CSRF false-positive for JSF web application

ivan.ivanov

19 Jun, 2020 11:42 PM

Hello, I cannot understand why Arachni gives a false-positive reaction on CSRF check.

I have a page with only one form on it (I've simplified the application as much as possible and still get the false-positive reaction). The form contains 3 inputs, and the last input is an anti-CSRF token generated by the server. This token gets updated with every non-AJAX request. But it is not updated on AJAX requests. If somebody submits this form with a wrong value of javax.faces.ViewState, the server answers with the 500 response code.
This looks like we're protected here? But somehow Arachni gives the false-positive on it. Arachni changes the loginForm:userName parameter, and this in turn sends the AJAX request to the server:

The form

<form id="loginForm" name="loginForm" method="post" action="/application/login.jsf" enctype="application/x-www-form-urlencoded">
   <input type="hidden" name="loginForm" value="loginForm">
   <input id="loginForm:username" name="loginForm:username" type="text" autocomplete="off">
   <input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState" value="-6276072813241391186:-8452291713507058582" autocomplete="off">
</form>

Request

POST /application/login.jsf HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.5.1
Accept: application/xml, text/xml, */*; q=0.01
Referer: http://10.233.23.118:18080/application/login.jsf
Origin: http://10.233.23.118:18080
X-Requested-With: XMLHttpRequest
Faces-Request: partial/ajax
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 310
Cookie: JSESSIONID=rH_cJX0V2ZQLodTIbEmPDRwTMjjdQos879dVSlN1.spbws1215
Accept-Language: ru-RU,en,*
Host: 10.233.23.118:18080


javax.faces.partial.ajax=true&javax.faces.source=loginForm%3Ausername& javax.faces.partial.execute=loginForm%3Ausername& javax.faces.partial.render=loginForm%3Ausername& javax.faces.behavior.event=valueChange& javax.faces.partial.event=change&loginForm%3Ausername=arachni_name& javax.faces.ViewState=-6276072813241391186%3A-8452291713507058582

Response

HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache,no-store,must-revalidate
Cache-Control: no-cache
Pragma: no-cache
X-FRAME-OPTIONS: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self';
Date: Sat, 20 Jun 2020 00:12:17 GMT
Connection: keep-alive
Transfer-Encoding: chunked
Content-Type: text/xml; charset=UTF-8


<?xml version='1.0' encoding='UTF-8'?> <partial-response> <changes> <update id="loginForm:username"> <![CDATA[<input id="loginForm:username" name="loginForm:username" type="text" value="arachni_name" /> <update id="javax.faces.ViewState"> <![CDATA[-6276072813241391186:-8452291713507058582]]> </update> </changes> </partial-response>

I can provide the Arachni report or the demo application if needed and will highly appreciate any help on this topic. I've spent a few days trying to find out the reason. There is no way I can convince the QA team just by saying that this is a false-positive.
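As an added example (not code from the post or from Arachni), a small Python script that turns the evidence above into a repeatable check for the QA team: it parses the hidden ViewState out of the form, reads the ViewState returned in the AJAX partial-response, and records whether a submission with a tampered token was rejected. It assumes the form markup and the partial-response have already been captured (constructed copies of the ones quoted above are embedded) and that any non-200 status counts as a rejection.

```python
import re
import xml.etree.ElementTree as ET

VIEWSTATE = "javax.faces.ViewState"

# Constructed sample input: the form and the partial-response quoted in the post above.
FORM_HTML = """<form id="loginForm" name="loginForm" method="post" action="/application/login.jsf">
  <input type="hidden" name="loginForm" value="loginForm">
  <input id="loginForm:username" name="loginForm:username" type="text" autocomplete="off">
  <input type="hidden" name="javax.faces.ViewState" id="javax.faces.ViewState" value="-6276072813241391186:-8452291713507058582" autocomplete="off">
</form>"""

PARTIAL_RESPONSE = """<?xml version='1.0' encoding='UTF-8'?><partial-response><changes>
<update id="loginForm:username"><![CDATA[<input id="loginForm:username" name="loginForm:username" type="text" value="arachni_name" />]]></update>
<update id="javax.faces.ViewState"><![CDATA[-6276072813241391186:-8452291713507058582]]></update>
</changes></partial-response>"""

INPUT_RE = re.compile(r"<input\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w[\w:.-]*)="([^"]*)"')


def hidden_inputs(html):
    """Map name -> value for every hidden <input> in the form markup."""
    fields = {}
    for m in INPUT_RE.finditer(html):
        attrs = dict(ATTR_RE.findall(m.group(1)))
        if attrs.get("type", "").lower() == "hidden" and "name" in attrs:
            fields[attrs["name"]] = attrs.get("value", "")
    return fields


def viewstate_from_partial(xml_text):
    """Pull the ViewState value that a JSF partial-response hands back to the client."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    node = root.find(f"./changes/update[@id='{VIEWSTATE}']")
    return node.text.strip() if node is not None and node.text else None


def assess(form_html, partial_xml, tampered_status):
    """Summarise the evidence: token present, rotated by the AJAX round-trip, tampering rejected.

    tampered_status is the HTTP status the server returned for a submission with a
    modified ViewState (500 in the post); assumption: anything other than 200 is a rejection.
    """
    before = hidden_inputs(form_html).get(VIEWSTATE)
    after = viewstate_from_partial(partial_xml)
    return {
        "token_present": before is not None,
        "token_rotated_on_ajax": before is not None and after is not None and before != after,
        "tampered_token_rejected": tampered_status != 200,
    }
```

Run against the thread's own captures it reports a token that is present and validated but not rotated by the AJAX round-trip, which is exactly the point worth documenting for the QA team.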
