Insecure JSF ViewState

Docs > Alerts

Type: Passive Scan

Description

The response at the following URL contains a ViewState value that has no cryptographic protections.

Solution

Secure VIEWSTATE with a MAC specific to your environment

References

https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt

Code

org/zaproxy/zap/extension/pscanrules/InsecureJSFViewStatePassiveScanner.java

Last updated: 2020-04-30 16:12:39.623Z