Insecure JSF ViewState

ID

insecure_jsf_viewstate

Severity

high

Kind

Session Management

CWE

642

Description

The response at the following URL contains a ViewState value that has no cryptographic protections. The detector identifies JavaServer Faces (JSF) ViewState parameters that lack Message Authentication Code (MAC) signatures or encryption, making them vulnerable to tampering and information disclosure.
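The check this detector performs can be reproduced offline, as in the following example (added here as an illustration; it is not the scanner's own implementation). It assumes the standard hidden-input names javax.faces.ViewState and jakarta.faces.ViewState, server-side tokens of the form "id:id", and the usual serialize-then-gzip-then-base64 layout for client-side state; the sample HTML and state blobs are constructed.

```python
import base64, binascii, gzip, re
from html.parser import HTMLParser

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # Java ObjectOutputStream header
GZIP_MAGIC = b"\x1f\x8b"                  # MyFaces/Mojarra gzip client state by default
VIEWSTATE_NAMES = {"javax.faces.ViewState", "jakarta.faces.ViewState"}

class _ViewStateExtractor(HTMLParser):  # collects every ViewState hidden input value
    def __init__(self):
        super().__init__()
        self.values = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag.lower() == "input" and a.get("name") in VIEWSTATE_NAMES and a.get("value"):
            self.values.append(a["value"])

def classify_viewstate(value):
    """'server' / 'stateless' / 'unprotected-client' / 'opaque-client'."""
    v = value.strip()
    if v == "stateless":
        return "stateless"
    if re.fullmatch(r"-?\d+:-?\d+", v):          # server-side saving: only an id token is sent
        return "server"
    try:
        raw = base64.b64decode(v, validate=True)
    except (binascii.Error, ValueError):
        return "opaque-client"
    if raw.startswith(GZIP_MAGIC):
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError):
            return "opaque-client"
    # Readable serialized Java means no encryption; a MAC-only layout would still show the
    # magic, so confirm a hit against the deployment's web.xml before reporting it.
    return "unprotected-client" if raw.startswith(JAVA_SERIAL_MAGIC) else "opaque-client"

def audit_response(html):
    """Return [(classification, value_prefix)] for each ViewState found in html."""
    p = _ViewStateExtractor()
    p.feed(html)
    return [(classify_viewstate(v), v[:12]) for v in p.values]

# Constructed samples: a fake serialized object (magic + dummy bytes) gzipped like MyFaces
# does, and an opaque blob standing in for an encrypted state.
_FAKE_STATE = base64.b64encode(gzip.compress(JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x05dummy")).decode()
_FAKE_OPAQUE = base64.b64encode(b"\x8f\x11\x22\x33not-a-java-stream").decode()
SAMPLE_HTML = (
    '<form><input type="hidden" name="javax.faces.ViewState" value="-1234567890:987654321"/>'
    f'<input type="hidden" name="javax.faces.ViewState" value="{_FAKE_STATE}"/>'
    f'<input type="hidden" name="jakarta.faces.ViewState" value="{_FAKE_OPAQUE}"/></form>'
)
```

`audit_response(SAMPLE_HTML)` classifies the three constructed inputs as server, unprotected-client and opaque-client respectively; only the middle one is a finding for this rule.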

Rationale

Unprotected JSF ViewState allows attackers to decode the state object to extract sensitive application data, session information, or business logic details stored on the client side. More critically, an attacker can modify the ViewState to manipulate application flow, bypass business rules, escalate privileges, or inject malicious data that the server will deserialize and execute. Without MAC validation, the server cannot distinguish legitimate ViewState from attacker-crafted payloads, leading to arbitrary state manipulation.

Remediation

Secure the ViewState with a MAC specific to your environment: either set javax.faces.STATE_SAVING_METHOD to server (server-side state saving, so only an opaque identifier reaches the client) or, if client-side saving is required, enable ViewState encryption and MAC protection. For Apache MyFaces, set the org.apache.myfaces.MAC_SECRET and org.apache.myfaces.MAC_ALGORITHM parameters in web.xml to a strong, randomly generated secret and a strong algorithm. For JSF 2.2+, enable the javax.faces.PROTECT_VIEWS parameter. Avoid storing sensitive data in the ViewState, and validate all deserialized state on the server side before processing it.