Configuration options

General configuration options

Configuration options for Java Agent. They are modifiable using Hdiv Toolbar configuration page or more generally using Java system properties.

For example: 

-Dhdiv.config.dir=/hdiv/configDir
Key Type Description
hdiv.console.level Custom Define the logging level the following options are available
  • OFF
  • SEVERE (default)
  • WARNING
  • INFO
  • FINE
  • FINER
    		•
    hdiv.file.level Custom Define the logging level the following options are available
  • OFF
  • SEVERE
  • WARNING
  • INFO (default)
  • FINE
  • FINER
    		•
    hdiv.log.file.location String Agent log file complete path. For example, /opt/hdiv/logs/agent.log
    hdiv.log.append Boolean Define whether agent traces should be appended during startup or not, by default false
    hdiv.log.file.size Number Log file maximum size in bytes, by default 100000000 (100MB)
    hdiv.config.dir String Path to the config dir where the license is present
    hdiv.console.url String Defines de URL of the Web Console, by default http://localhost:8089/hdiv-console-services
    hdiv.console.token String Authentication token for the environment in the Web Console
    hdiv.server.name String The name that will identify this server in the Web Console
    hdiv.console.timeout String Console communication timeout (ms) , by default 2000
    hdiv.console.validate.certificate Boolean Whether the Web Console certificate should be verified when using https or not, by default true
    hdiv.toolbar.enabled Boolean Whether Hdiv toolbar should be shown or not, when the agent is not configured to communicate with a Web Console it will be always displayed, otherwise by default is false
    hdiv.toolbar.enabled.on.demand Boolean With this parameter Hdiv toolbar could be manually activated in runtime but it is not displayed otherwise, by default false
    hdiv.toolbar.disabled.patterns List A comma separated list, including regular expressions to avoid the toolbar in URLs matching those
    hdiv.trace.queries Boolean Flag to indicate that SQL Queries will be displayed in Hdiv Toolbar, by default true
    hdiv.validation.info Boolean Flag to allow validation info to be displayed on the toolbar when using Hdiv Library Protection, by default true
    hdiv.toolbar.delete.location.change Boolean In some SPA vulnerabilities will not be emptied in the toolbar, they can be manually cleaned with the button in the toolbar or otherwise use this option (but it may have issues depending on the browser used), by default false
    hdiv.toolbar.xhr.header Boolean By default Hdiv toolbar includes (if not present) X-Requested-With header in AJAX calls to identify them, by default true
    hdiv.toolbar.only.in.html.responses Boolean If true, Hdiv toolbar will be included only in responses that have HTML Content-Type and whose content looks like actual HTML. If false, the toolbar will be included in any page with HTML Content-Type or without any Content-Type header and HTML-like content. Defaults to true.
    hdiv.throughput.rate Integer Defines the percent of the requests for which the detection will be activated, by default 100
    hdiv.artifact.detection.additional.disabled Boolean Flag to indicate if additional artifacts (OS, DB & JVM) should be disabled or not, by default false
    hdiv.default.task.time.period Number Time period for all agent communication tasks (in seconds)
    hdiv.metrics.task.time.period Number Time period for metrics task (in seconds), by default 60
    hdiv.security.threats.task.time.period Number Time period for security threads task (in seconds), by default 5
    hdiv.update.config.task.time.period Number Time period for Hdiv library configuration update (in seconds), by default 5
    hdiv.vulnerability.config.task.time.period Number Time period for Hdiv agent configuration update (in seconds), by default 60
    hdiv.rule.info.task.time.period Number Time period for rule configuration update (in seconds), by default 60
    hdiv.excluded.stacks List A comma separated list, including packages that should be avoided in vulnerability stacks
    hdiv.root.app.name String Mandatory name for application deployed on root context path
    hdiv.mandatory.app.name String Mandatory name for any application deployed on this server. If more that one application is deployed, it is possible to define a mapping like the following app_1:First;app_2:Second
    hdiv.js.cache.maxage Number Time in minutes that javascript files are cached on the client with the Cache-Control header. Default value is 30
    hdiv.main.ip.strategy String Strategy to get the main request IP. FORWARDED_IF_PRESENT (default) uses the X-Forwarded-For header if present, while REMOTE uses the remote client IP.
    hdiv.workingMode Custom Defines the working mode for the agent, this usually implies a balance between detection features and performance, the following options are available:
  • FULL_DETECTION:
    • Full features at a performance cost
  • NORMAL:
    • Default balanced value, it could be a valid option in production
  • PRODUCTION:
    • Option for best performance
    hdiv.single.app Boolean A flag to indicate that a single application will be running in the server, it may be required when it is deployed on root context path, default is false
    hdiv.async.taint.tracking Boolean A flag to that vulnerabilities should be tracked in asynchronous threads, it could be enabled at a cost in performance, by default false
    hdiv.dependency.delay Number The delay to process vulnerable libraries after startup in milliseconds, by default 600000, (ten minutes)
    hdiv.always.excluded.classes List Semicolon separated list or type names to exclude from scanning (supports wildcards)

    Custom escape methods

    Hdiv Agent supports most commonly used escape methods by default. In addition to the default methods it is possible to configure additional custom escape methods.

    Custom escape methods are used to sanitize data that is used in application output or sinks, like SQL queries, file access or HTML response.

    The custom escape method should receive the untrusted data as a parameter and return the same value sanitized. The application trust the returned data as safe, so the agent will take it into account and mark the returned value as trusted too.

    In order to create a custom escape method, first create custom.cfg file in Hdiv configuration folder configured with hdiv.config.dir property.

    Example content of custom.cfg file:

    com.sample.CustomScape#escapeOutput#(Ljava/lang/String;)Ljava/lang/String;#XSS
com.sample.CustomScape#encodeSQL#(Ljava/lang/String;)Ljava/lang/String;#SQL_OB

    The file references Java class and methods that implement escape functions. Affected detection rule name is included after the # character.

    The method input parameter is the original value and the returned value contains the sanitized value.

    Sample escape class:

    package com.sample;

class CustomScape{

    public static String escapeOutput(final String value) {
        // Custom code to sanitize the value
        return value;
    }

    public static String encodeSQL(final String sql) {
        // Custom code to sanitize the value.

        // Stop the execution if required
        if (notValidSql(sql)){
            throw now InvalidSqlException();
        }
        return sql;
    }
}

    The complete list of accepted rule names:

    • ADMIN_CONSOLE_ACTIVE
    • ARBITRARY_CODE_EXECUTION
    • ARBITRARY_SOCKET_CONNECTION
    • AUTOCOMPLETE_MISSING
    • AUTOMATED_REAL_TIME_WHITELISTING
    • CACHE_CONTROLS_MISSING
    • CLICKJACKING_CONTROL_MISSING
    • CLIENT_XSS
    • CMD_INJECTION
    • CSP_HEADER_INSECURE
    • CSP_HEADER_MISSING
    • CSRF
    • CUSTOM_INPUT_VALIDATION
    • DEFAULT_HTML_ESCAPE_INVALID
    • DIRECTORY_LISTING_LEAK
    • FORMAT_STRING
    • HARDCODED_KEY
    • HARDCODED_PASSWORD
    • HEADER_INJECTION
    • HSTS_HEADER_MISSING
    • HTML_RESOURCE_INTEGRITY
    • INSECURE_AUTH_PROTOCOL
    • INSECURE_CIPHER
    • INSECURE_CLIENT_DOMAIN
    • INSECURE_COOKIE
    • INSECURE_HASHING
    • INSECURE_JSP_LAYOUT
    • INSECURE_METHOD_PARAMETER
    • LDAP_INJECTION
    • LOG_INJECTION
    • MALICIOUS_BINARY
    • MALICIOUS_BOTS
    • MALICIOUS_IP
    • NO_HTTP_ONLY_COOKIE
    • NO_SAME_SITE_COOKIE
    • NO_SQL_INJECTION
    • PADDING_ORACLE
    • PARAMETER_POLLUTION
    • PATH_TRAVERSAL
    • PCI_CLEAR_PARAMETER_VIOLATION
    • PCI_LOGGING_VIOLATION
    • REFLECTION_INJECTION
    • REGEX_DOS
    • REQUEST_DOS
    • SENSITIVE_DATA_VIOLATION
    • SESSION_COOKIE_NOT_HTTP_ONLY
    • SESSION_REWRITING
    • SESSION_TIMEOUT
    • SQL_INJECTION
    • SSRF
    • STACKTRACE_LEAK
    • TRUST_BOUNDARY_VIOLATION
    • UNTRUSTED_DESERIALIZATION
    • UNVALIDATED_REDIRECT
    • VERB_TAMPERING
    • WEAK_CROSS_DOMAIN_POLICY
    • WEAK_PASSWORD
    • WEAK_RANDOMNESS
    • X_FORWARDED_FOR_SPOOFING
    • XCONTENTTYPE_HEADER_MISSING
    • XPATH_INJECTION
    • XSS
    • XXE
    • XXSSPROTECTION_HEADER_DISABLE

    Special configuration for SQL Injection Order by case:

    • SQL_OB: The method escapes values for SQL injection vulnerability. It is commonly used to fix SQL injections detected in the ORDER BY clause, which are not possible to fix using the usual technique to fix SQL Injections like PreparedStatements.

    Known limitations of custom escape methods:

    • Methods must be static public methods
    • Method must return a String object
    • Method has one or two income parameters