Configuration options¶
General configuration options¶
Configuration options for Java Agent. They are modifiable using Hdiv Toolbar configuration page or more generally using Java system properties.
For example:
-Dhdiv.config.dir=/hdiv/configDir
| Key | Type | Description |
|---|---|---|
| hdiv.console.level | Custom | Define the logging level the following options are available |
| hdiv.file.level | Custom | Define the logging level the following options are available |
| hdiv.log.append | Boolean | Define whether agent traces should be appended during startup or not, by default false |
| hdiv.config.dir | String | Path to the config dir where the license is present |
| hdiv.console.url | String | Defines de URL of the Web Console, by default http://localhost:8089/hdiv-console-services |
| hdiv.console.token | String | Authentication token for the environment in the Web Console |
| hdiv.server.name | String | The name that will identify this server in the Web Console |
| hdiv.console.validate.certificate | Boolean | Whether the Web Console certificate should be verified when using https or not, by default true |
| hdiv.toolbar.enabled | Boolean | Whether Hdiv toolbar should be shown or not, when the agent is not configured to communicate with a Web Console it will be always displayed, otherwise by default is false |
| hdiv.toolbar.enabled.on.demand | Boolean | With this parameter Hdiv toolbar could be manually activated in runtime but it is not displayed otherwise, by default false |
| hdiv.toolbar.disabled.patterns | List | A comma separated list, including regular expressions to avoid the toolbar in URLs matching those |
| hdiv.trace.queries | Boolean | Flag to indicate that SQL Queries will be displayed in Hdiv Toolbar, by default true |
| hdiv.validation.info | Boolean | Flag to allow validation info to be displayed on the toolbar when using Hdiv Library Protection, by default true |
| hdiv.toolbar.delete.location.change | Boolean | In some SPA vulnerabilities will not be emptied in the toolbar, they can be manually cleaned with the button in the toolbar or otherwise use this option (but it may have issues depending on the browser used), by default false |
| hdiv.toolbar.xhr.header | Boolean | By default Hdiv toolbar includes (if not present) X-Requested-With header in AJAX calls to identify them, by default true |
| hdiv.toolbar.only.in.html.responses | Boolean | By default Hdiv toolbar is included only in HTML responses, however this check can be disabled, by default true |
| hdiv.workingMode | Custom | Defines the working mode for the agent, this usually implies a balance between detection features and performance, the following options are available: |
| hdiv.throughput.rate | Integer | Defines the percent of the requests for which the detection will be activated, by default 100 |
| hdiv.artifact.detection.additional.disabled | Boolean | Flag to indicate if additional artifacts (OS, DB & JVM) should be disabled or not, by default false |
| hdiv.all.threats.time.period | Number | Time period for all agent communication tasks (in seconds) |
| hdiv.metrics.task.time.period | Number | Time period for metrics task (in seconds), by default 5 |
| hdiv.security.threads.task.time.period | Number | Time period for security threads task (in seconds), by default 5 |
| hdiv.excluded.stacks | List | A comma separated list, including packages that should be avoided in vulnerability stacks |
| hdiv.single.app | Boolean | A flag to indicate that a single application will be running in the server, it may be required when it is deployed on root context path, default is false |
| hdiv.root.app.name | String | Mandatory name for application deployed on root context path |
| hdiv.mandatory.app.name | String | Mandatory name for any application deployed on this server. If more that one application is deployed, it is possible to define a mapping like the following app_1:First;app_2:Second |
| hdiv.async.taint.tracking | Boolean | A flag to that vulnerabilities should be tracked in asynchronous threads, it could be enabled at a cost in performance, by default false |
| hdiv.dependency.delay | Number | The delay to process vulnerable libraries after startup in milliseconds, by default 600000, (ten minutes) |
Custom escape methods¶
Hdiv Agent supports most commonly used escape methods by default. In addition to the default methods it is possible to configure custom escape methods.
Custom escape methods are used to sanitize values that are included in application output or other places, like SQL queries.
In order to create a custom escape method, first create custom.cfg file in Hdiv configuration folder configured with hdiv.config.dir property.
Example content of custom.cfg file:
com.sample.CustomScape#escapeOutput#(Ljava/lang/String;)Ljava/lang/String;#XSS com.sample.CustomScape#encodeSQL#(Ljava/lang/String;)Ljava/lang/String;#SQL_OB
The file references Java class and methods that implement escape functions. The method input parameter is the original value and the returned value contains the sanitized value.
There are two types of escape methods:
- XSS: The method escapes values for XSS vulnerability. This kind of methods escape HTML, Json or JavaScript characters.
- SQL_OB: The method escapes values for SQL injection vulnerability. It is commonly used to fix SQL injections detected in the
ORDER BYclause, which are not possible to fix using the usual technique to fix SQL Injections like PreparedStatements.
Sample escape class:
package com.sample; class CustomScape{ public static String escapeOutput(final String value) { // Custom code to sanitize the value return value; } public static String encodeSQL(final String sql) { // Custom code to sanitize the value. // Stop the execution if required if (notValidSql(sql)){ throw now InvalidSqlException(); } return sql; } }