Add Security functionalities to Struts


bisan

Hi all,

HDIV project (http://www.hdiv.org) is an Apache-licensed Struts'
Security extension that adds Security functionalities to Struts,
maintaining the API and Struts specification. This implies that we can
use HDIV in applications developed in Struts in a transparent way to
the programmer and without adding any complexity to the application
development.

The security functionalities added to the original Struts version are:

- INTEGRITY: HDIV guarantees integrity (no data modification) of all the
data generated by the server which should not be modified by the
client (links, hidden fields, combo values, radio buttons, destiny
pages, etc.).

- CONFIDENTIALITY: HDIV guarantees the confidentiality of non-editable
data as well. Usually lots of the data sent to the client has key
information for the attackers such as database registry identifiers,
column or table names, web directories, etc. All these values are
hidden by HDIV to avoid a malicious use of them. For example a link of
this type, http://www.host.com?data1=12&data2=24 is replaced by
http://www.host.com?data1=0&data2=1, guaranteeing confidentiality of
the values representing database identifiers.

- EDITABLE DATA VALIDATION (textbox and textarea): HDIV eliminates to
a large extent the risk originated by attacks of type Cross-site
scripting (XSS) and SQL Injection using generic validations of the
editable data (text and textarea). The user will have to configure
generic validations through rules in XML format, reducing or
eliminating the risk against attacks based on the defined
restrictions.

The HDIV website also contains an extensive PowerPoint presentation on how
HDIV addresses the Open Web Application Security Project's top 10
website security vulnerabilities (http://www.hdiv.org/docs/hdiv.ppt).

Regards,

Gorka Vicente Martiarena.
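
An added illustration of the value hiding and integrity check described in the post above, not HDIV code and not written by the post's author. The class `HiddenValueState` and its methods are hypothetical, and keeping the mapping in one per-session object is an assumption.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Hypothetical per-session store for server-issued values; not an HDIV class. */
public class HiddenValueState {
    // Each entry is {parameterName, realValue}; its list position is the index sent to the client.
    private final List<String[]> entries = new ArrayList<>();

    /** Rewrites a server-generated link so the real values never reach the client. */
    public String hide(String url) {
        int q = url.indexOf('?');
        if (q < 0 || q == url.length() - 1) return url; // no query string to hide
        StringBuilder out = new StringBuilder(url.substring(0, q + 1));
        for (String pair : url.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            if (out.charAt(out.length() - 1) != '?') out.append('&');
            out.append(name).append('=').append(entries.size());
            entries.add(new String[] {name, value});
        }
        return out.toString();
    }

    /** Maps indices in an incoming request back to real values; rejects anything the server did not issue. */
    public Map<String, String> restore(Map<String, String> requestParams) {
        Map<String, String> real = new LinkedHashMap<>();
        for (Map.Entry<String, String> p : requestParams.entrySet()) {
            int idx;
            try { idx = Integer.parseInt(p.getValue()); }
            catch (NumberFormatException e) { throw new SecurityException("non-index value for " + p.getKey()); }
            // The index must exist and must have been issued for this parameter name.
            if (idx < 0 || idx >= entries.size() || !entries.get(idx)[0].equals(p.getKey()))
                throw new SecurityException("value not issued by server for " + p.getKey());
            real.put(p.getKey(), entries.get(idx)[1]);
        }
        return real;
    }

    public static void main(String[] args) {
        HiddenValueState state = new HiddenValueState();
        // The link from the post; the client only ever sees the indices.
        System.out.println(state.hide("http://www.host.com?data1=12&data2=24"));
        System.out.println(state.restore(Map.of("data1", "0", "data2", "1")));
        try { state.restore(Map.of("data1", "1")); } // index issued for data2, sent as data1
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```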
 
