CSRF, XSS and SQL Injection attack prevention in JSF

by

XSS

JSF is designed to have builtin XSS prevention. You can safely redisplay all user-controlled input (request headers (including cookies!), request parameters (also the ones which are saved in DB!) and request bodies (uploaded text files, etc)) using any JSF component.

<h:outputText value="#{user.name}" />
<h:outputText value="#{user.name}" escape="true" />
<h:inputText value="#{user.name}" />
etc...

Note that when you’re using JSF 2.0 on Facelets, then you can use EL in template text like so:

<p>Welcome, #{user.name}</p>

This will also implicitly be escaped. You don’t necessarily need <h:outputText> here.

Only when you’re explicitly unescaping user-controlled input using escape="false":

<h:outputText value="#{user.name}" escape="false" />

then you’ve a potential XSS attack hole!

If you’d like to redisplay user-controlled input as HTML wherein you would like to allow only a specific subset of HTML tags like <b>, <i>, <u>, etc, then you need to sanitize the input by a whitelist. The HTML parser Jsoup is very helpful in this.

itemLabelEscaped bug in Mojarra < 2.2.6

Older Mojarra versions before 2.2.6 had the bug wherein <f:selectItems itemLabel> incorrectly renders the label unescaped when provided a List<T> via <f:selectItems var> instead of List<SelectItem> or SelectItem[] as value (issue 3143). In other words, if you’re redisplaying user-controlled data as item labels via a List<T>, then you’ve a potential XSS hole. If upgrading to at least Mojarra 2.2.6 is not an option, then you need to explicitly set itemLabelEscaped attribute to true to prevent that.

<f:selectItems value="#{bean.entities}" var="entity" itemValue="#{entity}"
    itemLabel="#{entity.someUserControlledProperty}" itemLabelEscaped="true" />

CSRF

JSF 2.x has already builtin CSRF prevention in flavor of javax.faces.ViewState hidden field in the form when using server side state saving. In JSF 1.x this value was namely pretty weak and too easy predictable (it was actually never intended as CSRF prevention). In JSF 2.0 this has been improved by using a long and strong autogenerated value instead of a rather predictable sequence value and thus making it a robust CSRF prevention.

In JSF 2.2 this is even be further improved by making it a required part of the JSF specification, along with a configurable AES key to encrypt the client side state, in case client side state saving is enabled. See also JSF spec issue 869 and Reusing ViewState value in other session (CSRF). New in JSF 2.2 is CSRF protection on GET requests by <protected-views>.

Only when you’re using stateless views as in <f:view transient="true">, or there’s somewhere a XSS attack hole in the application, then you’ve a potential CSRF attack hole.

SQL injection

This is not JSF’s responsibility. How to prevent this depends on the persistence API you’re using (raw JDBC, modern JPA or good ol’ Hibernate), but all boils down that you should never concatenate user-controlled input into SQL strings like so

String sql = "SELECT * FROM user WHERE username="" + username + "" AND password = md5(" + password + ")";
String jpql = "SELECT u FROM User u WHERE u.username="" + username + "" AND u.password = md5('" + password + "')";

Imagine what would happen if the enduser chooses the following name:

x'; DROP TABLE user; --

You should always use parameterized queries where applicable.

String sql = "SELECT * FROM user WHERE username = ? AND password = md5(?)";
String jpql = "SELECT u FROM User u WHERE u.username = ?1 AND u.password = md5(?2)";

In plain JDBC you need to use PreparedStatement to fill the parameter values and in JPA (and Hibernate), the Query object offers setters for this as well.

More Related Contents:

  1. JSF returns blank/unparsed page with plain/raw XHTML/XML/EL source instead of rendered HTML output
  2. How does the ‘binding’ attribute work in JSF? When and how should it be used?
  3. Backing beans (@ManagedBean) or CDI Beans (@Named)?
  4. Uploaded image only available after refreshing the page
  5. How do I process GET query string URL parameters in backing bean on page load?
  6. JSTL c:if doesn’t work inside a JSF h:dataTable
  7. ViewParam vs @ManagedProperty(value = “#{param.id}”)
  8. Is it suggested to use h:outputText for everything?
  9. Defining and reusing an EL variable in JSF page
  10. Accessing injected dependency in managed bean constructor causes NullPointerException
  11. File upload doesn’t work with AJAX in PrimeFaces 4.0/JSF 2.2.x – javax.servlet.ServletException: The request content-type is not a multipart/form-data
  12. Maven and JSF webapp structure, where exactly to put JSF resources
  13. Hit a bean method and redirect on a GET request
  14. Find component by ID in JSF
  15. How and when is a @ViewScoped bean destroyed in JSF?
  16. How to bind dynamic content using ?
  17. Difference between rendered and visible attributes of
  18. How to add placeholder attribute to JSF input component?
  19. How to create a composite component for a datatable column?
  20. Unable to find matching navigation case with from-view-id ‘/pages/index.xhtml’
  21. How do I force an application-scoped bean to instantiate at application startup?
  22. Open new window by POST using h:commandButton
  23. How to install one jar variant of JSF 2.3 (javax.faces.jar) on WildFly
  24. How to use to iterate over a nested list?
  25. How and when should I load the model from database for JSF dataTable
  26. How to Dynamically add a row in a table in JSF?
  27. What’s the difference between and in Java Facelets?
  28. Collection of selectManyCheckbox inside a ui:repeat knows which element of the repeater it belongs to
  29. Remove all styling from Primefaces components?
  30. Facelets and JSTL (Converting a Date to a String for use in a field)

Leave a Comment