1 Reply Latest reply on Apr 23, 2007 1:21 PM by Sergey Smirnov

    Is Ajax4JSF subject to the JavaScript Hijacking vulnerabilit

    Tara Peltier Newbie

      This AJAX vulnerability (via JavaScript Hijbacking) was published a few weeks ago by Fortify Software. They evaluated 12 AJAX toolkits, and found that 11 of the 12 are vulnerable. AJAX4JSF was not one of the ones evaluated.
      http://www.fortifysoftware.com/news-events/releases/2007/2007-04-02.jsp

      I've googled to try to find out if anyone has tested AJAX4JSF for this vulnerability, but haven't found anything.

      There are two main defenses - 1) use POST requests and 2) prevent direct execution of the response. Based on my investigation, AJAX4JSF does use POST requests, so #1 is covered. However, I'm not sure about #2. I've tried digging into the JavaScript libraries, but I haven't found anything so far.

      Does anyone have any further news on whether AJAX4JSF is vulnerable to this?

      Regards,
      Tara Peltier