1 Reply Latest reply on Apr 23, 2007 1:21 PM by Sergey Smirnov

    Is Ajax4JSF subject to the JavaScript Hijacking vulnerability

    Tara Peltier Newbie

      This AJAX vulnerability (via JavaScript Hijacking) was published a few weeks ago by Fortify Software. They evaluated 12 AJAX toolkits, and found that 11 of the 12 are vulnerable. AJAX4JSF was not one of the ones evaluated.

      I've googled to try to find out if anyone has tested AJAX4JSF for this vulnerability, but haven't found anything.

      There are two main defenses - 1) use POST requests and 2) prevent direct execution of the response. Based on my investigation, AJAX4JSF does use POST requests, so #1 is covered. However, I'm not sure about #2. I've tried digging into the JavaScript libraries, but I haven't found anything so far.

      Does anyone have any further news on whether AJAX4JSF is vulnerable to this?

      Tara Peltier
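The two defenses listed in the post, shown as an added JavaScript example that is not Ajax4JSF code or part of the original thread; the function names and the `)]}',\n` response prefix are assumptions chosen for illustration.

```javascript
// Added illustration of defenses #1 (POST only) and #2 (non-executable response)
// against JavaScript Hijacking. Not Ajax4JSF code; names are hypothetical.

// Prefix that breaks parsing if the body is ever loaded as a <script>, but is
// trivial for the legitimate XMLHttpRequest caller to strip. Assumption: any
// fixed, syntactically invalid prefix works; this one is a common convention.
const GUARD = ")]}',\n";

// Server side: a <script src="..."> tag can only issue GET, so refusing GET
// (defense #1) and guarding the JSON body (defense #2) both apply here.
function handleRequest(req, data) {
  if (req.method !== "POST") {
    return { status: 405, body: "" };
  }
  return { status: 200, body: GUARD + JSON.stringify(data) };
}

// Client side: the same-origin caller knows the framing, removes it and parses.
function unguardResponse(body) {
  if (!body.startsWith(GUARD)) {
    throw new Error("unexpected response framing");
  }
  return JSON.parse(body.slice(GUARD.length));
}

// Models what a cross-site <script> inclusion does with the body: the browser
// parses it as a script. A bare JSON array/object literal is a valid script and
// runs; the guarded body is a syntax error and never yields the data.
function simulateScriptInclusion(body) {
  try {
    new Function(body)();
    return "executed";
  } catch (e) {
    return "rejected: " + e.constructor.name;
  }
}

// Constructed sample: a request carrying data the response must protect.
const sample = { secret: "s3" };
const ok = handleRequest({ method: "POST" }, sample);
console.log(simulateScriptInclusion(JSON.stringify([sample]))); // executed
console.log(simulateScriptInclusion(ok.body));                  // rejected: SyntaxError
console.log(unguardResponse(ok.body).secret);                   // s3
```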