A technique used in Web application development platforms that provides a constant look-and-feel across multiple Web pages can potentially expose sensitive user data, such as credit-card numbers, according to researchers, who at next week's Black Hat DC
will demonstrate a new class of vulnerabilities in Apache MyFaces, Sun Mojarra, and Microsoft ASP.NET. They will also release a tool that tests for the flaws.
The so-called "view state" technique in both the MyFaces and Mojarra frameworks can be exploited such that an attacker can view user data -- think username, password, and credit-card number -- that's temporarily stored on the server during a session. View state is basically a method for tracking changes to visual components on a Web page that lets the Web server update a Web page without moving from that page.
"This is a fairly complicated vulnerability," says David Byrne, senior security consultant with Trustwave's SpiderLabs. "View state is something most people have heard of, but they aren't familiar with its inner workings. The tool we're going to release will help reveal those inner workings."