struts-user mailing list archives

From "Musachy Barroso" <musa...@gmail.com>
Subject Re: HDIV (Http Data Integrity Validator) 1.1 Released
Date Mon, 02 Apr 2007 17:45:33 GMT
Any plans for a Struts 2 port?

regards
musachy

On 4/2/07, roberto@hdiv.org <roberto@hdiv.org> wrote:
>
> Hi all,
>
> The HDIV project is an Apache-licensed Struts security extension that adds
> security functionality to Struts 1.x, maintaining the API and Struts
> specification. This implies that we can use HDIV in applications developed
> in Struts in a way that is transparent to the programmer and without adding
> any complexity to the application development.
>
> The security functionalities added to the original Struts version are these:
>
> INTEGRITY: HDIV guarantees integrity (no data modification) of all the data
> generated by the server which should not be modified by the client (links,
> hidden fields, combo values, radio buttons, destination pages, etc.).
>
> CONFIDENTIALITY: HDIV guarantees the confidentiality of non-editable data as
> well. Usually lots of the data sent to the client has key information for the
> attackers such as database registry identifiers, column or table names, web
> directories, etc. All these values are hidden by HDIV to avoid a malicious use
> of them. For example a link of this type,
> http://www.host.com?data1=12&data2=24
> is replaced by http://www.host.com?data1=0&data2=1, guaranteeing
> confidentiality of the values representing database identifiers.
>
> The new release includes a number of new features centered around cookies and
> editable data validation:
>
> - Cookie confidentiality and integrity validation.
>
> - Editable data validation (textbox and textarea): HDIV eliminates to a large
> extent the risk originated by attacks of type Cross-site scripting (XSS) and
> SQL Injection using generic validations of the editable data (text and
> textarea). The user will have to configure generic validations through rules
> in XML format, reducing or eliminating the risk against attacks based on the
> defined restrictions.
>
> You can have a look at it at http://www.hdiv.org
>
> In addition to that there is a quick introduction about HDIV using OWASP
> top ten 2007 as reference at http://www.hdiv.org/docs/hdiv.ppt.
>
> Regards,
>
> Roberto Velasco Sarasola
>


-- 
"Hey you! Would you help me to carry the stone?" Pink Floyd
