Gorka Vicente ([email protected]) writes "The HDIV project is an Apache-licensed Struts security extension that adds security functionality to Struts while maintaining the Struts API and specification. This means that HDIV can be used in applications developed in Struts in a way that is transparent to the programmer and adds no complexity to application development.
The security functionalities added to the original Struts version are these:
INTEGRITY: HDIV guarantees the integrity (no data modification) of all data generated by the server that should not be modified by the client (links, hidden fields, combo values, radio buttons, destination pages, etc.).
CONFIDENTIALITY: HDIV also guarantees the confidentiality of non-editable data. Much of the data sent to the client usually contains key information for attackers, such as database registry identifiers, column or table names, web directories, etc. All these values are hidden by HDIV to prevent their malicious use. For example, a link such as http://www.host.com?data1=12&data2=24 is replaced by http://www.host.com?data1=0&data2=1, guaranteeing the confidentiality of the values representing database identifiers.
The new release includes a number of new features centered around cookies and editable data validation:
* Cookie confidentiality and integrity validation.
* Editable data validation (textbox and textarea): HDIV largely eliminates the risk arising from Cross-site scripting (XSS) and SQL injection attacks by applying generic validations to editable data (text and textarea). The user configures these generic validations through rules in XML format, reducing or eliminating the risk of attacks based on the defined restrictions.
In addition, there is also a quick introduction to HDIV that uses the OWASP Top Ten 2007 as a reference: http://www.hdiv.org/docs/hdiv.ppt"
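As an added illustration of the mechanism behind the integrity and confidentiality guarantees and the editable-data rules described in the submission (this is example code written for this page, not HDIV's own code, and it is not part of the original post), the following standalone Python sketch keeps a per-page server-side state: every server-generated parameter value is replaced by an opaque index in the rendered link (so data1=12&data2=24 becomes data1=0&data2=1), the real values are recovered from that state on the next request, and any index that was never issued for that page, or that belongs to a different parameter, is rejected. Editable fields are checked against a regular expression standing in for HDIV's XML rules. The state parameter name `_HDIV_STATE_`, the index scheme and the rule syntax are assumptions for the illustration, not a description of HDIV's implementation.

```python
import re
import secrets
from urllib.parse import parse_qsl, urlencode

# Name of the parameter carrying the page-state id (assumed for this example).
STATE_PARAM = "_HDIV_STATE_"


class PageState:
    """Server-side record of what one rendered page is allowed to send back."""

    def __init__(self):
        self.state_id = secrets.token_hex(8)
        # Position i holds (param_name, real_value); the client only ever sees i.
        self.index_to_value = []
        # Editable fields: param_name -> compiled rule the submitted value must match.
        self.editable_rules = {}

    def non_editable(self, name, value):
        """Register a server-generated value and return the opaque index sent to the client."""
        self.index_to_value.append((name, str(value)))
        return str(len(self.index_to_value) - 1)

    def editable(self, name, pattern):
        """Declare a user-editable field and the rule its value must satisfy."""
        self.editable_rules[name] = re.compile(pattern)


class StateStore:
    """Per-session store of page states (a dict standing in for the HTTP session)."""

    def __init__(self):
        self._states = {}

    def new_state(self):
        state = PageState()
        self._states[state.state_id] = state
        return state

    def get(self, state_id):
        return self._states.get(state_id)


def render_link(state, base_url, params):
    """Build a link whose real values are replaced by indices, plus the state id."""
    query = [(name, state.non_editable(name, value)) for name, value in params]
    query.append((STATE_PARAM, state.state_id))
    return f"{base_url}?{urlencode(query)}"


def validate_request(store, query_string):
    """Map indices back to real values and check editable fields; raise on tampering."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    state = store.get(params.pop(STATE_PARAM, ""))
    if state is None:
        raise ValueError("unknown or missing page state")
    real = {}
    for name, value in params.items():
        if name in state.editable_rules:
            # Editable data: confidentiality/integrity do not apply, the rule does.
            if not state.editable_rules[name].fullmatch(value):
                raise ValueError(f"editable field {name!r} violates its rule")
            real[name] = value
            continue
        # Non-editable data: the value must be an index issued for this page...
        if not value.isdigit() or int(value) >= len(state.index_to_value):
            raise ValueError(f"parameter {name!r}: index {value!r} was not issued for this page")
        issued_name, issued_value = state.index_to_value[int(value)]
        # ...and it must have been issued for this very parameter, not another one.
        if issued_name != name:
            raise ValueError(f"parameter {name!r}: index {value!r} belongs to another parameter")
        real[name] = issued_value
    return real


def is_rejected(store, query_string):
    """True if validate_request refuses the query (used to exercise tampering cases)."""
    try:
        validate_request(store, query_string)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    store = StateStore()
    page = store.new_state()
    page.editable("comment", r"[A-Za-z0-9 .,!?]{0,200}")
    # Constructed sample: the server renders a link carrying two database ids.
    link = render_link(page, "http://www.host.com/show", [("data1", 12), ("data2", 24)])
    print(link)
    query = link.split("?", 1)[1]
    print(validate_request(store, query + "&comment=hello+world"))
    for tampered in (query.replace("data1=0", "data1=12"),
                     query.replace("data1=0", "data1=1"),
                     query + "&comment=%3Cscript%3E"):
        print(tampered, "->", "rejected" if is_rejected(store, tampered) else "accepted")
```

In a real deployment the store would live in the user's session and states would expire with it; the essential point the example shows is that the client never learns or chooses the real identifiers, so both modification (integrity) and disclosure (confidentiality) of non-editable data are prevented by the same server-side mapping.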