OWASP security support for JSF2.2?

Ranch Hand
Posts: 38
Is JSF2.2 OWASP supported by default?

If not, which security needs to be customized for a JSF-based webapp?

OWASP
http://www.taurean.net/docs/websecuritythreats.pdf

A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Known Vulnerable Components
A10 – Unvalidated Redirects and Forwards

author & internet detective
Posts: 41860
I'm not sure what you mean by "supported." That list of ten concepts applies to all languages and libraries.

There are some OWASP libraries that are language specific such as CSRF Guard. They aren't library specific though as they mostly work with filters.

Rancher
Posts: 43081
If you're asking whether using JSF means that you're protected from these 10 problems, then the answer is no - no framework by itself can protect you from all those attacks. You need to ensure that the way you're using the framework(s), as well as all the other code you write, is safe with respect to the attacks you want to guard against.

Samdani masum
Ranch Hand
Posts: 38
I have found several ways, but I need to know what extra care is needed for OWASP security with JSF that I must implement myself when writing code.

Which OWASP security items does JSF2.2 not support by default? That means the ones that need to be implemented in code.

Example: CSRF OWASP security is supported by default in JSF2.2, so no extra care is needed for this purpose.

Anyone who has already researched OWASP with JSF2, please give me some points on how to implement OWASP security in JSF2.2.

Saloon Keeper
Posts: 27752
As a general rule, JSF webapps have the same security considerations as non-JSF apps, except for one thing.

In JSF, the URL often lags the page, since unlike most web application frameworks, the JSF URL is more of a "handle" to the session than an absolute resource locator.

This has consequences, since if you're using the J2EE standard container security or something that mimics it, the container security screens are based on the incoming URL, not on the resource actually being accessed.

The cure for that is to flag all security-critical navigation targets with the "redirect" characteristic. That will force a redirect to an in-sync URL so that the URL security rules and target will match up. It's a bit of additional overhead, so insecure pages would be better off not using that option, but it is essential for secured views to operate properly.
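As an added illustration of the redirect point above (this is not code from the thread; the view paths, outcome names and role name are assumptions), here is a URL-based container constraint beside a navigation rule that keeps the browser URL in sync with the secured view:

```xml
<!-- web.xml: the container decides access from the URL of the incoming request only -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secured views</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>   <!-- role name is assumed -->
  </auth-constraint>
</security-constraint>

<!-- faces-config.xml: two navigation cases leaving the same public page -->
<faces-config xmlns="http://xmlns.jcp.org/xml/ns/javaee"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                                  http://xmlns.jcp.org/xml/ns/javaee/web-facesconfig_2_2.xsd"
              version="2.2">
  <navigation-rule>
    <from-view-id>/home.xhtml</from-view-id>

    <!-- Weak: a plain in-request view switch. The browser's request URL stays
         /home.xhtml (public), so the /secure/* constraint is never evaluated
         even though the secured view is what gets rendered. -->
    <navigation-case>
      <from-outcome>accountForward</from-outcome>
      <to-view-id>/secure/account.xhtml</to-view-id>
    </navigation-case>

    <!-- Corrected: the redirect makes the browser issue a fresh GET for
         /secure/account.xhtml, so the URL and the view match and the
         container applies its /secure/* constraint to that request. -->
    <navigation-case>
      <from-outcome>account</from-outcome>
      <to-view-id>/secure/account.xhtml</to-view-id>
      <redirect/>
    </navigation-case>
  </navigation-rule>
</faces-config>
```

The Faces Servlet mapping must cover the redirected URL (for example *.xhtml), and every navigation case that lands on a view under /secure/ needs the same redirect, not just this one.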
 
Jeanne Boyarsky
author & internet detective
Posts: 41860

Samdani masum wrote: Example: CSRF OWASP security is supported by default in JSF2.2, so no extra care is needed for this purpose.

I would phrase this as LESS extra care is needed. Even if the framework automatically protects all POST requests, you have to make sure that you use POST correctly and don't accept GET as alternatives. The framework might do the latter (not sure), but it can't do the former. The coders need to pay attention to that.