Insecure JSF ViewState

Docs > Alerts

Details
Alert Id	90001
Alert Type	Passive Scan Rule
Status	release
Risk
CWE
WASC

Summary

The response at the following URL contains a ViewState value that has no cryptographic protections.

Solution

Secure VIEWSTATE with a MAC specific to your environment

References

https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt

Code

org/zaproxy/zap/extension/pscanrules/InsecureJsfViewStatePassiveScanRule.java