HDIV Struts Security Extension Addresses OWASP's Top Security Vulnerabilities

Posted by Scott Delap on Apr 05, 2007

Sections

Development,

Architecture & Design

Topics

Java ,

Security

Tags

HDIV ,

Struts

The HDIV project recently released version 1.1. HDIV is an Apache-licensed Struts' Security extension that adds security functionalities to Struts 1.x, maintaining the API and Struts specification. HDIV validates both editable data coming from the client such as text field input and non editable information such as inks, hidden fields, combo values, radio buttons, and destiny pages.

This release is centered around cookies and editable data validation:

- Cookie confidentiality and integrity validation.

- Editable data validation (textbox and textarea): HDIV eliminates to a large extent the risk originated by attacks of type Cross-site scripting (XSS) and SQL Injection using generic validations of the editable data (text and textarea). The user will have to configurate generic validations through rules in XML format, reducing or eliminating the risk against attacks based on the defined restrictions.

The HDIV website also contains an extensive powerpoint presentation on how HDIV addresses the Open Web Application Security Project's top 10 website security vulnerabilities.  InfoQ sat down with project lead Roberto Velasco Sarasola to discuss the project.  In response to the motivation behind HDIV's creation he commented:

I have been auditing web applications for several years. They all typically have the same vulnerabilities such as XSS, Sql injection and parameter tampering, mainly because developers are not aware of the risk of this type of vulnerabilities, especially with non editable data (selects, hiddens, links,..).

Struts is the main Java web framework and did not have a transparent approach to addressing these vulnerabilities. Struts validator can be used as a step in the right direction but it doesn´t solve data integrity and confidentiality problem.

InfoQ then asked about HDIV integration with other web frameworks such as JSF:

We are presently working on a Struts 2 version and already have done an internal release.  We hope to have a public beta release next month. The core of the project is the same as the Struts version. The only difference is in the custom tags, which now extend from Struts 2 custom tags.

We are working as well on a JSF version, but taking the time to carefully integrate our features into the JSF architectural design. We expect to have a beta release in two months time. In that case we are focusing the work on vulnerable components (Hidden, Command Link,Outputlink) , cookie validation, and directory traversal vulnerability. After that we will start with data confidentialtiy.

Finally InfoQ asked about the future plans for HDIV:

The focus areas remain the same: integrity & confidentiality of non editable data and generic validations for editable data. The task is to extend our techniques to integrate with other frameworks (Struts2, JSF, AJAX tags). We are also working on new features as well, for example:

• automatization of validations for editable data
• administration web tool (log visualization, configuration,...)
• alerts generation (SMS; email)

• Older >