small language adjustment

liquidsec 2023-03-24 17:55:50 -04:00
parent d7eb3427c4
commit 15756038b3


@ -76,7 +76,7 @@ Everything happened before the JSF implementation could have a look at the ViewS
Now, what are the ingredients for a disaster?
* unencrypted ViewState
* unencrypted ViewState (or, possession of the encryption key)
* Gadget on the classpath of the server
* In case of Mojarra: ViewState configured to reside on the `client`
* In case of MyFaces: ViewState configured to reside on the `client` **or** the `server`
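Review bot: In the reworded first bullet, "(or, possession of the encryption key)" reads as an aside, but it is a second, independent precondition and deserves to be stated as one. Consider "unencrypted ViewState, or an encrypted ViewState whose key the attacker knows", which also drops the stray comma after "or" and matches the "Known Key" wording introduced in the heading change further down.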
@ -209,7 +209,7 @@ else:
print(GREEN + "[*] Saved to : {}".format(sys.argv[2]))
```
# Detection with Badsecrets
# Known Key Detection with Badsecrets
![Badsecrets](https://github.com/blacklanternsecurity/badsecrets) is a library capable of detecting the use of known cryptographic keys by looking at the products they produce, and checking against a list of known or weak keys. Its `Jsf_viewstate` module is capable of detecting Java Server Faces ViewStates created with known keys on both Mojarra and MyFaces, in addition to unprotected or compressed ViewStates.
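Review bot: The new heading "Known Key Detection with Badsecrets" is narrower than the paragraph under it, which says the `Jsf_viewstate` module also detects "unprotected or compressed ViewStates"; either keep the broader heading or note in the text that known-key detection is the focus. Renaming the heading also changes its generated anchor, so any existing links to the old section name should be checked. While this line is being touched, `![Badsecrets](https://github.com/blacklanternsecurity/badsecrets)` uses image syntax for a repository URL and will render as a broken image; dropping the leading `!` makes it a normal link.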