HDIV:HTTP Data Integrity Validator

Original post, 2007-09-20 16:14:00
http://www.hdiv.org/


We can briefly define HDIV as a Java Web Application Security Framework. HDIV extends web applications’ behaviour by adding security functionality while maintaining the API and the framework specification. This implies that we can use HDIV in applications developed in Struts 1.x, Struts 2.x, Spring MVC and JSTL in a way that is transparent to the programmer and adds no complexity to application development. It is possible to use HDIV in applications that don’t use Struts 1.x, Struts 2.x, Spring MVC or JSTL, but in this case it is necessary to modify the application (JSP pages).
(We can briefly define HDIV as a Java web application security framework. HDIV extends the behaviour of web applications by adding security functionality while keeping the same API and application specification. This means we can use HDIV transparently in applications developed with Struts 1.x, Struts 2.x, Spring MVC and JSTL, without adding complexity to application development. HDIV can also be used in applications that do not use Struts 1.x, Struts 2.x, Spring MVC or JSTL, but in that case the application (JSP pages) must be modified.)

The security functionalities added to the web applications are these:
The three security functionalities added to web applications are as follows:
INTEGRITY: HDIV guarantees the integrity (no data modification) of all the data generated by the server that should not be modified by the client (links, hidden fields, combo values, radio buttons, destination pages, etc.). Thanks to this property, HDIV helps to eliminate most of the vulnerabilities based on parameter tampering.

EDITABLE DATA VALIDATION: HDIV largely eliminates the risk of Cross-site scripting (XSS) and SQL Injection attacks by applying generic validations to the editable data (text and textarea fields).

CONFIDENTIALITY: HDIV also guarantees the confidentiality of the non-editable data. Much of the data sent to the client often carries key information for attackers, such as database record identifiers, column or table names, web directories, etc. HDIV hides all these values to prevent their malicious use. For example, a link of this type, http://www.host.com?data1=12&data2=24, is replaced by http://www.host.com?data1=0&data2=1, guaranteeing the confidentiality of the values representing database identifiers. It is also possible to hide the parameter names, turning the link into http://www.host.com?0=0&1=1.
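The three properties above (integrity of non-editable parameters, generic validation of editable ones, and confidentiality through index substitution) can be illustrated with a small server-side simulation. The following is an added example written for this page, not HDIV's own code: it keeps the real parameter values of every generated link in a server-side state store, hands the client only positional indices plus a state id, and on the way back maps the indices to the real values, rejecting any request whose indices, parameter set or editable values do not match what the server generated. The `_state` parameter name, the position-based index scheme and the allow-list regex for editable fields are assumptions of this simulation, not the framework's actual configuration.

```python
"""Simulation of HDIV-style integrity and confidentiality checks (added example)."""
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical name of the state-id parameter appended to every protected link;
# the real framework's parameter name is not taken from this page.
STATE_PARAM = "_state"

# Assumed generic allow-list for editable (text / textarea) values: word characters,
# whitespace and a little punctuation, at most 256 characters.
EDITABLE_PATTERN = re.compile(r"[\w\s.,@-]{0,256}")


class StateStore:
    """Server-side (session-scoped) memory of the links and forms the server generated."""

    def __init__(self):
        self._states = {}

    def protect(self, url, editable=(), hide_names=False):
        """Rewrite a server-generated link or form action.

        Every non-editable parameter value is replaced by its position in the link
        (and, with hide_names=True, the parameter name is replaced the same way), so
        the client never sees the real values. Editable field names are recorded so
        that validate() knows which parameters the user may fill in freely.
        """
        parts = urlsplit(url)
        params = parse_qsl(parts.query, keep_blank_values=True)
        state_id = secrets.token_hex(8)
        self._states[state_id] = {
            "params": params,            # real (name, value) pairs, kept server-side
            "editable": tuple(editable),
            "hide_names": hide_names,
        }
        public = []
        for idx, (name, _real_value) in enumerate(params):
            public.append((str(idx) if hide_names else name, str(idx)))
        public.append((STATE_PARAM, state_id))
        return urlunsplit(parts._replace(query=urlencode(public)))

    def validate(self, request_url):
        """Map a received request back to the real values, or raise ValueError.

        Rejects: an unknown state id, a non-editable parameter whose index was
        changed or is missing, an unexpected extra parameter, and an editable value
        that fails the generic allow-list. (Duplicate names: last value wins.)
        """
        received = dict(parse_qsl(urlsplit(request_url).query, keep_blank_values=True))
        state = self._states.get(received.pop(STATE_PARAM, None))
        if state is None:
            raise ValueError("missing or unknown state id")
        restored = {}
        for idx, (name, real_value) in enumerate(state["params"]):
            public_name = str(idx) if state["hide_names"] else name
            if received.pop(public_name, None) != str(idx):
                raise ValueError(f"non-editable parameter {name!r} missing or tampered")
            restored[name] = real_value
        for name in state["editable"]:
            value = received.pop(name, "")
            if not EDITABLE_PATTERN.fullmatch(value):
                raise ValueError(f"editable parameter {name!r} failed validation")
            restored[name] = value
        if received:
            raise ValueError(f"unexpected parameters: {sorted(received)}")
        return restored

    def accepts(self, request_url):
        """True when validate() would accept the request, False when it rejects it."""
        try:
            self.validate(request_url)
        except ValueError:
            return False
        return True


if __name__ == "__main__":
    store = StateStore()
    # Constructed sample link, the one used in the text above.
    link = store.protect("http://www.host.com?data1=12&data2=24")
    print(link)                                               # data1=0&data2=1&_state=...
    print(store.validate(link))                               # {'data1': '12', 'data2': '24'}
    print(store.accepts(link.replace("data1=0", "data1=7")))  # False: tampered index
    print(store.protect("http://www.host.com?data1=12&data2=24", hide_names=True))
```

The store is what makes the indices safe to expose: an index carries no information on its own, and changing it either points at a value the server itself generated or fails validation, so the client can neither read nor forge the underlying identifiers. Editable fields are the one place the client may supply data, which is why they get the allow-list check instead of the index comparison.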
