Insecure JSF ViewState

Docs > Alerts

Details
Alert Id	90001
Alert Type	Passive
Status	release
Risk	Medium
CWE	642
WASC	14
Tags	OWASP_2017_A06 OWASP_2021_A04

Summary

The response at the following URL contains a ViewState value that has no cryptographic protections.

Solution

Secure VIEWSTATE with a MAC specific to your environment

References

https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt

Code

org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRule.java