Exploiting Java Deserialization Vulnerabilities (RCE) on JSF/Seam Applications with JexBoss


JexBoss: https://github.com/joaomatosf/jexboss

Many Java applications built on Java Server Faces (JSF) or Seam keep serialized Java objects on the client side to persist the state of the view (e.g. in javax.faces.ViewState) or in other form fields. When the client sends these serialized objects back to the server (for example, when submitting a POST form), they are by default deserialized without proper validation. This exposes several very common inputs, mainly in JSF and Seam applications, to deserialization attacks.
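As an added defensive example (not part of the original post and not JexBoss code), the following Python shows how the point above can be checked from the server or proxy side: every form field that base64-decodes to a Java serialization stream is reported with the first class name in the stream, compared against an allowlist of what the application's own view state legitimately starts with. The POST body, the allowlist and the payload class name are constructed for the example.

```python
from __future__ import annotations
import base64
import struct
# Java serialization stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (0x0005)
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT = 0x73     # new object, followed by its class descriptor
TC_ARRAY = 0x75      # new array, followed by its class descriptor
TC_CLASSDESC = 0x72  # inline class descriptor: big-endian u16 length + class name, ...

def first_class_name(stream: bytes) -> str | None:
    """Class name of the first object/array in a Java serialization stream.
    Handles only the common TC_OBJECT/TC_ARRAY + TC_CLASSDESC layout; None otherwise."""
    if not stream.startswith(JAVA_STREAM_MAGIC):
        return None
    pos = len(JAVA_STREAM_MAGIC)
    if len(stream) < pos + 4 or stream[pos] not in (TC_OBJECT, TC_ARRAY) or stream[pos + 1] != TC_CLASSDESC:
        return None
    (name_len,) = struct.unpack(">H", stream[pos + 2:pos + 4])
    name = stream[pos + 4:pos + 4 + name_len]
    if len(name) != name_len:  # truncated stream
        return None
    return name.decode("utf-8", errors="replace")

def inspect_request(params: dict[str, str], allowed: set[str]) -> list[tuple[str, str, str]]:
    """(field, class_name, verdict) for every form field that carries a base64 Java stream."""
    findings = []
    for field, value in params.items():
        try:
            raw = base64.b64decode(value, validate=True)
        except ValueError:  # not base64 at all (binascii.Error is a ValueError)
            continue
        if not raw.startswith(JAVA_STREAM_MAGIC):
            continue
        cls = first_class_name(raw) or "<unparsed>"
        findings.append((field, cls, "expected" if cls in allowed else "SUSPICIOUS"))
    return findings

def build_stream(class_name: str, type_code: int = TC_OBJECT) -> bytes:
    """Constructed test data: stream header plus the start of one class descriptor."""
    name = class_name.encode()
    return JAVA_STREAM_MAGIC + bytes([type_code, TC_CLASSDESC]) + struct.pack(">H", len(name)) + name

# Constructed, already form-decoded POST body (not captured traffic); the payload class name is made up.
SAMPLE_POST = {
    "javax.faces.ViewState": base64.b64encode(build_stream("[Ljava.lang.Object;", TC_ARRAY)).decode(),
    "form:comment": "hello",
    "form:hidden": base64.b64encode(build_stream("org.example.UnexpectedPayload")).decode(),
}
ALLOWED_CLASSES = {"[Ljava.lang.Object;"}  # what this app's view state legitimately starts with
```

Where the framework compresses or encrypts the client-side state, the decoded field will not show the magic bytes and the check has to sit after that layer, closer to the ObjectInputStream.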

Reviewed by Anonymous on April 23, 2018.