JSF (Mojarra) ViewState must not be unencrypted

Test Case that checks that a given JSF page (typically ending on .xhtml) does not contain an unencrypted ViewState.

Given

HTTP GET on any JSF based page (typically ending on .xhtml).

Expected

In this template the HTTP Status returned is expected to be 200 (OK) and the following body content:

• must contain a ViewState
• must not contain an unencrypted Mojarra ViewState

More information

See also:

• Bug 1479661 - JSF client side view state saving deserializes data (Red Hat)
• Misconfigured JSF ViewStates can lead to severe RCE vulnerabilities (Alphabot Security)