Data Validation Framework – HDIV at a Glance

July 12, 2013
Blacklock

Security studies have again shown that most web application security attacks (approximately 85% according to Gartner and NIST) originate at the application layer. Validating parameters in the URL, HTTP headers, the HTTP request body and non-editable fields on a page has always been a challenge for developers. We also see many irregularities in fixing parameter manipulation vulnerabilities, i.e. an attacker accessing data of other users or acting on their behalf. The traditional solution suggested and implemented is to map the user role to some hidden variable and then validate it on the server side, but this solution does not work well for everyone.

A Java web application security framework, HDIV (HTTP Data Integrity Validator), is available for Java applications using Struts 1.x, Struts 2.x, Spring MVC and JSTL. The framework guarantees integrity and confidentiality of the data it protects and provides protection against CSRF attacks. The framework divides the HTTP request into two parts:

· Editable data – includes textboxes and textareas

· Non-editable data – includes links, hidden fields, combo values, radio buttons, destination pages, cookies, etc.

Working

HDIV appends a state parameter (_HDIV_STATE_) with a random token value to every request sent to the client. This token value is calculated based on the chosen working strategy, i.e. Hash, Cipher or Memory. The token is used to validate all non-editable page contents on the server side. An HDIV HTTP request looks like:
http://www.host.com/page.do?param1=0&_HDIV_STATE_=46bdsd687ajldfg9100

More importantly, HDIV can also hide or mask the original value of a parameter. Let's say we have an application in which the admin user role is recognised by the parameter role=1001; after implementing HDIV the parameter value will look like role=1 (or any other random value). This technique prevents an attacker from guessing the original value of the parameter.
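A constructed Python model of the memory strategy described above, added here as an illustration and not HDIV's own code: the server stores the expected non-editable parameters of each rendered page under a random token, masks the real values before they reach the client, and on the next request rejects anything whose non-editable parameters no longer match. Class and method names, the masking scheme (positional indices) and the token format are assumptions.

```python
import secrets
from urllib.parse import parse_qs, urlencode

STATE_PARAM = "_HDIV_STATE_"  # name as it appears in the sample URL above


class HdivMemoryState:
    """Per-session store: token -> {param name: {masked value: original value}}."""

    def __init__(self):
        self.states = {}

    def render_link(self, path, non_editable):
        """Build the URL the client sees: masked values plus a random state token."""
        token = secrets.token_hex(10)
        stored, visible = {}, {}
        for index, (name, value) in enumerate(non_editable.items()):
            mask = str(index)            # assumption: mask is the parameter's position
            stored[name] = {mask: value}
            visible[name] = mask
        self.states[token] = stored
        visible[STATE_PARAM] = token
        return f"{path}?{urlencode(visible)}"

    def validate_request(self, url, editable=()):
        """Return the unmasked parameters, or None if the request was tampered with."""
        _path, _, query = url.partition("?")
        params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
        token = params.pop(STATE_PARAM, None)
        expected = self.states.get(token)
        if expected is None:
            return None                  # missing, forged or replayed-from-elsewhere token
        real = {}
        for name, value in params.items():
            if name in editable:
                real[name] = value       # editable data: left to the XML-configured validations
                continue
            original = expected.get(name, {}).get(value)
            if original is None:
                return None              # non-editable parameter added or its value changed
            real[name] = original
        if set(expected) - set(real):
            return None                  # a non-editable parameter was removed
        return real
```

A request that changes the masked role from 0 to 1 is rejected outright, so the real value 1001 is never exposed to guessing.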

HDIV also allows custom validations for the input fields on a page, configured in XML format. Moreover, installing HDIV does not affect your application's configuration.

Performance
Performance is the most important criterion when we choose to add something extra to our application or server. As expected, HDIV also consumes some extra megabytes of server memory, but on a reasonably configured server the impact on response time is unnoticeable. HDIV's performance depends on the chosen working strategy.
Hope this helps your developer to fix many of your web application security problems.
Happy Reading!!!
