Posted to user@struts.apache.org by go...@hdiv.org on 2007/06/20 19:04:59 UTC

HDIV for Struts2

Hi all,

The HDIV project is an Apache-licensed Struts security extension that adds security
functionality to Struts while maintaining the Struts API and specification.
This means that HDIV can be used in applications developed in Struts in a way
that is transparent to the programmer and without adding any complexity to
application development.

The security functionalities added to the original Struts versions (Struts 1.x &
Struts 2) are these:

INTEGRITY: HDIV guarantees the integrity (no data modification) of all the data
generated by the server which should not be modified by the client (links,
hidden fields, combo values, radio buttons, destination pages, etc.).

EDITABLE DATA VALIDATION: HDIV largely eliminates the risk arising from
Cross-site scripting (XSS) and SQL Injection attacks by applying generic
validations to the editable data (text and textarea).

CONFIDENTIALITY: HDIV guarantees the confidentiality of non-editable data as
well. Usually much of the data sent to the client contains key information for
attackers, such as database record identifiers, column or table names, web
directories, etc. All these values are hidden by HDIV to avoid malicious use
of them. For example, a link of this type, http://www.host.com?data1=12&data2=24,
is replaced by http://www.host.com?data1=0&data2=1, guaranteeing the confidentiality
of the values representing database identifiers.


HDIV 1.3 has just been released, including Struts2 support. HDIV's project core
is the same for Struts1 and Struts2.

A new tag module has been added for Struts 2.0.6 tag support. You can have a
look at it at http://www.hdiv.org

In addition to that, there is a quick introduction to HDIV using the OWASP
Top Ten 2007 as a reference at http://www.hdiv.org/docs/hdiv.ppt

Regards,

Gorka Vicente Martiarena
