This presentation will highlight 0-days in Apache MyFaces and Sun Mojarra that allow an attacker to access all server-side session data, as well as some globally-scoped application variables. This presentation will provide a live demonstration of the flaws. The tool used to exploit the vulnerability will also be released.
A similar vulnerability is present in Microsoft’s ASP.Net view state. This may not technically be an 0-day, but it is a poorly known flaw that has been present since the beginning days of .Net. A live demonstration of this will also be performed.