CSRF false-positive for JSF web application
Hello, I cannot understand why Arachni gives a false-positive reaction on CSRF check.
I have a page with only one form on it (I've simplified the application as much as possible and still get the false-positive). The form contains 3 inputs, and the last input is an anti-CSRF token generated by the server. This token is updated with every non-AJAX request, but it is not updated on AJAX requests. If somebody submits this form with a wrong value of javax.faces.ViewState, the server answers with the 500 response code.
This looks like we're protected here? But somehow Arachni gives the false-positive on it. Arachni changes the loginForm:userName parameter, and this in turn sends the AJAX request to the server:
The form
<form id="loginForm" name="loginForm" method="post" action="/application/login.jsf" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="loginForm" value="loginForm">
<input id="loginForm:username" name="loginForm:username" type="text" autocomplete="off">
<input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState" value="-6276072813241391186:-8452291713507058582" autocomplete="off">
</form>
Request
POST /application/login.jsf HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.5.1
Accept: application/xml, text/xml, */*; q=0.01
Referer: http://10.233.23.118:18080/application/login.jsf
Origin: http://10.233.23.118:18080
X-Requested-With: XMLHttpRequest
Faces-Request: partial/ajax
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 310
Cookie: JSESSIONID=rH_cJX0V2ZQLodTIbEmPDRwTMjjdQos879dVSlN1.spbws1215
Accept-Language: ru-RU,en,*
Host: 10.233.23.118:18080
javax.faces.partial.ajax=true&javax.faces.source=loginForm%3Ausername&
javax.faces.partial.execute=loginForm%3Ausername&
javax.faces.partial.render=loginForm%3Ausername&
javax.faces.behavior.event=valueChange&
javax.faces.partial.event=change&loginForm%3Ausername=arachni_name&
javax.faces.ViewState=-6276072813241391186%3A-8452291713507058582
Response
HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store,must-revalidate
Cache-Control: no-cache
Pragma: no-cache
X-FRAME-OPTIONS: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self';
Date: Sat, 20 Jun 2020 00:12:17 GMT
Connection: keep-alive
Transfer-Encoding: chunked
Content-Type: text/xml; charset=UTF-8
<?xml version='1.0' encoding='UTF-8'?>
<partial-response>
<changes>
<update id="loginForm:username">
<![CDATA[<input id="loginForm:username" name="loginForm:username" type="text" value="arachni_name" />]]>
</update>
<update id="javax.faces.ViewState">
<![CDATA[-6276072813241391186:-8452291713507058582]]>
</update>
</changes>
</partial-response>
I can provide the Arachni report or the demo application if needed and will highly appreciate any help on this topic. I've spent a few days trying to find out the reason. There is no way I can convince the QA team just by saying that this is a false-positive.
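To check the post's observations against the captured artifacts, here is an added Python example (not part of the original post, and not Arachni's own check). It parses the form, the AJAX request body and the JSF partial-response XML, and reports whether the ViewState token is present in the form, sent with the AJAX request, and rotated by the AJAX response; the samples are constructed from the form, request and response shown above.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs
from xml.etree import ElementTree as ET

TOKEN = "javax.faces.ViewState"

# Constructed samples, copied from the form, AJAX request body and
# partial-response shown in the post (the text input is omitted).
FORM_HTML = """<form id="loginForm" method="post" action="/application/login.jsf">
<input type="hidden" name="loginForm" value="loginForm">
<input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState"
 value="-6276072813241391186:-8452291713507058582" autocomplete="off">
</form>"""
AJAX_BODY = ("javax.faces.partial.ajax=true&loginForm%3Ausername=arachni_name&"
             "javax.faces.ViewState=-6276072813241391186%3A-8452291713507058582")
PARTIAL_RESPONSE = """<partial-response><changes>
<update id="loginForm:username"><![CDATA[<input name="loginForm:username" value="arachni_name" />]]></update>
<update id="javax.faces.ViewState"><![CDATA[-6276072813241391186:-8452291713507058582]]></update>
</changes></partial-response>"""


class HiddenInputs(HTMLParser):
    # Collect name -> value for every hidden <input> on the page.
    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value", "")


def form_token(html):
    parser = HiddenInputs(); parser.feed(html)
    return parser.hidden.get(TOKEN)


def body_token(body):
    # parse_qs decodes %3A back to ':' so the value is comparable with the form
    return parse_qs(body).get(TOKEN, [None])[0]


def partial_response_token(xml):
    # JSF ships the new ViewState as a CDATA <update>; ElementTree exposes it as .text
    for upd in ET.fromstring(xml).iter("update"):
        if upd.get("id") == TOKEN:
            return (upd.text or "").strip()
    return None


def check_viewstate(html, body, xml):
    # Reproduce the three observations from the post as booleans
    f, b, r = form_token(html), body_token(body), partial_response_token(xml)
    return {"token_in_form": f is not None,
            "token_sent_with_ajax": b is not None and b == f,
            "token_rotated_by_ajax": r is not None and r != f}
```

For the captured data this returns token_in_form and token_sent_with_ajax as True and token_rotated_by_ajax as False, which is exactly the behaviour the post describes for AJAX requests.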