https://stackoverflow.com/questions/20335023
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianJSF 1.x was CSRF sensitive because the value of the hidden input field javax.faces.ViewState was easily predictable. It was composed of some fixed prefix value with an incremental numeric suffix. So, when the JSF 1.x webapp has a XSS hole (which is fairly easy to accidently overlook in legacy JSP), one could easily prepare a CSRF attack by predicting the next javax.faces.ViewState value based on the current value (and relying on JSF 1.0/1.1 feature of blindly creating a new view instead of throwing ViewExpiredException).
Since JSF 2.x, both XSS and CSRF attacks are much harder to be accomplished. Note that without a XSS hole, it's practically impossible to prepare a successful CSRF attack. JSP's successor Facelets has implicit XSS attack prevention. The only way to have a XSS hole in JSF 2.x is explicitly using <h:outputText escape="false"> on user-controlled input. Even then if there's one, the hidden input field javax.faces.ViewState is now a long and auto-generated value. It's not possible to predict the next value for this.
So, the <s:token> has not really a value anymore in JSF 2.x.
