
OWASP security support for JSF2.2?

 
Samdani masum
Ranch Hand
Posts: 38
Is JSF2.2 OWASP-supported by default?

If not, which security aspects need to be customized for a JSF-based webapp?

OWASP
http://www.taurean.net/docs/websecuritythreats.pdf

A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Known Vulnerable Components
A10 – Unvalidated Redirects and Forwards
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 37180
I'm not sure what you mean by "supported." That list of ten concepts applies to all languages and libraries.

There are some OWASP libraries that are language specific such as CSRF Guard. They aren't library specific though as they mostly work with filters.
 
Ulf Dittmer
Rancher
Posts: 42972
If you're asking whether using JSF means that you're protected from these 10 problems, then the answer is no - no framework by itself can protect you from all those attacks. You need to ensure that the way you're using the framework(s), as well as all the other code you write, is safe with respect to the attacks you want to guard against.
 
Samdani masum
Ranch Hand
Posts: 38
I have found several ways, but I need to know what extra care is needed for OWASP security with JSF that I have to implement myself when writing code.

Which OWASP security items does JSF2.2 not support by default? Those are the ones that need to be implemented in code.

Example: CSRF OWASP security is supported by default in JSF2.2, so no extra care is needed for this purpose.

Anyone who has already researched OWASP with JSF2, please give me some points on how to implement OWASP security in JSF2.2.
 
Tim Holloway
Bartender
Posts: 18661
As a general rule, JSF webapps have the same security considerations as non-JSF apps, except for one thing.

In JSF, the URL often lags the page, since unlike most web application frameworks, the JSF URL is more of a "handle" to the session than an absolute resource locator.

This has consequences, since if you're using the J2EE standard container security or something that mimics it, the container security screens are based on the incoming URL, not on the resource actually being accessed.

The cure for that is to flag all security-critical navigation targets with the "redirect" characteristic. That will force a redirect to an in-sync URL so that the URL security rules and target will match up. It's a bit of additional overhead, so insecure pages would be better off not using that option, but it is essential for secured views to operate properly.
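The "redirect" flag described above, as an added example that is not from the original thread: a faces-config.xml navigation case marked with `<redirect/>` so the browser URL is brought in sync with the secured view, next to the web.xml container constraint that only works once the URL matches. The view paths, outcome name and role name are assumptions.

```xml
<!-- faces-config.xml (constructed example): make the URL catch up with the view
     before the container evaluates it. Paths and outcome names are assumptions. -->
<faces-config xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="2.2">
  <navigation-rule>
    <from-view-id>/login.xhtml</from-view-id>
    <navigation-case>
      <from-outcome>admin</from-outcome>
      <to-view-id>/secure/admin.xhtml</to-view-id>
      <!-- Without this, the browser still shows /login.xhtml while JSF renders
           /secure/admin.xhtml in the same POST, so a URL-based constraint on
           /secure/* is never evaluated for that page. The redirect issues a
           GET to /secure/admin.xhtml, which the container then screens. -->
      <redirect/>
    </navigation-case>
  </navigation-rule>
</faces-config>

<!-- web.xml (constructed example): the container rule that the redirect makes
     effective. Only pages reached under /secure/* are actually checked. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secured views</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
```

With JSF 2.x implicit navigation the same effect is obtained by returning the outcome string `/secure/admin?faces-redirect=true` from the action method instead of declaring the rule.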
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 37180
515
Eclipse IDE Java VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Samdani masum wrote:Exp : CSRF owasp security by default JSF2.2 supported no need extra care for this purpose .

I would phrase this as LESS extra care is needed. Even if the framework automatically protects all POST requests, you have to make sure that you use POST correctly and don't accept GET as an alternative. The framework might do the latter (not sure), but it can't do the former. The coders need to pay attention to that.
 