I am pentesting an Oracle ADF web application. One of the requests to delete some content consists of parameters like _adf.ctrl-state and javax.faces.ViewState, which seem to be random numbers, active only during one session.

I'm not sure if this prevents CSRF attacks. I found some resources, like for example this, which suggest adding an additional anti-CSRF token.

  • The viewstate might contain some kind of CSRF protection (see [this](https://security.stackexchange.com/questions/8744/does-asp-net-viewstate-implicitly-prevent-csrf-attacks-what-does-this-mean-for) for a similar discussion for ASP.NET). – Anders Oct 23 '17 at 14:13
  • Can't really say more than that without more information. I'd say your best bet is just to try and see if it works. – Anders Oct 23 '17 at 14:14
  • I've seen similar things which I felt were CSRF tokens but were instead a weird request and session identifier for bug/issue resolution. Usually devs who know what they're doing and why they're doing it call it what it is: a `csrf_token` – Allison Oct 26 '17 at 05:26
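The "try and see if it works" test from the comments, written out as an added example (not code from the original post and not Oracle ADF code): a CSRF attacker can choose the POST body but rides on the victim's cookie, so the decisive check is to replay the captured delete request with the victim's cookie while substituting token values taken from the attacker's own session, and again with the tokens removed. `csrf_probe()` is the generic test you would point at the real target; `MockAdfServer`, the cookie names, parameter values and the `bind_to_session` switch are constructed assumptions so the script runs offline, and they model two ways a server *might* treat these values rather than how ADF actually does.

```python
"""Replay check: do _adf.ctrl-state / javax.faces.ViewState act as CSRF tokens?
Added example, not from the original post or from Oracle ADF.  csrf_probe() is
the generic test a pentester runs against the real target; MockAdfServer is a
constructed stand-in whose two modes are assumptions, not ADF behaviour."""
from urllib.parse import parse_qs, urlencode

TOKEN_PARAMS = ("_adf.ctrl-state", "javax.faces.ViewState")


def _query(body: str) -> dict:
    return parse_qs(body, keep_blank_values=True)


def swap_tokens(victim_body: str, attacker_body: str) -> str:
    """Victim's body with the token params replaced by values the attacker
    obtained from their *own* session (the realistic CSRF payload)."""
    v, a = _query(victim_body), _query(attacker_body)
    for p in TOKEN_PARAMS:
        if p in a:
            v[p] = a[p]
    return urlencode(v, doseq=True)


def strip_tokens(body: str) -> str:
    """Victim's body with the token params removed entirely."""
    q = _query(body)
    for p in TOKEN_PARAMS:
        q.pop(p, None)
    return urlencode(q, doseq=True)


def csrf_probe(send, victim_cookie, victim_body, attacker_body):
    """send(cookie, body) -> (status, text).  The browser attaches the victim's
    cookie to a forged request, so every variant keeps victim_cookie and only
    the token values change."""
    responses = {
        "baseline": send(victim_cookie, victim_body),
        "attacker_tokens": send(victim_cookie, swap_tokens(victim_body, attacker_body)),
        "no_tokens": send(victim_cookie, strip_tokens(victim_body)),
    }
    accepted = {k: status == 200 for k, (status, _) in responses.items()}
    if not accepted["baseline"]:
        verdict = "inconclusive"   # the captured request itself was rejected
    elif accepted["attacker_tokens"] or accepted["no_tokens"]:
        verdict = "vulnerable"     # action runs without the victim's own tokens
    else:
        verdict = "protected"      # tokens are bound to the victim's session
    return verdict, accepted


class MockAdfServer:
    """Constructed stand-in (assumption, not ADF).  bind_to_session=True: the
    delete is accepted only if the submitted tokens are the ones issued to the
    cookie's session.  bind_to_session=False: the tokens are mere request
    identifiers, as suggested in the last comment, and any value is accepted."""

    def __init__(self, bind_to_session: bool):
        self.bind_to_session = bind_to_session
        self.issued = {}  # cookie -> (ctrl_state, view_state)

    def new_session(self, cookie, ctrl_state, view_state):
        """Issue tokens to a session and return the delete body the page
        would post, as a proxy capture would show it."""
        self.issued[cookie] = (ctrl_state, view_state)
        return urlencode({TOKEN_PARAMS[0]: ctrl_state, TOKEN_PARAMS[1]: view_state,
                          "event": "delete", "id": "17"})

    def send(self, cookie, body):
        if cookie not in self.issued:
            return 401, "no session"
        submitted = tuple(_query(body).get(p, [None])[0] for p in TOKEN_PARAMS)
        if self.bind_to_session and submitted != self.issued[cookie]:
            return 403, "state mismatch"
        return 200, "deleted"


def run_probe(bind_to_session: bool):
    """Victim and attacker each hold a live session; the attacker embeds the
    token values from their own session in the forged request."""
    srv = MockAdfServer(bind_to_session)
    victim_body = srv.new_session("JSESSIONID=victim", "1a2b3c", "!-4a9f")
    attacker_body = srv.new_session("JSESSIONID=attacker", "9z8y7x", "!-77e1")
    return csrf_probe(srv.send, "JSESSIONID=victim", victim_body, attacker_body)


if __name__ == "__main__":
    for mode in (True, False):
        verdict, accepted = run_probe(mode)
        print(f"bind_to_session={mode}: {verdict} {accepted}")
```

Against a real target, replace `srv.send` with a function that performs the HTTP request and, rather than trusting the status code alone, confirm whether the content was actually deleted after each variant; an application may answer 200 with an error page. If the attacker-token and no-token variants are rejected, the values are at least session-bound, but the capture-and-replay result says nothing about whether they are also unpredictable enough to be safe from guessing.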