Optional Features

.NET Profiler Chaining

Hdiv makes use of CLR Profiling. Only one profiler can be attached at a time, so Hdiv provides a Profiler Chaining feature that allows more than one profiler to run at the same time and supports most APM tools.

Profiler Chaining Configuration

Important

The main configured profiler must be the Hdiv Agent.

Environment variables used to configure Profiler Chaining:

Full Framework

Name Value
HDIV_AGENT_COR_PROFILER_CHAINED [FFW Chained Profiler CLSID]
HDIV_AGENT_COR_PROFILER_CHAINED_PATH_64 [FFW Chained Profiler 64-bit file path]
HDIV_AGENT_COR_PROFILER_CHAINED_PATH_32 [FFW Chained Profiler 32-bit file path]

.NET Core

Name Value
HDIV_AGENT_CORECLR_PROFILER_CHAINED [Core Chained Profiler CLSID]
HDIV_AGENT_CORECLR_PROFILER_CHAINED_PATH_64 [Core Chained Profiler 64-bit file path]
HDIV_AGENT_CORECLR_PROFILER_CHAINED_PATH_32 [Core Chained Profiler 32-bit file path]

Disable Chaining

To disable chaining, undefine these variables, set this property in env.properties:

hdiv.net.ast.profiler.chaining.disabled=true

or set this environment variable:

Name Value
HDIV_NET_AST_PROFILER_CHAINING_DISABLED true

Custom escape methods

Hdiv Agent supports most commonly used escape methods by default. In addition to the default methods it is possible to configure additional custom escape methods.

Custom escape methods are used to sanitize data that reaches application output or sinks, such as SQL queries, file access or HTML responses.

The custom escape method should receive the untrusted data as a parameter and return the same value sanitized. The application trusts the returned data as safe, so the agent takes this into account and marks the returned value as trusted too.

Remark

Right now .NET only supports custom escape methods that sanitize strings for XSS vulnerabilities.

To create a custom escape method, first create a custom.net.cfg file in the Hdiv Agent folder (usually c:\Hdiv\Agent).

Example content of custom.net.cfg file:

# Custom Escape Methods
# Format of each line should be Assembly|Type::Method

SampleAssembly|CustomMethods.CustomEscapeMethods::EscapeHtml(System.String)
SampleAssembly|CustomMethods.CustomEscapeMethods::EscapeHtml(System.Int32,System.String)

The file references the .NET assembly, class and methods (static or instance) that implement the escape functions.

The method's first string input parameter is the original value, and the return value is the sanitized value.

Sample escape class in assembly SampleAssembly.dll:

using System;

namespace CustomMethods
{
    class CustomEscapeMethods
    {
        // Instance method: matches EscapeHtml(System.String) in custom.net.cfg
        public string EscapeHtml(string value) 
        {
            string res = value;
            // Custom code to sanitize the value
            //...
            return res;
        }

        // Static method: matches EscapeHtml(System.Int32,System.String) in custom.net.cfg
        public static string EscapeHtml(int count, string value) 
        {
            string res = value;
            // Custom code to sanitize the value
            //...
            return res;
        }
    }
}
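
Because the agent marks whatever a listed method returns as trusted, each line of custom.net.cfg is worth checking before deployment. The linter below is an added example, not part of Hdiv or its documentation; it assumes the line grammar inferred from the two sample entries above (a parenthesized, comma-separated list of CLR type names) and that # lines and blank lines are ignored. The name lint_custom_cfg and the sample input are constructed for illustration.

```python
import re

# Assumed grammar, inferred from the two sample lines on this page:
#   Assembly|Namespace.Type::Method(ParamType[,ParamType...])
LINE_RE = re.compile(
    r"^(?P<assembly>[^|\s]+)\|(?P<type>[A-Za-z_][\w.]*)::"
    r"(?P<method>[A-Za-z_]\w*)\((?P<params>[^()]*)\)$"
)

def lint_custom_cfg(text):
    """Return (entries, problems) for the contents of a custom.net.cfg file."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments, as in the page's sample file
        m = LINE_RE.match(line)
        if m is None:
            problems.append((lineno, "not in Assembly|Type::Method(params) form"))
            continue
        params = [p.strip() for p in m["params"].split(",") if p.strip()]
        # The page says the first string parameter carries the untrusted value,
        # so a signature with no System.String parameter cannot be an escaper.
        if "System.String" not in params:
            problems.append((lineno, "no System.String parameter to sanitize"))
            continue
        entry = (m["assembly"], m["type"], m["method"], tuple(params))
        if entry in entries:
            problems.append((lineno, "duplicate entry"))
            continue
        entries.append(entry)
    return entries, problems

# Constructed sample: the page's two lines plus three deliberately broken ones.
SAMPLE_CFG = """\
# Custom Escape Methods
SampleAssembly|CustomMethods.CustomEscapeMethods::EscapeHtml(System.String)
SampleAssembly|CustomMethods.CustomEscapeMethods::EscapeHtml(System.Int32,System.String)
SampleAssembly|CustomMethods.CustomEscapeMethods.EscapeHtml(System.String)
SampleAssembly|CustomMethods.CustomEscapeMethods::Truncate(System.Int32)
SampleAssembly|CustomMethods.CustomEscapeMethods::EscapeHtml(System.String)
"""

if __name__ == "__main__":
    ok, bad = lint_custom_cfg(SAMPLE_CFG)
    for assembly, type_name, method, params in ok:
        print(f"OK   {assembly}: {type_name}::{method}({', '.join(params)})")
    for lineno, reason in bad:
        print(f"BAD  line {lineno}: {reason}")
```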