The approach and scope of both web application security frameworks are different. In some of the aspects they can be also complementary solutions that can be used together.
Regarding the approach, HDIV tries to automate security best practices through the integration with web frameworks. In order to implement this approach, HDIV has been integrated within some of the most used Java/JVM web frameworks such as: Spring MVC, Grails, JSF, Struts 1, Struts 2. It is important to note that if your application uses web frameworks tags to render links and forms, HDIV does not require any change within the source code, just a declarative configuration (XML or Java config based configuration).
On the other hand, ESAPI offers a number of utilities (APIs) that developers must use within their source code. In other words, the programmer has to include manually all this utilities in their source code. ESAPI is not web framework dependent and can be used in any web application because it is not integrated with web frameworks.
Regarding the scope, HDIV does not cover some of the features offered by ESAPI and also is limited to the supported web frameworks. It is important to note that some of these features are already covered by web frameworks (Struts, Spring MVC,…) or by solutions like Spring Security:
- Authentication and session management: covered by application servers and Spring Security
- Output Encoding: covered by web frameworks tags (in that case Spring MVC) to avoid XSS (escape functions). Not covered for other kind of encoding like encoding to avoid SQL Injection.
- Cryptographic functions: covered by Spring Security (http://docs.spring.io/spring-security/site/docs/3.1.7.RELEASE/reference/crypto.html) or also ESAPI.
- Parameter-specific input validation: covered by all web frameworks (Struts, Spring MVC, etc.)
HDIV was designed as a complement to the security features offered by Java EE, Spring Security and web frameworks.
In order to understand more deeply the differences between HDIV and ESAPI we will try to compare the features to cover OWASP top 10 web risks with both frameworks. We have included the features included within ESAPI 2.x and ESAPI 3.x at github (https://github.com/ESAPI).
- HDIV: regarding HTTP parameters values, urls and cookies HDIV reduces the risk of this vulnerability to only the data that come from text fields within forms, applying integrity validations for the rest of the data that come from client side (assures the received value is the same as the generated at server side). For text fields included within forms, HDIV offers generic validations (whitelist and blacklist) in order to avoid injection attacks.
- ESAPI: manual input validation for each parameter. This feature is useful but is already offered by almost all web frameworks. In addition to that, SQL encoding features to encode the SQL programmatically before the query execution.
A2-Broken Authentication and Session Management:
- HDIV: does not offer functionalities for this web risk. We recommend to use Spring Security for authentication and the application server features (Servlets specification) for session management.
- ESAPI: offers utilities that must be used programmatically by programmers.
A3-XSS: the same as A1 but in that case to avoid XSS risks.
- HDIV: regarding HTTP parameters values and urls HDIV reduces the risk of this vulnerability to only the data that come from text fields within forms, applying integrity validations for the rest of the data that come from client side (assures the received value is the same as the generated at server side). For text fields included within forms, HDIV offers generic validations (whitelist and blacklist) in order to avoid injection attacks injection attacks. HDIV does not include any output encoding feature and delegate this responsibility to web frameworks tags, in this case Spring MVC.
- ESAPI: includes manual input validation for each parameter. This feature is useful but is already offered by almost all web frameworks. Also offers Output encoding features for output encoding. This encoder must be used by programmers within source code.
A4-Insecure Direct Object References:
- HDIV: controls all the data generated at server side (processed by framework tags) ensuring the integrity of the data and eliminating this risk. Does not require any source code change within supported web frameworks. It is important to note that HDIV supports different methods to manage the recollected information: cipher (the state is sent ciphered within the response), memory (the state is stored within HttpSession), hash (the hash of the state is stored in HttpSession and the content within the web response).
- ESAPI: it is necessary to create a map to include each parameter programmatically and store it in session.
(http://www.jtmelton.com/2010/05/10/the-owasp-top-ten-and-esapi-part-5-insecure-direct-object-reference/). This feature is included within ESAPI 2.x but we have not found within ESAPI 3.x.
- HDIV: doesn’t include specific functionalities for that but does not allow the access to resources not sent by the server previously, avoiding the exploitation of unexpected behaviors or access to private resources.
- ESAPI: We have not found any feature.
A6-Sensitive Data Exposure:
- HDIV: offers confidentiality feature to hide the values of HTTP parameters. HDIV does not offer any cryptographic API.
- ESAPI: offers a cryptographic API to encrypt, decrypt, etc. More detail at:https://github.com/ESAPI/esapi-java-legacy/blob/master/documentation/esapi4java-core-2.0-crypto-design-goals.doc. This features are included within ESAPI 2.x but we have not found within ESAPI 3.x.
A7-Missing Function Level Access Control:
- HDIV: thanks to the integrity validations implemented by HDIV, avoids the exploitation of this web risk and limit the use only URLs generated previously by the server, maintaining the original contract offered by the application.
- ESAPI: offers an API to implement it programmatically. As far as we know It’s similar to the features offered by Spring Security that must be used by programmers within source code to securize each URL.
A8-Cross-Site Request Forgery (CSRF):
- HDIV: adds aleatory tokens to avoid this vulnerability to each form thanks to the HDIV integration with web frameworks form tags.
- ESAPI: offers an API to generate tokens. This tokens must be added by programmers manually to each web form.
A9-Using components with known vulnerabilities:
- HDIV: does not include specific functionalities for that but thanks to the interaction limitations applied by HDIV to the user in many cases is not possible to exploit the known vulnerability.
- ESAPI: We don’t see any feature within the documentation.
A10-Unvalidated redirects and forwards: This vulnerability is mainly related to the manipulation of non editable data or data generated previously at server side and it’s very similar to A4.
- HDIV: controls all the data sent by the server and doesn’t allow the redirection to malicious web sites.
- ESAPI: the solution offered by ESAPI will be the same as the offered for A4 (AccessReferenceMap) that must be used within the source code.