Discussions

News: HTTP Data Integrity Validator - a library to help secure Struts apps

  1. The HDIV project is an Apache-licensed version of Struts that adds data obfuscation in an attempt to hide data values from prying eyes. It sits on top of Struts and is API-compatible with the Struts API, so the benefits of HDIV can be used with any Struts application with no change. It is possible to use HDIV in applications that don't use Struts, but in this case it is necessary to modify the application (JSP pages). The security functionalities added to the original Struts version are:

    INTEGRITY: HDIV guarantees the integrity (no data modification) of all the data generated by the server which should not be modified by the client (links, hidden fields, combo values, radio buttons, destiny pages, etc.). Thanks to this property we avoid all the vulnerabilities based on parameter tampering.

    CONFIDENTIALITY: HDIV guarantees the confidentiality of the data as well. Usually data sent to the client has key information for attackers such as database registry identifiers, column or table names, web directories, etc. All these values are hidden by HDIV to avoid malicious use. For example, a link of this type, http://www.host.com?data1=12&data2=24, is replaced by http://www.host.com?data1=0&data2=1, guaranteeing the confidentiality of the values representing database identifiers. It is also possible to hide the names of the parameters, turning the link into http://www.host.com?0=0&1=1.

    Threaded Messages (11)

  2. GREAT

    HDIV is great. Well done!
  3. Great solution!

    I have worked in web application security since 2000 and I know many methodologies to test an application and a lot about web vulnerabilities. But I still haven't found a secure development framework. Usually Struts is used to develop web applications, but it isn't a secure framework. I think this is the correct approach to solve web application vulnerabilities because it solves the most important vulnerabilities automatically (parameter tampering, SQL injection, XSS), without the interaction of the programmers. I love the way the attacks are logged too, including the user name. Very good work. Congratulations! Alexander
  4. What are the advantages??

    I've seen the documentation and I don't really have an idea of the advantages it can add if the parameters aren't sent in the URL and it uses the HTTPS protocol. Can anybody help me to understand it? Thanks.
  5. Re: What are the advantages??

    The target of HTTPS (SSL) is to secure the communication between the client and the server, but it doesn't do anything with the data sent by the client. The client is able to update all the data sent by the server, also when using SSL. For example, if you are using HTTPS and you have a link within your application like this:

    https://www.myhost.com?data=50

    you can make this request:

    https://www.myhost.com?data=27

    Or if you have a select in a form with your accounts, for example:

    account-46384644
    account-46384558

    you can send a value that is not in the list, for example "433", and view an account of another client. HTTPS doesn't stop these requests because you are allowed to send data to the server (it doesn't know if you have updated it or not). It's the server that has the responsibility to validate the input data.

    HDIV guarantees the integrity (no data modification) of all the data generated by the server (links, hidden fields, combo box values, radio buttons, destiny pages, ...). Thanks to this property we avoid all the vulnerabilities that I have explained in the examples. HDIV sits between the client and your web application and validates all the data sent by the client. If you don't use HDIV or another solution that solves these vulnerabilities, you have to do these validations programmatically for each possible request. I hope this helps you.
  6. Re: What are the advantages??

    Ok, I agree now. I thought that the term "integrity" referred to a third person who sniffs the information and modifies it. Therefore, if the client itself modifies the data, only software like HDIV can solve the problem. I'll try it out to analyze the performance issues. Thank you.
  7. Re: What are the advantages??

    There is a file on the home page, http://www.hdiv.org/docs/hdiv-performance.pdf, about HDIV's performance issues that can be useful.
  8. Struts 2.0 integration

    Hi,

    We're planning to develop the new web applications using Struts 2, but at the same time we'd like to use HDIV. Is it possible to integrate HDIV with Struts 2?

    I've taken a look at the documentation and I saw that the main functionality is based on JSP tags. Finally, I read that it's necessary to add a new controller in the Struts configuration file. If I'm not wrong, this controller class restricts the use to the 1.2.x versions only. If this is true, could you give us some hints about how to implement the migration? In your summary, you say it is not restricted to the Struts framework only.

    Regards
  9. Re: Struts 2.0 integration

    > Hi,
    >
    > We're planning to develop the new web applications using Struts 2, but at the same time we'd like to use HDIV. Is it possible to integrate HDIV with Struts 2?
    >
    > I've taken a look at the documentation and I saw that the main functionality is based on JSP tags. Finally, I read that it's necessary to add a new controller in the Struts configuration file. If I'm not wrong, this controller class restricts the use to the 1.2.x versions only. If this is true, could you give us some hints about how to implement the migration? In your summary, you say it is not restricted to the Struts framework only.
    >
    > Regards

    Agreed, I'd love to see this as a Struts 2 plugin. I took a look at the source code, and it seems to be designed well for embedding in different environments. We are starting to explore Struts 2 plugins that extend the default tag library, and will certainly be doing more of it in 2.1.x. By the way, this has to be one of the most professionally documented projects I've seen in a while. I'm not usually a fan of only PDF docs, but these are just beautiful.
  10. Re: Struts 2.0 integration

    HDIV is composed of two modules: Core and Tags (see: http://www.hdiv.org/docs/api/api.htm). You can reuse the core module with any framework, including of course Struts 2. Currently there are 4 versions of the tags module (only for Struts 1): Struts 1.1, 1.2.4, 1.2.7 and 1.2.9. In order to integrate with Struts 2, it's necessary to develop a new tags module (in that case Struts 2's tags) that uses the HDIV core module. After the first release of HDIV 1.0 we are thinking about HDIV's future roadmap, and Struts 2 is an interesting framework for us. Thanks again for your comments, and if you need more information please tell us.
  11. Great idea!

    Congrats! Great idea to create a framework to do this job transparently … It would have been nice to have had this framework available a couple of months ago :) I just finished creating a custom version, where I extended the Struts tags to use encryption, e.g. … will be like … This mechanism relies solely on the encryption to preserve the data and is only as good as the encryption key is unbreakable. To minimize the risk, the key can be re-generated periodically, during server start-up, etc. Again, I like the idea of having a framework to do the job, and in the future I will give it strong consideration.

    Also, I have a few questions regarding HDIV:

    1. At what stage does the HttpSession get cleaned up of the internal state objects, e.g. "_HDIV_STATE_"?
    2. If the state object "_HDIV_STATE_" is reused, can HDIV work with two browser windows sharing the same sessionId? (assuming after login I open up a new browser inheriting the session)

    Thanks!
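The encryption-based alternative that the post above describes (values in links are replaced by ciphertext, and the scheme is only as strong as the key, so the key is rotated) can be shown in a few lines of Java. This is an added example, not the poster's custom tag code and not HDIV's own cipher strategy; it uses AES-GCM from the standard javax.crypto API, and the class name, the account id and the link format are constructed for the demonstration. Because GCM authenticates the ciphertext, a value that the client edits fails to decrypt instead of resolving to a different record, and after a key rotation every previously issued link stops validating, which is the trade-off the post alludes to.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example (not HDIV code): protect a server-generated parameter value by
// encrypting it with an authenticated cipher, so edits by the client are detected.
public class CipherStrategyDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_BYTES = 12;   // recommended GCM nonce size
    private static final int TAG_BITS = 128;  // authentication tag length

    private SecretKey key;

    CipherStrategyDemo() throws GeneralSecurityException {
        rotateKey();
    }

    // Generate a fresh key. Every link issued under the previous key stops
    // validating, which is what "re-generate the key periodically" implies.
    void rotateKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        key = kg.generateKey();
    }

    // Server side: turn the real value into an opaque, URL-safe token (iv || ciphertext || tag).
    String protect(String plainValue) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plainValue.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Request side: recover the original value, or null if the token was altered,
    // truncated, or issued under a key that has since been rotated.
    String unprotect(String token) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(token);
            if (in.length < IV_BYTES + TAG_BITS / 8) {
                return null;
            }
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
            byte[] pt = c.doFinal(in, IV_BYTES, in.length - IV_BYTES);
            return new String(pt, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null; // bad tag (tampering or wrong key) or malformed base64
        }
    }

    public static void main(String[] args) throws Exception {
        CipherStrategyDemo demo = new CipherStrategyDemo();
        String token = demo.protect("46384644");             // constructed account id
        System.out.println("link: account.do?id=" + token);   // constructed link format
        System.out.println("untouched token : " + demo.unprotect(token));

        // Client edits one character of the token: the GCM tag no longer verifies
        char[] edited = token.toCharArray();
        int mid = edited.length / 2;
        edited[mid] = (edited[mid] == 'A') ? 'B' : 'A';
        System.out.println("edited token    : " + demo.unprotect(new String(edited)));

        // Key rotation invalidates links that were issued earlier
        demo.rotateKey();
        System.out.println("after rotation  : " + demo.unprotect(token));
    }
}
```

The design choice to note is that plain (unauthenticated) encryption would not give integrity: a client could still flip ciphertext bits and have the server act on a different decrypted value. The authenticated mode is what makes "only as good as the key" the sole remaining assumption.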
  12. Re: Great idea!

    Thanks for your post!

    Session management: the user can set the maximum number of cacheable states in memory. When the maximum cache size is reached, the states that have been in memory the longest are deleted and replaced by the new states of the last visited pages. This can affect the pages accessed via the back button in a browser, because some of them may not work as they have been deleted from the cache. So, it is recommended to set a high value for applications where the back button is frequently used. In addition to that, we don't use big objects in the HttpSession. Instead we use many little objects (one per request) because it optimizes session replication for clustering environments.

    Reusing _HDIV_STATE_: you can reuse a state without any problem, even with two browsers at the same time. But you have to take into account (if you define a cache) that if you make a request with an old state (for example one cached in your browser) that has already been deleted from the server cache, your request will be rejected. To avoid that problem: don't use the cache, use the cipher strategy, or force a refresh at the clients.
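Two points in this thread fit one worked example: the server-side validation from post 5 (links and select options are rewritten to indices, and any value the server did not emit is rejected) and the bounded per-session state cache from post 12 (one small state object per request, oldest evicted first, so a request carrying an evicted state is rejected). The Java below is an added illustration of that stateful strategy and is not HDIV's implementation; only the parameter name _HDIV_STATE_ comes from the thread, while the class names, the cache size, the `viewAccount.do` action and the account ids are constructed for the demo.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example (not HDIV code): server-side state for integrity validation.
public class StateStrategyDemo {
    // Request parameter carrying the state id (name taken from the thread)
    static final String STATE_PARAM = "_HDIV_STATE_";

    // What the server emitted for one page: parameter -> allowed values.
    // A link parameter has one entry; a select has one entry per option.
    static final class PageState {
        final Map<String, List<String>> allowed = new LinkedHashMap<>();
    }

    // Per-session cache of at most maxStates page states; when it is full the
    // oldest state is evicted (the back-button caveat from post 12).
    static final class SessionStateCache {
        private final int maxStates;
        private final LinkedHashMap<String, PageState> states = new LinkedHashMap<>();
        private long nextId = 1;

        SessionStateCache(int maxStates) { this.maxStates = maxStates; }

        String store(PageState state) {
            if (states.size() >= maxStates) {
                states.remove(states.keySet().iterator().next()); // evict the oldest
            }
            String id = Long.toString(nextId++);
            states.put(id, state);
            return id;
        }

        PageState lookup(String id) { return id == null ? null : states.get(id); }
    }

    // Server side: register the page's data and build a link that exposes only
    // indices into the allowed lists (real values never reach the client).
    static String renderLink(SessionStateCache cache, String action, Map<String, List<String>> data) {
        PageState state = new PageState();
        StringBuilder url = new StringBuilder(action).append('?');
        for (Map.Entry<String, List<String>> e : data.entrySet()) {
            state.allowed.put(e.getKey(), new ArrayList<>(e.getValue()));
            url.append(e.getKey()).append("=0&"); // single-valued link parameter -> index 0
        }
        url.append(STATE_PARAM).append('=').append(cache.store(state));
        return url.toString();
    }

    // Request side: resolve submitted indices back to the server's values.
    // Returns null whenever the request carries anything the server did not emit.
    static Map<String, String> validate(SessionStateCache cache, Map<String, String> request) {
        PageState state = cache.lookup(request.get(STATE_PARAM));
        if (state == null) return null;                         // missing, forged or evicted state
        Map<String, String> resolved = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : request.entrySet()) {
            if (e.getKey().equals(STATE_PARAM)) continue;
            List<String> allowed = state.allowed.get(e.getKey());
            if (allowed == null) return null;                   // parameter the page never had
            int idx;
            try {
                idx = Integer.parseInt(e.getValue());
            } catch (NumberFormatException ex) {
                return null;                                    // not an index at all
            }
            if (idx < 0 || idx >= allowed.size()) return null;  // index outside the emitted options
            resolved.put(e.getKey(), allowed.get(idx));
        }
        return resolved;
    }

    // Small helper to build a request map from key/value pairs
    private static Map<String, String> req(String... kv) {
        Map<String, String> m = new LinkedHashMap<>();
        for (int i = 0; i < kv.length; i += 2) m.put(kv[i], kv[i + 1]);
        return m;
    }

    public static void main(String[] args) {
        SessionStateCache session = new SessionStateCache(2);  // deliberately tiny cache

        // A link whose only parameter is a constructed account id
        Map<String, List<String>> page = new LinkedHashMap<>();
        page.put("account", Arrays.asList("46384644"));
        String link = renderLink(session, "viewAccount.do", page);
        System.out.println("rendered link   : " + link);

        System.out.println("index 0         : " + validate(session, req("account", "0", STATE_PARAM, "1")));
        System.out.println("edited index    : " + validate(session, req("account", "7", STATE_PARAM, "1")));
        System.out.println("extra parameter : " + validate(session, req("account", "0", "admin", "0", STATE_PARAM, "1")));
        System.out.println("unknown state   : " + validate(session, req("account", "0", STATE_PARAM, "99")));

        // A select with two options (post 5's example): only indices 0 and 1 are acceptable
        PageState form = new PageState();
        form.allowed.put("account", Arrays.asList("46384644", "46384558"));
        String formState = session.store(form);
        System.out.println("option 1        : " + validate(session, req("account", "1", STATE_PARAM, formState)));
        System.out.println("value 433       : " + validate(session, req("account", "433", STATE_PARAM, formState)));

        // Two more page renders push state 1 out of the cache, so the first link
        // (say, reached through the back button) is now rejected
        renderLink(session, "viewAccount.do", page);
        renderLink(session, "viewAccount.do", page);
        System.out.println("evicted state   : " + validate(session, req("account", "0", STATE_PARAM, "1")));
    }
}
```

The validation deliberately rejects the whole request on the first anomaly rather than dropping the offending parameter, because a partially accepted request would let a tampered field silently disappear; logging the rejection with the user name, as post 3 praises, is the natural place to hook detection.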