ViewState Java

Author: swisskyrepo

Diff for: Insecure Deserialization/Java.md

@@ -11,6 +11,7 @@
     * [Burp extensions using ysoserial](#burp-extensionsl)
     * [Alternative Tooling](#alternative-tooling)
 * [YAML Deserialization](#yaml-deserialization)
+* [ViewState](#viewstate)
 * [References](#references)
 
 
@@ -146,13 +147,80 @@ SnakeYAML
 ```
 
 
+## ViewState
+
+In Java, ViewState refers to the mechanism used by frameworks like JavaServer Faces (JSF) to maintain the state of UI components between HTTP requests in web applications. There are 2 major implementations:
+
+* Oracle Mojarra (JSF reference implementation)
+* Apache MyFaces
+
+**Tools**:
+
+* [joaomatosf/jexboss](https://github.com/joaomatosf/jexboss) - JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation Tool
+* [Synacktiv-contrib/inyourface](https://github.com/Synacktiv-contrib/inyourface) - InYourFace is a software used to patch unencrypted and unsigned JSF ViewStates.
+
+
+### Encoding
+
+| Encoding      | Starts with |
+| ------------- | ----------- |
+| base64        | `rO0`       |
+| base64 + gzip | `H4sIAAA`   |
+
+
+### Storage
+
+The `javax.faces.STATE_SAVING_METHOD` is a configuration parameter in JavaServer Faces (JSF). It specifies how the framework should save the state of a component tree (the structure and data of UI components on a page) between HTTP requests.
+
+The storage method can also be inferred from the viewstate representation in the HTML body.
+
+* **Server side** storage: `value="-XXX:-XXXX"`
+* **Client side** storage: `base64 + gzip + Java Object`
+
+
+### Encryption
+
+By default MyFaces uses DES as encryption algorithm and HMAC-SHA1 to authenticate the ViewState. It is possible and recommended to configure more recent algorithms like AES and HMAC-SHA256.
+
+| Encryption Algorithm | HMAC        |
+| -------------------- | ----------- |
+| DES ECB (default)    | HMAC-SHA1   |
+
+Supported encryption methods are BlowFish, 3DES, AES and are defined by a context parameter.
+The value of these parameters and their secrets can be found inside these XML clauses.
+
+```xml
+<param-name>org.apache.myfaces.MAC_ALGORITHM</param-name>   
+<param-name>org.apache.myfaces.SECRET</param-name>   
+<param-name>org.apache.myfaces.MAC_SECRET</param-name>
+```
+
+Common secrets from the [documentation](https://cwiki.apache.org/confluence/display/MYFACES2/Secure+Your+Application).
+
+| Name                 | Value                              |
+| -------------------- | ---------------------------------- |
+| AES CBC/PKCS5Padding | `NzY1NDMyMTA3NjU0MzIxMA==`         |
+| DES                  | `NzY1NDMyMTA=<`                    |
+| DESede               | `MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz` |
+| Blowfish             | `NzY1NDMyMTA3NjU0MzIxMA`           |
+| AES CBC              | `MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz` |
+| AES CBC IV           | `NzY1NDMyMTA3NjU0MzIxMA==`         |
+
+
+* **Encryption**: Data -> encrypt -> hmac_sha1_sign -> b64_encode -> url_encode -> ViewState
+* **Decryption**: ViewState -> url_decode -> b64_decode -> hmac_sha1_unsign -> decrypt -> Data
+
 
 ## References
 
 - [Detecting deserialization bugs with DNS exfiltration - Philippe Arteau - March 22, 2017](https://www.gosecure.net/blog/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/)
+- [Hack The Box - Arkham - 0xRick - August 10, 2019](https://0xrick.github.io/hack-the-box/arkham/)
 - [How I found a $1500 worth Deserialization vulnerability - Ashish Kunwar - August 28, 2018](https://medium.com/@D0rkerDevil/how-i-found-a-1500-worth-deserialization-vulnerability-9ce753416e0a)
 - [Jackson CVE-2019-12384: anatomy of a vulnerability class - Andrea Brancaleoni - July 22, 2019](https://blog.doyensec.com/2019/07/22/jackson-gadgets.html)
+- [Java Deserialization in ViewState - Haboob Team - December 23, 2020](https://www.exploit-db.com/docs/48126)
 - [Java-Deserialization-Cheat-Sheet - Aleksei Tiurin - May 23, 2023](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
+- [JSF ViewState upside-down - Renaud Dubourguais, Nicolas Collignon - March 15, 2016](https://www.synacktiv.com/ressources/JSF_ViewState_InYourFace.pdf)
+- [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - Peter Stöckli - August 14, 2017](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html)
 - [Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities - Peter Stöckli - August 14, 2017](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html)
 - [On Jackson CVEs: Don’t Panic — Here is what you need to know - cowtowncoder - December 22, 2017](https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062#da96)
 - [Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464) - Michael Stepankin (@artsploit) - June 29, 2021](https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464)