Is Ajax4JSF subject to the JavaScript Hijacking vulnerabilit

tarapeltier Apr 23, 2007 12:24 PM

This AJAX vulnerability (via JavaScript Hijbacking) was published a few weeks ago by Fortify Software. They evaluated 12 AJAX toolkits, and found that 11 of the 12 are vulnerable. AJAX4JSF was not one of the ones evaluated.
http://www.fortifysoftware.com/news-events/releases/2007/2007-04-02.jsp

I've googled to try to find out if anyone has tested AJAX4JSF for this vulnerability, but haven't found anything.

There are two main defenses - 1) use POST requests and 2) prevent direct execution of the response. Based on my investigation, AJAX4JSF does use POST requests, so #1 is covered. However, I'm not sure about #2. I've tried digging into the JavaScript libraries, but I haven't found anything so far.

Does anyone have any further news on whether AJAX4JSF is vulnerable to this?

Regards,
Tara Peltier

1. Re: Is Ajax4JSF subject to the JavaScript Hijacking vulnerab

sergeysmirnov Apr 23, 2007 1:21 PM (in response to tarapeltier)

I am not surprised that Ajax toolkits are vulnerable, because most of them are Javascript oriented frameworks.
However, I'd like to pay your attention that Ajax4jsf is NOT a javascript framework. It uses javascript only for transport purpose.
All requests come to the server must have a prior registration and parameters are encrypted.
Actions