[Java-project] [Webappsec] Strut's security extension(HDIV)

roberto at hdiv.org roberto at hdiv.org
Wed Jan 31 10:05:54 EST 2007


Jeff,

Yes, you are right.

HDIV 1.0 validates non-editable data (data generated in the server). We didn't
include that functionality (editable parameter validation) in the first version
because there is already a solution for that in the Struts environment: Struts
validator.

We have already done a new version of HDIV where you can define validations for
editable data (text/textarea). It will be released in one or two weeks. It's
simpler than Struts validator because you can define "generic validations".

For example you can stop all requests that have "=" or "<" value in any editable
parameter (text/textarea).

With this new version I think that HDIV resolves the problem with editable
parameters. If you need a particular validation you can use Struts' validator.

About the cookies, I agree with you and we are working on that now.
I hope it will be released also in the next release.

Thanks for your post!

Roberto Velasco
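The two validation modes Roberto describes (rejecting non-editable values the server never generated, plus "generic validations" on editable fields) can be modelled as a request filter. The block below is an added example written for this page in Python rather than as a Java servlet filter; it is not HDIV's code, the parameter name `_STATE_ID_`, the `PageStateStore` class and the two generic rules are assumptions of the example, and the page/request data is constructed.

```python
"""Model of an HDIV-style request-validation filter (added example, not HDIV's
code). Pages rendered by the server register which parameters are editable
(text/textarea) and which are non-editable (hidden fields, links, select
options) together with the values the server actually emitted. On the next
request the filter rejects any non-editable value the server did not generate
and applies generic validations to editable values."""
import secrets

# Name of the parameter carrying the page state id; chosen for this example.
STATE_PARAM = "_STATE_ID_"

# Generic validations applied to every editable parameter (assumed rules,
# mirroring the "=" and "<" example from the message).
GENERIC_RULES = [
    ("contains_equals", lambda value: "=" in value),
    ("contains_lt", lambda value: "<" in value),
]


class PageStateStore:
    """In-memory stand-in for the per-session state a server-side filter keeps."""

    def __init__(self):
        self._states = {}

    def register(self, editable, non_editable):
        """Record the parameters a rendered page emits; return its opaque state id.

        editable: set of parameter names the user may fill freely.
        non_editable: dict name -> set of values the server rendered for it.
        """
        state_id = secrets.token_hex(8)
        self._states[state_id] = (
            frozenset(editable),
            {name: frozenset(values) for name, values in non_editable.items()},
        )
        return state_id

    def lookup(self, state_id):
        return self._states.get(state_id)


def validate_request(store, params):
    """Validate a submitted request (dict name -> list of values).

    Returns (accepted, reason). A parameter the page never rendered, a
    non-editable value the server did not generate, and an editable value hit
    by a generic rule are all rejected before application code sees them.
    """
    state_ids = params.get(STATE_PARAM, [])
    if len(state_ids) != 1:
        return False, "missing or duplicated state id"
    state = store.lookup(state_ids[0])
    if state is None:
        return False, "unknown state id"
    editable, non_editable = state

    for name, values in params.items():
        if name == STATE_PARAM:
            continue
        if name in editable:
            for value in values:
                for rule_name, matches in GENERIC_RULES:
                    if matches(value):
                        return False, f"editable {name!r} rejected by rule {rule_name}"
        elif name in non_editable:
            for value in values:
                if value not in non_editable[name]:
                    return False, f"non-editable {name!r}: value {value!r} not generated by server"
        else:
            return False, f"parameter {name!r} was not part of the rendered page"
    return True, "ok"


if __name__ == "__main__":
    store = PageStateStore()
    # Constructed page: a hidden account id, a select with two options, a comment box.
    sid = store.register({"comment"}, {"account_id": {"1001"}, "action": {"view", "edit"}})
    print(validate_request(store, {STATE_PARAM: [sid], "account_id": ["1001"],
                                   "action": ["edit"], "comment": ["looks fine"]}))
    print(validate_request(store, {STATE_PARAM: [sid], "account_id": ["1002"],
                                   "action": ["edit"], "comment": ["looks fine"]}))
```

The state id is a per-page random token rather than a hash of the values, so the store, not the client, is the source of truth for what the server rendered; a request carrying an unknown or duplicated id is refused outright. The generic rules are deliberately coarse, which is Roberto's point: they stop obvious metacharacters in every free-text field without per-field configuration, while field-specific validation stays with Struts validator.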


Quoted message from Jeff Williams <jeff.williams at owasp.org>:

> Roberto,
>
> Thanks for the information.  Based on your documentation, it appears that
> HDIV only protects against changes to fields that shouldn't change.  While
> hidden fields and the like are certainly an important source of XSS and SQL
> injection, editable fields frequently have these vulnerabilities as well.
>
> So if HDIV doesn't protect against flaws related to editable fields (please
> correct me if I'm wrong), I think you shouldn't claim to "solve most common
> web application's vulnerabilities" as it's pretty misleading.
>
> In fact, there's a danger with a solution like this that developers will
> rely on its protection, and not do input validation or output encoding.
> I've had a number of people tell me that they're safe from XSS because
> Netegrity stops it.  It only looks at GET requests and does nothing with
> POST.  This false sense of security can actually make you less secure.
>
> Here's an idea for you -- if you're not already doing it, why not protect
> custom cookies from tampering? You can "eat" them in your filter and add
> them back when the request comes back.
>
> --Jeff
>
> Jeff Williams, Chair
> The OWASP Foundation
> "Dedicated to finding and fighting the causes of insecure software"
>
> -----Original Message-----
> From: webappsec-bounces at lists.owasp.org
> [mailto:webappsec-bounces at lists.owasp.org] On Behalf Of roberto at hdiv.org
> Sent: Monday, January 29, 2007 5:45 AM
> To: java-project at lists.owasp.org; webappsec at lists.owasp.org
> Subject: [Webappsec] Strut's security extension(HDIV)
>
>
> Hello,
>
> I would like to present to you a new open-source project related with web
> application security: HDIV (http://www.hdiv.org). Actually we have been
> working on it for 3 years but we have published it recently.
>
> HDIV is a Struts security extension intended to solve the most common web
> application vulnerabilities, like parameter tampering, SQL injection and XSS.
>
> Now we are working on a new version of HDIV for JSF.
> Please, I would like to know your opinion about HDIV project.
>
>
> Thanks in Advance,
>
> Roberto Velasco
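Jeff's suggestion to "eat" custom cookies in the filter and add them back on the next request is a server-side-state technique much like the one HDIV applies to hidden fields. The block below is an added example written for this page (not HDIV's code, and not Jeff's implementation) that models it in Python instead of a Java servlet filter; the `CookieVault` class is an assumption standing in for per-session storage, and the cookies are constructed sample values.

```python
"""Model of the "eat the cookie" filter (added example). Outbound application
cookies are kept on the server and the browser only receives an opaque random
token per cookie; inbound, the filter swaps the token back for the stored
value, so a cookie the client altered never reaches the application and is
reported as rejected instead."""
import secrets


class CookieVault:
    """Per-session store standing in for the HttpSession a servlet filter would use."""

    def __init__(self):
        # cookie name -> (token handed to the browser, real value kept on the server)
        self._cookies = {}

    def eat(self, outbound):
        """Outbound filter step: replace each cookie value with a fresh opaque token.

        outbound: dict cookie name -> value the application wants to set.
        Returns the dict of cookies actually sent to the browser.
        """
        sent = {}
        for name, value in outbound.items():
            token = secrets.token_urlsafe(16)
            self._cookies[name] = (token, value)
            sent[name] = token
        return sent

    def restore(self, inbound):
        """Inbound filter step: map tokens back to the real values.

        Returns (restored, rejected): restored holds name -> real value for every
        cookie whose token matches what the server issued; rejected lists cookie
        names that were altered, forged, or never issued in this session.
        """
        restored, rejected = {}, []
        for name, presented in inbound.items():
            issued = self._cookies.get(name)
            # Constant-time comparison on bytes; non-ASCII input is simply unequal.
            if issued is None or not secrets.compare_digest(
                issued[0].encode(), str(presented).encode()
            ):
                rejected.append(name)
            else:
                restored[name] = issued[1]
        return restored, rejected


if __name__ == "__main__":
    vault = CookieVault()
    sent = vault.eat({"role": "user", "theme": "dark"})  # constructed app cookies
    tampered = dict(sent)
    tampered["role"] = "admin"                            # client edits the cookie
    print(vault.restore(tampered))  # ({'theme': 'dark'}, ['role'])
```

Because the browser never holds the real value, there is nothing to tamper with: the only thing it can return is the token, and a mismatch is a clear detection signal rather than a silently accepted "admin". The trade-off is the same as for HDIV's hidden-field state, namely that the values now live in server memory and are lost with the session.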