List-Id: "Struts Users Mailing List"
Date: Tue, 3 Apr 2007 09:27:12 +0200
From: roberto@hdiv.org
To: user@struts.apache.org
Subject: Re: HDIV (Http Data Integrity Validator) 1.1 Released

Yes, we are working on it now. We think it will be released soon, maybe next
month.

Regards,

Roberto Velasco Sarasola

> On 4/2/07, Musachy Barroso wrote:
> Any plans for a Struts 2 port?
>
> regards
> musachy
>
> On 4/2/07, roberto@hdiv.org wrote:
> >
> > Hi all,
> >
> > HDIV project is an Apache-licensed Struts' Security extension that adds
> > security functionalities to Struts 1.x, maintaining the API and Struts
> > specification. This implies that we can use HDIV in applications
> > developed in Struts in a transparent way to the programmer and without
> > adding any complexity to the application development.
> >
> > The security functionalities added to the original Struts version are
> > these:
> >
> > INTEGRITY: HDIV guarantees integrity (no data modification) of all the
> > data generated by the server which should not be modified by the client
> > (links, hidden fields, combo values, radio buttons, destiny pages, etc.).
> >
> > CONFIDENTIALITY: HDIV guarantees the confidentiality of non editable
> > data as well. Usually lots of the data sent to the client has key
> > information for the attackers such as database registry identifiers,
> > column or table names, web directories, etc. All these values are hidden
> > by HDIV to avoid a malicious use of them. For example a link of this
> > type, http://www.host.com?data1=12&data2=24 is replaced by
> > http://www.host.com?data1=0&data2=1, guaranteeing confidentiality of the
> > values representing database identifiers.
> >
> > New release includes a number of new features centered around cookies
> > and editable data validation:
> >
> > - Cookie confidentiality and integrity validation.
> >
> > - Editable data validation (textbox and textarea): HDIV eliminates to a
> > large extent the risk originated by attacks of type Cross-site scripting
> > (XSS) and SQL Injection using generic validations of the editable data
> > (text and textarea). The user will have to configure generic validations
> > through rules in XML format, reducing or eliminating the risk against
> > attacks based on the defined restrictions.
> >
> > You can have a look at it at http://www.hdiv.org
> >
> > In addition to that there is a quick introduction about HDIV using OWASP
> > top ten 2007 as reference at http://www.hdiv.org/docs/hdiv.ppt.
> >
> > Regards,
> >
> > Roberto Velasco Sarasola

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
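
The index substitution described in the announcement (data1=12&data2=24 rendered as data1=0&data2=1), shown as an added illustration that is not part of the original message and is not HDIV's code. The class, record and method names are hypothetical, the values are constructed from the announcement's example link, and the message does not say how HDIV itself stores this state; the code assumes Java 16 or later.

```java
import java.util.ArrayList;
import java.util.List;

// Illustration only (not HDIV code): server-side state that hands the client
// an opaque index instead of the real value of a non-editable parameter, and
// accepts a request only if the index was really issued for that parameter.
public class LinkStateDemo {
    // Hypothetical per-session entry: which parameter a stored value belongs to.
    record Entry(String param, String value) {}

    private final List<Entry> issued = new ArrayList<>();

    // Render time: keep the real value on the server, return only its position.
    String protect(String param, String realValue) {
        issued.add(new Entry(param, realValue));
        return Integer.toString(issued.size() - 1);
    }

    // Request time: map the index back, rejecting anything the server did not issue.
    String restore(String param, String clientValue) {
        int idx;
        try {
            idx = Integer.parseInt(clientValue);
        } catch (NumberFormatException e) {
            throw new SecurityException("non-numeric state for " + param);
        }
        if (idx < 0 || idx >= issued.size() || !issued.get(idx).param().equals(param)) {
            throw new SecurityException("state not issued for " + param);
        }
        return issued.get(idx).value();
    }

    public static void main(String[] args) {
        LinkStateDemo session = new LinkStateDemo();
        // Constructed input: the database identifiers from the announcement's link.
        String link = "http://www.host.com?data1=" + session.protect("data1", "12")
                    + "&data2=" + session.protect("data2", "24");
        System.out.println("rendered link: " + link);
        System.out.println("data1 on the server: " + session.restore("data1", "0"));
        // A client that edits the value, or reuses another parameter's index, is refused.
        for (String tampered : new String[] {"13", "1", "12' OR '1'='1"}) {
            try {
                session.restore("data1", tampered);
            } catch (SecurityException e) {
                System.out.println("rejected data1=" + tampered + ": " + e.getMessage());
            }
        }
    }
}
```

Because the client only ever holds positions in a server-side list, the real identifiers never leave the server, and a modified link fails the lookup instead of reaching the application logic.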