deface

dbyrne@trustwave.com
rsulatycki@trustwave.com

http://www.trustwave.com/spiderlabs

INTRODUCTION
============

DefaceTool is an open-source JavaServer Faces (JSF) testing tool for decoding
view state and creating view state attack vectors. The tool can be used to
create XSS attacks and session and application scope attacks against Apache
MyFaces 1.2.8 applications. The tool has been architected to be extensible and
can be modified to support other versions of Apache MyFaces and Sun Mojarra.

USAGE
=====

DefaceTool is a Java application. Once built, launch the resulting
"defacetool.jar" file using Java.

    java -jar defacetool.jar

COPYRIGHT
=========

DefaceTool - A web application security testing tool
Created by David Byrne and Rohini Sulatycki
Copyright (C) 2010 Trustwave Holdings, Inc.

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.