
HDIV:HTTP Data Integrity Validator

http://www.hdiv.org/


We can briefly define HDIV as a Java Web Application Security Framework. HDIV extends web applications' behaviour by adding security functionalities while maintaining the API and the framework specification. This implies that we can use HDIV in applications developed in Struts 1.x, Struts 2.x, Spring MVC and JSTL in a way that is transparent to the programmer and adds no complexity to application development. It is possible to use HDIV in applications that don't use Struts 1.x, Struts 2.x, Spring MVC or JSTL, but in that case it is necessary to modify the application (JSP pages).

HDIV adds three security functionalities to web applications:
INTEGRITY: HDIV guarantees the integrity (no data modification) of all the data generated by the server that should not be modified by the client (links, hidden fields, combo values, radio buttons, destination pages, etc.). Thanks to this property, HDIV helps to eliminate most of the vulnerabilities based on parameter tampering.

EDITABLE DATA VALIDATION: HDIV eliminates to a large extent the risk of Cross-site scripting (XSS) and SQL Injection attacks by applying generic validations to the editable data (text and textarea fields).

CONFIDENTIALITY: HDIV also guarantees the confidentiality of the non-editable data. Much of the data sent to the client carries information that is valuable to an attacker, such as database record identifiers, column or table names, web directories, etc. HDIV hides all these values to prevent their malicious use. For example, a link of the form http://www.host.com?data1=12&data2=24 is replaced by http://www.host.com?data1=0&data2=1, keeping the values that represent database identifiers confidential. It is also possible to hide the parameter names, turning the link into http://www.host.com?0=0&1=1.
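To make the three mechanisms concrete, the following is an added example, not HDIV's own code, written in Python rather than Java for brevity. A server-side `LinkProtector` records the non-editable parameters it generated for a page, hands the client only per-parameter indices (optionally with the parameter names hidden as well) plus a state identifier, and on the way back rejects any parameter, value or state it never issued. Free-text fields, which cannot be pinned to a state, get a generic content validation instead. The state parameter name `_STATE_`, the `LinkProtector` class, the `comment` field and its allowed-character pattern are all assumptions made for this example; HDIV's real parameter names, state storage and validation rule set differ, and its example numbers the two values 0 and 1 whereas this code indexes each parameter's allowed values separately.

```python
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical name for the parameter that carries the server-side state id
# (constructed for this example, not HDIV's real parameter name).
STATE_PARAM = "_STATE_"

# Editable (free-text) fields are not part of the integrity state; they get a
# generic content check instead. Field name and pattern are constructed examples.
EDITABLE_FIELDS = {"comment": re.compile(r"[\w .,!?-]{0,200}")}


class TamperError(Exception):
    """Raised when a request does not match what the server issued."""


class LinkProtector:
    """Server-side store of the non-editable parameters each generated page carries."""

    def __init__(self, hide_names=False):
        self.hide_names = hide_names
        self._states = {}  # state_id -> list of (real_name, [allowed real values])

    def protect(self, url, allowed=None):
        """Rewrite a server-generated URL so the client only sees indices.

        `allowed` may widen a parameter to several acceptable values (the
        options of a select box); the value in the URL must be one of them.
        Returns the URL with each value replaced by its index in that
        parameter's allowed list and a state id appended.
        """
        parts = urlsplit(url)
        params = parse_qsl(parts.query, keep_blank_values=True)
        record, shown = [], []
        for i, (name, value) in enumerate(params):
            values = list((allowed or {}).get(name, [value]))
            if value not in values:
                raise ValueError(f"{name}={value!r} is not among its allowed values")
            record.append((name, values))
            shown_name = str(i) if self.hide_names else name
            shown.append((shown_name, str(values.index(value))))
        state_id = secrets.token_hex(8)
        self._states[state_id] = record
        shown.append((STATE_PARAM, state_id))
        return urlunsplit(parts._replace(query=urlencode(shown)))

    def validate(self, url):
        """Check an incoming request against the stored state and recover real values.

        Raises TamperError for an unknown state, a missing or extra non-editable
        parameter, an index outside the allowed list, or an editable field whose
        content fails its validation. Returns {real_name: real_value}.
        """
        parts = urlsplit(url)
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        record = self._states.get(params.pop(STATE_PARAM, None))
        if record is None:
            raise TamperError("unknown or missing state")
        real = {}
        for i, (name, values) in enumerate(record):
            shown_name = str(i) if self.hide_names else name
            if shown_name not in params:
                raise TamperError(f"missing parameter {shown_name}")
            idx = params.pop(shown_name)
            # Integrity: the client may only choose among values the server offered.
            if not idx.isdigit() or int(idx) >= len(values):
                raise TamperError(f"tampered value for {name}: {idx!r}")
            real[name] = values[int(idx)]
        # Editable data validation: anything left must be a known free-text field
        # whose content matches the generic pattern.
        for name, value in params.items():
            rule = EDITABLE_FIELDS.get(name)
            if rule is None:
                raise TamperError(f"unexpected parameter {name}")
            if not rule.fullmatch(value):
                raise TamperError(f"editable field {name} failed validation")
            real[name] = value
        return real


def query_params(url):
    """Helper for inspecting what the client actually sees in a protected link."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


if __name__ == "__main__":
    p = LinkProtector()
    link = p.protect("http://www.host.com/show?data1=12&data2=24")
    print("client sees:", link)
    print("server recovers:", p.validate(link))
    try:
        p.validate(link.replace("data1=0", "data1=12"))
    except TamperError as e:
        print("rejected:", e)
```

The point the code makes is that the real identifiers never leave the server: the client can only pick an index the server listed, so replaying a real value, guessing a neighbouring id, or adding a parameter the page never offered all fail the integrity check, while free-text fields are still admitted but filtered.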