Published on February 28th, 2017
Exploiting Java Deserialization Vulnerabilities (RCE) on JSF/Seam Applications with JexBoss
Many Java applications built on the JavaServer Faces (JSF) or Seam frameworks store serialized Java objects on the client side to persist the state of the view (e.g. in the javax.faces.ViewState field) or in other form fields. When the client sends these serialized objects back to the server (for example, when submitting a POST form), by default they are deserialized without any validation. This exposes the application to deserialization attacks through several very common inputs, mainly in JSF and Seam applications.
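As an added, defender-side example (not code from the original post or from JexBoss), the following Python snippet inspects a urlencoded POST body for fields whose base64 value begins with the Java serialization stream magic, and reports the first class name declared in the stream. This is the kind of check a WAF rule or request-log review can use to spot view state that is shipped as a bare serialized object; the request body and the serialized bytes are constructed here for illustration.

```python
import base64
from typing import Optional
from urllib.parse import parse_qs, quote

# Every Java serialization stream opens with STREAM_MAGIC (0xACED) + STREAM_VERSION (5).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT = 0x73      # type code: a new object follows
TC_CLASSDESC = 0x72   # type code: a class descriptor (name, serialVersionUID, fields) follows

# Form fields that JSF/Seam applications commonly populate with serialized state.
STATE_FIELDS = ("javax.faces.ViewState",)


def decode_base64_field(value: str) -> Optional[bytes]:
    """Strictly base64-decode a form value; return None when it is not base64 at all."""
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def leading_class_name(stream: bytes) -> Optional[str]:
    """Name of the first class in a stream that starts AC ED 00 05 73 72 (object + class desc)."""
    if len(stream) < 8 or stream[4] != TC_OBJECT or stream[5] != TC_CLASSDESC:
        return None
    name_len = int.from_bytes(stream[6:8], "big")  # modified-UTF8 length prefix
    name = stream[8:8 + name_len]
    return name.decode("utf-8", errors="replace") if len(name) == name_len else None


def scan_form_body(body: str) -> list:
    """Report every form field whose (base64) value is a raw Java serialized object."""
    findings = []
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            raw = decode_base64_field(value)
            if raw is None or not raw.startswith(JAVA_SERIAL_MAGIC):
                continue
            findings.append({
                "field": field,
                "known_state_field": field in STATE_FIELDS,  # ViewState vs. some other input
                "first_class": leading_class_name(raw),
                "length": len(raw),
            })
    return findings


# Constructed sample: a minimal stream whose first object claims to be java.util.HashMap,
# followed by filler bytes standing in for serialVersionUID, flags and field count.
SAMPLE_STREAM = (JAVA_SERIAL_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC])
                 + b"\x00\x11java.util.HashMap" + b"\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02")
SAMPLE_BODY = ("javax.faces.ViewState=" + quote(base64.b64encode(SAMPLE_STREAM).decode())
               + "&j_idt5=submit&comment=hello")
```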