News: HDIV (HTTP Data Integrity Validator) 1.1 released

  1. The [url=http://www.hdiv.org]HDIV project[/url] is an Apache-licensed Struts security extension that adds security functionalities to Struts, maintaining the API and Struts specification. This implies that we can use HDIV in applications developed in Struts in a way that is transparent to the programmer and without adding any complexity to the application development. The security functionalities added to the original Struts version are these:
    INTEGRITY: HDIV guarantees integrity (no data modification) of all the data generated by the server which should not be modified by the client (links, hidden fields, combo values, radio buttons, destination pages, etc.).
    CONFIDENTIALITY: HDIV guarantees the confidentiality of non-editable data as well. Usually lots of the data sent to the client has key information for the attackers such as database registry identifiers, column or table names, web directories, etc. All these values are hidden by HDIV to avoid a malicious use of them. For example a link of this type, http://www.host.com?data1=12&data2=24, is replaced by http://www.host.com?data1=0&data2=1, guaranteeing confidentiality of the values representing database identifiers.
    The new release includes a number of new features centered around cookies and editable data validation:
    • Cookie confidentiality and integrity validation.
    • Editable data validation (textbox and textarea): HDIV eliminates to a large extent the risk originated by attacks of type Cross-site scripting (XSS) and SQL Injection using generic validations of the editable data (text and textarea). The user will have to configure generic validations through rules in XML format, reducing or eliminating the risk against attacks based on the defined restrictions.
    In addition, there is also a [url=http://www.hdiv.org/docs/hdiv.ppt]quick introduction[/url] about HDIV using the OWASP top ten 2007 as a reference.
  2. This seems fairly neat, for data that is UI specific, i.e. my cookie, some random hidden fields that may support my web application. Is there a way this could be ported to validating a domain model outside of a web context, similar to HibernateValidator? My only issue w/ HV is it requires tying your domain model to Hibernate Validator. It would be awesome if I could somehow inject validation behaviour in, vs layering it on top. It couples the validator technology to my domain.
  3. No, HDIV is always integrated with the presentation tier, in this case Struts. I think you are talking about a different type of validation. For example, if you have a bean with an integer attribute like this: public class User { int age; } and within the web page you have a hidden field to store it: Your domain validation is enough to ensure the attribute type, in this case an int, but how do you know that the client doesn't tamper with the value of the hidden parameter? In other words, how can you assure the hidden parameter's integrity? Keep in mind that a client can update all the data sent to the server, including hidden fields, link parameters, combo values, etc. You can't validate it with the traditional validation approach. For this type of issue (application level attacks) you need an integrity validator like HDIV or a custom validation for each possible request.
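A small model of the integrity and confidentiality mechanism described in the announcement (post 1) and the hidden-field tampering problem in the reply above (post 3), written as an added Python example rather than HDIV's own Java code: non-editable parameter values are swapped for per-page indexes and recovered server-side, editable fields are checked against a rule, and anything the server did not emit is rejected. The state-token name `_state`, the rule for the `comment` field and the in-memory state store are assumptions made for this example, not HDIV's configuration or parameter names.

```python
import re
from urllib.parse import urlencode, parse_qs, urlsplit, urlunsplit
# Constructed for this example: a rule for one editable field and the name of the
# state token parameter. Neither is HDIV's own configuration syntax or name.
EDITABLE_RULES = {"comment": re.compile(r"[\w .,!?-]{0,200}")}
STATE_PARAM = "_state"

class IntegrityValidator:
    def __init__(self):
        self._states = {}  # state id -> {param name: {index: original value}}
    def encode_url(self, url):
        """Rewrite a server-generated link so the client only sees indexes."""
        parts = urlsplit(url)
        state, emitted, n = {}, [], 0
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            if name in EDITABLE_RULES:  # editable data travels unchanged
                emitted.extend((name, v) for v in values)
                continue
            for v in values:  # non-editable: client gets an index, not the value
                state.setdefault(name, {})[str(n)] = v
                emitted.append((name, str(n)))
                n += 1
        state_id = str(len(self._states))
        self._states[state_id] = state
        emitted.append((STATE_PARAM, state_id))
        return urlunsplit(parts._replace(query=urlencode(emitted)))

    def validate(self, query_string):
        """Map a request back to real values; raise ValueError on tampering."""
        query = parse_qs(query_string, keep_blank_values=True)
        state = self._states.get(query.pop(STATE_PARAM, [None])[0])
        if state is None:
            raise ValueError("missing or unknown state token")
        decoded = {}
        for name, values in query.items():
            if name in EDITABLE_RULES:
                if not all(EDITABLE_RULES[name].fullmatch(v) for v in values):
                    raise ValueError(f"editable field {name!r} failed its rule")
            elif name not in state or not all(v in state[name] for v in values):
                raise ValueError(f"parameter {name!r} tampered or unexpected")
            else:
                values = [state[name][v] for v in values]
            decoded[name] = values
        return decoded

def is_valid(validator, query_string):
    try:  # True when the request passes integrity and rule validation
        return validator.validate(query_string) is not None
    except ValueError:
        return False
```

Because the client only ever holds indexes, a request carrying the real database identifier (or any value the server never emitted for that page) is rejected before it reaches the domain model, which is the check that bean-level type validation cannot perform.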