demonstrate this vulnerability, perform the following steps:
- Open two tabs, one for the application home page and one for this page
- Login
- Click the button on this page (assume this page is on an arbitrary web site)
- Notice that a post was made on your behalf (you have to refresh the page to see the post in the list)
Ride Session (client-side state saving)
This demo works when using client-side state saving. To demonstrate this vulnerability, perform the following steps:
- Open two tabs, one for the application home page and one for this page
- Login
- Click the button on this page (assume this page is on an arbitrary web site)
- Notice that a post was made on your behalf (you have to refresh the page to see the post in the list)
Ride Session (client-side state saving with encrypted view)
This demo works when using client-side state saving with an encrypted view. To demonstrate this vulnerability, perform the following steps:
- Open two tabs, one for the application home page and one for this page
- Login
- Click the button on this page (assume this page is on an arbitrary web site)
- Notice that a post was made on your behalf (you have to refresh the page to see the post in the list)
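All four scenarios above fail for the same reason: nothing in the request ties the post to a page the user actually loaded from the application, so a form on an arbitrary site can submit it. Since the page shows that none of the view state variants (server-side, client-side, encrypted or not) stops the post, a defense has to live somewhere the foreign page cannot read or supply. The following servlet filter is an added example written for this page, not code from the demo or from JSF: it keeps a synchronizer token in the HttpSession, requires every state-changing request to carry that token in a form field and to come from the application's own origin, and logs rejected requests so riding attempts can be detected. The attribute and parameter names, the class name, and the Servlet 3.x (javax.servlet) container are assumptions of the example.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not the demo's own code: rejects cross-site form posts regardless of
 * the JSF state saving method by requiring a same-origin Origin/Referer header and a
 * per-session synchronizer token. Names below are assumptions for this example.
 */
public class AntiSessionRidingFilter implements Filter {
    public static final String TOKEN_ATTR = "antiRidingToken";   // session attribute (assumed name)
    public static final String TOKEN_PARAM = "antiRidingToken";  // hidden form field (assumed name)
    private static final SecureRandom RNG = new SecureRandom();

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    /** Returns the session's token, minting it on first use so pages can embed it in every form. */
    public static String tokenFor(HttpSession session) {
        synchronized (session) {
            String token = (String) session.getAttribute(TOKEN_ATTR);
            if (token == null) {
                byte[] raw = new byte[32];
                RNG.nextBytes(raw);
                token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                session.setAttribute(TOKEN_ATTR, token);
            }
            return token;
        }
    }

    /** Methods that must not change state and therefore need no token. */
    static boolean isSafeMethod(String method) {
        return "GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method);
    }

    /** Compares the Origin header (falling back to Referer) against the host the request arrived at. */
    static boolean isSameOrigin(HttpServletRequest req) {
        String header = req.getHeader("Origin");
        if (header == null) header = req.getHeader("Referer");
        if (header == null) return false;   // fail closed when neither header is present
        try {
            URI origin = new URI(header);
            int port = origin.getPort() != -1 ? origin.getPort()
                    : ("https".equalsIgnoreCase(origin.getScheme()) ? 443 : 80);
            return req.getScheme().equalsIgnoreCase(origin.getScheme())
                    && req.getServerName().equalsIgnoreCase(origin.getHost())
                    && req.getServerPort() == port;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** Constant-time comparison so the check does not leak the token through timing. */
    static boolean tokenMatches(String expected, String submitted) {
        if (expected == null || submitted == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    /** Safe methods pass; everything else needs the application's own origin and the session's token. */
    static boolean isAllowed(HttpServletRequest req) {
        if (isSafeMethod(req.getMethod())) return true;
        HttpSession session = req.getSession(false);
        if (session == null) return false;   // no session means no token to check; reject
        String expected = (String) session.getAttribute(TOKEN_ATTR);
        return isSameOrigin(req) && tokenMatches(expected, req.getParameter(TOKEN_PARAM));
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (isAllowed(req)) {
            chain.doFilter(request, response);
            return;
        }
        // Log enough to spot riding attempts without echoing the token itself.
        req.getServletContext().log("Rejected possible session riding: " + req.getMethod() + " "
                + req.getRequestURI() + " origin=" + req.getHeader("Origin")
                + " referer=" + req.getHeader("Referer"));
        resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Missing or invalid request token");
    }
}
```

Map the filter to the Faces Servlet URL pattern and have every form render `tokenFor(session)` as a hidden field named `antiRidingToken` (for example through a request-scoped bean bound to an `h:inputHidden`). The token deliberately lives in the HttpSession rather than in the view, since the scenarios above show that the view state, whether server-side or client-side, does not stop the foreign post. If the application sits behind a reverse proxy that rewrites scheme or port, `isSameOrigin` must compare against the externally visible origin instead of `req.getScheme()` and `req.getServerPort()`.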