| |
|
HTTP Data Integrity Validator (HDIV) adds security functionalities to Struts |
|
|
|
Written by Gorka Vicente Martiarena
|
|
Apr 17, 2007 at 01:42 AM |
|
HDIV project is an Apache-licensed Struts' Security extension that adds
security
functionalities to Struts, maintaining the API and Struts
specification.
This implies that we can use HDIV in applications developed in Struts
in a
transparent way to the programmer and without adding any complexity to
the
application development.
The security functionalities added to the original Struts version are:
INTEGRITY: HDIV
guarantees integrity (no data modification) of all the
data
generated by the server which should not be modified by the client
(links,
hidden fields, combo values, radio buttons, destiny pages, etc.).
CONFIDENTIALITY: HDIV guarantees the confidentiality of non editable
data as
well. Usually lots of the data sent to the client has key information
for the
attackers such as database registry identifiers, column or table names,
web
directories, etc. All these values are hidden by HDIV to avoid a
malicious use
of them. For example a link of this type,
http://www.host.com?data1=12&data2=24
is replaced by http://www.host.com?data1=0&data2=1,
guaranteeing confidentiality
of the values representing database identifiers.
New release includes a number of new features centered around cookies
and
editable data validation:
- Cookie confidentiality and integrity validation.
- Editable data validation (textbox and textarea): HDIV eliminates to a
large
extent the risk originated by attacks of type Cross-site scripting
(XSS) and
SQL Injection using generic validations of the editable data (text and
textarea). The user will have to configurate generic validations
through rules
in XML format, reducing or eliminating the risk againstĀ
attacks based on the
defined restrictions.
Related -
|
|
|
|
Home | 
