[Java-project] [Webappsec] Strut's security extension(HDIV)

Jeff Williams jeff.williams at owasp.org
Wed Jan 31 09:20:57 EST 2007


Thanks for the information.  Based on your documentation, it appears that
HDIV only protects against changes to fields that shouldn't change.  While
hidden fields and the like are certainly an important source of XSS and SQL
injection, editable fields frequently have these vulnerabilities as well.

So if HDIV doesn't protect against flaws related to editable fields (please
correct me if I'm wrong), I think you shouldn't claim to "solve most common
application's vulnerabilities" as it's pretty misleading.

In fact, there's a danger with a solution like this that developers will
rely on its protection, and not do input validation or output encoding.
I've had a number of people tell me that they're safe from XSS because
Netegrity stops it.  It only looks at GET requests and does nothing with
POST.  This false sense of security can actually make you less secure.

Here's an idea for you -- if you're not already doing it, why not protect
custom cookies from tampering? You can "eat" them in your filter and add
them back when the request comes back.

Jeff Williams, Chair
The OWASP Foundation
"Dedicated to finding and fighting the causes of insecure software"
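As an added illustration of the two points raised above (this is example code written for this page, not HDIV's own implementation): a server-side state store that binds the non-editable parameters of a rendered form to a random state id so that tampering is detected on the way back, and that "eats" custom cookies at render time and restores them on the next request. The editable field is deliberately passed through untouched, which is exactly the gap noted above: output encoding and input validation for editable fields remain the application's job. All names (`StateStore`, `_STATE_`, the sample parameters and cookie) are assumptions made for the example.

```python
# Added example, not HDIV's code. Models (1) binding non-editable request
# parameters (hidden fields, ids, prices) to server-side state so that
# changes are detected, and (2) stashing custom cookies server-side and
# re-injecting them on the next request. Editable fields pass through
# unchanged, so they still need validation and output encoding.
import html
import secrets


class StateStore:
    """Server-side store keyed by a random, unguessable state id."""

    def __init__(self):
        # state_id -> (non-editable params, editable names, stashed cookies)
        self._states = {}

    def render(self, non_editable, editable_names, custom_cookies):
        """Called when a page is rendered. Returns the hidden fields the
        client receives; the custom cookies are stashed, not sent."""
        state_id = secrets.token_hex(16)
        self._states[state_id] = (
            dict(non_editable),
            frozenset(editable_names),
            dict(custom_cookies),
        )
        hidden = dict(non_editable)
        hidden["_STATE_"] = state_id  # assumed name of the state parameter
        return hidden

    def validate(self, request_params):
        """Called when the form comes back. Returns a verdict dict: on
        success the accepted parameters and the restored cookies."""
        state_id = request_params.get("_STATE_")
        if state_id not in self._states:
            return {"ok": False, "reason": "missing or unknown state"}
        frozen, editable, cookies = self._states[state_id]
        for name, value in request_params.items():
            if name == "_STATE_":
                continue
            if name in frozen:
                # Non-editable value must match what the server rendered.
                if value != frozen[name]:
                    return {"ok": False, "reason": f"tampered: {name}"}
            elif name not in editable:
                # A parameter the page never offered is rejected outright.
                return {"ok": False, "reason": f"unexpected parameter: {name}"}
        for name in frozen:
            if name not in request_params:
                return {"ok": False, "reason": f"missing non-editable: {name}"}
        accepted = {n: v for n, v in request_params.items() if n != "_STATE_"}
        # Editable values are returned as-is: nothing here sanitised them.
        return {"ok": True, "params": accepted, "cookies": dict(cookies)}


def encode_for_html(value):
    """Output encoding for editable fields is still the application's job."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Constructed sample: an order form with two non-editable values,
    # one editable comment field and one custom cookie.
    store = StateStore()
    form = store.render({"account_id": "42", "price": "10.00"},
                        ["comment"], {"theme": "dark"})
    print("hidden fields sent to client:", form)
    print(store.validate({**form, "comment": "<b>hi</b>"}))
    print(store.validate({**form, "price": "0.01", "comment": "hi"}))
```

Note what the store does not do: the `comment` value comes back exactly as the client sent it, so a template that prints it without `encode_for_html` is as exposed to XSS as one with no filter at all.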

-----Original Message-----
From: webappsec-bounces at lists.owasp.org
[mailto:webappsec-bounces at lists.owasp.org] On Behalf Of roberto at hdiv.org
Sent: Monday, January 29, 2007 5:45 AM
To: java-project at lists.owasp.org; webappsec at lists.owasp.org
Subject: [Webappsec] Strut's security extension(HDIV)


I would like to present to you a new open-source project related to web
application security: HDIV (http://www.hdiv.org). Actually, we have been
working on it for 3 years, but we have published it only recently.

HDIV is a Struts security extension intended to solve the most common web
application vulnerabilities, like parameter tampering, SQL injection and XSS.

Now we are working on a new version of HDIV for JSF.
I would like to know your opinion about the HDIV project.

Thanks in advance,

Roberto Velasco
Webappsec mailing list
Webappsec at lists.owasp.org
