Exploiting Java Deserialization Vulnerabilities (RCE) on JSF/Seam Applications with JexBoss
JexBoss: https://github.com/joaomatosf/jexboss
Many Java applications built on the Java Server Faces (JSF) or Seam frameworks keep serialized Java objects on the client side to persist the state of the view (for example, in the javax.faces.ViewState field) or in other form fields. When the client sends these serialized objects back to the server (for example, when submitting a POST form), they are by default deserialized without proper validation. This allows deserialization attacks through several very common inputs, mainly in JSF and Seam applications.
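The following is an added example, not code from the original post or from JexBoss, showing the two sides of the problem described above from the defender's side: the unrestricted `readObject()` call that turns a client-controlled state field into an instantiation of any serializable class on the classpath, beside the same call placed under a JEP 290 `ObjectInputFilter` allow-list. It assumes Java 9 or later; `ViewState`, `ViewStateDemo` and the filter pattern are placeholders for the application's own expected class, and `java.util.ArrayList` stands in for "a class the developer never intended to deserialize" (it is used only because it is harmless, not because it is a gadget).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

/**
 * Constructed stand-in for the kind of object a JSF/Seam application
 * legitimately stores in a client-side state field. Not a real JSF class.
 */
class ViewState implements Serializable {
    private static final long serialVersionUID = 1L;
    final String viewId;
    final int counter;

    ViewState(String viewId, int counter) {
        this.viewId = viewId;
        this.counter = counter;
    }

    @Override
    public String toString() {
        return viewId + "#" + counter;
    }
}

public class ViewStateDemo {

    /** What the server sends to the client: the state object, serialized and base64-encoded. */
    static String encode(Object state) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(state);
        }
        return Base64.getEncoder().encodeToString(buf.toByteArray());
    }

    /**
     * Vulnerable pattern: the field comes straight back from the client and is
     * deserialized as-is, so whatever serializable class the client names gets
     * instantiated, with that class's readObject logic running.
     */
    static Object restoreUnfiltered(String base64Blob) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64Blob);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();
        }
    }

    /**
     * Hardened pattern (Java 9+, JEP 290): an ObjectInputFilter allow-list.
     * Only the classes the application actually expects may appear in the
     * stream; "!*" rejects everything else before it is instantiated, and the
     * depth/size limits bound resource use. The pattern is a placeholder.
     */
    static Object restoreFiltered(String base64Blob) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64Blob);
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "ViewState;java.lang.String;!*;maxdepth=5;maxbytes=4096");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(allowList);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Legitimate round trip: the object the server itself emitted.
        String legit = encode(new ViewState("/account.xhtml", 3));
        System.out.println("unfiltered, legit blob : " + restoreUnfiltered(legit));
        System.out.println("filtered,   legit blob : " + restoreFiltered(legit));

        // A client-substituted blob naming a class the application never expects.
        // ArrayList is only a harmless stand-in for "some class the developer
        // did not intend to deserialize from this field".
        String tampered = encode(new ArrayList<>(List.of("not", "a", "ViewState")));
        System.out.println("unfiltered, tampered   : " + restoreUnfiltered(tampered) + "  <- accepted");
        try {
            restoreFiltered(tampered);
        } catch (InvalidClassException e) {
            System.out.println("filtered,   tampered   : rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac ViewStateDemo.java && java ViewStateDemo`: the unfiltered path happily returns the ArrayList, while the filtered path throws `InvalidClassException` with a "filter status: REJECTED" message before any object of the unexpected class exists. In a real deployment the per-stream filter is a last line of defence; the same allow-list can be applied JVM-wide through the `jdk.serialFilter` system property, and JSF applications can avoid shipping serialized state to the client at all by setting the `javax.faces.STATE_SAVING_METHOD` context parameter to `server` (or by ensuring client-side state is encrypted and integrity-protected, which the framework's own configuration governs).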
Reviewed by Anonymous on April 23, 2018