
Covered OWASP Top 10 risks




A1

INJECTION

SQL injection risk stems from SQL queries that have not been parametrized (that is, built without a PreparedStatement in Java environments). Hdiv first minimizes the amount of untrusted data: its web information flow control system prevents the manipulation of data generated on the server side, so the remaining risk is confined to new data legitimately entered in editable form fields. Note that even when a PreparedStatement is used, a query based on untrusted data that was originally generated on the server side (e.g. the ID of an item within a list) still carries an SQL injection risk.

In addition, Hdiv implements an internal system that detects SQL injection risks within source code.

RISK COVERED

A2

BROKEN AUTHENTICATION AND SESSION MANAGEMENT

Hdiv does not include a parallel authentication system, delegating this responsibility to application servers.

RISK COVERED

A3

XSS

XSS risk stems from HTML output that includes unescaped untrusted data. Hdiv first minimizes the amount of untrusted data through the web information flow control system it implements, which confines the remaining risk to new data legitimately entered in editable form fields.

In addition, Hdiv implements an internal system that detects XSS risks within source code.

RISK COVERED

A4

INSECURE DIRECT OBJECT REFERENCE

This risk comes from the manipulation or updating of data previously generated on the server side. For instance, the server sends the client a list with an ID for each item; the client alters an ID and tries to access an item it is not allowed to see. Hdiv checks all data generated on the server side and ensures its integrity. There is also an option to keep server-generated data confidential, so that critical information (credit card numbers, etc.) is never displayed.

RISK COVERED

A5

SECURITY MISCONFIGURATION

Current application security architectures are not secure by default: programmers must apply security measures themselves to prevent access to private or confidential resources. The information flow control system implemented by Hdiv controls the resources (links and forms) exposed by the application and prevents the original contract issued by the server from being broken. In other words, even when the programmer does not use an access control system or ACL (Java EE or Spring Security), Hdiv knows which resources are legitimately accessible to each user.

RISK PARTIALLY COVERED

A6

SENSITIVE DATA EXPOSURE

Hdiv offers confidentiality for all data generated on the server side. That is, Hdiv replaces the original parameter values generated by the server with relative values (0, 1, 2, ...) so that critical data is not exposed to the client.

RISK PARTIALLY COVERED

A7

MISSING FUNCTION LEVEL ACCESS CONTROL

As described under A5, current application security architectures are not secure by default and rely on programmers to protect private or confidential resources. Hdiv's information flow control system controls the resources (links and forms) exposed by the application and prevents the server's original contract from being broken, so even without an access control system or ACL (Java EE or Spring Security) Hdiv knows which resources are legitimately accessible to each user.

RISK COVERED

A8

CSRF

Hdiv adds a random token to each link and form in the application, which makes a CSRF attack extremely difficult to mount because the attacker cannot know the token value. To offer a high level of security, Hdiv does not use a single random token per session; it creates a new token for each requested page. Even the tokens used by links and forms within the same page differ, so a link token cannot be reused to submit a form. One token is created for data retrieval requests (the GET, HEAD, TRACE and OPTIONS HTTP methods) and another for data modification (POST, PATCH, PUT and DELETE).

RISK COVERED
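The mechanism described under A4, A6 and A8 above, as an added, simplified model written for this page (not Hdiv's own code): server-generated values leave the server only as relative indices, each rendered page is recorded in the session with one fresh token for retrieval requests and a different one for modifying requests, and a request is resolved back to real values only if it stays within what that page exposed. The session store, function names and the editable-field pass-through are assumptions.

```python
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "TRACE", "OPTIONS"}   # data retrieval; all others modify data

@dataclass
class PageState:
    """Server-side record of one rendered page (constructed model): a token for
    retrieval requests, a different token for modifying requests, the real values
    the server placed in links/forms (indexed by position) and the editable fields."""
    get_token: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    post_token: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    params: dict = field(default_factory=dict)
    editable: set = field(default_factory=set)

def render_page(session, server_values, editable=()):
    """Build the client-visible page: every server-generated value is replaced by
    its relative index (0, 1, 2, ...) and fresh tokens are minted for this page."""
    state = PageState(params={k: list(v) for k, v in server_values.items()},
                      editable=set(editable))
    page_id = secrets.token_urlsafe(8)
    session[page_id] = state            # hypothetical session store: page_id -> state
    visible = {k: list(range(len(v))) for k, v in state.params.items()}
    return page_id, state, visible

def validate_request(session, page_id, method, token, submitted):
    """Map a request back to real values. Returns None when the request breaks the
    contract of the page that was served: unknown page, wrong or reused token,
    unknown parameter, or an index the page never listed (the IDOR case)."""
    state = session.get(page_id)
    if state is None:
        return None
    expected = state.get_token if method in SAFE_METHODS else state.post_token
    if not token or not secrets.compare_digest(token, expected):
        return None
    resolved = {}
    for name, value in submitted.items():
        if name in state.editable:
            resolved[name] = value      # user-typed input: still untrusted, so the
            continue                    # application must validate/parametrize it
        values = state.params.get(name)
        if values is None or not value.isdigit() or int(value) >= len(values):
            return None
        resolved[name] = values[int(value)]
    return resolved
```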

A9

USING COMPONENTS WITH KNOWN VULNERABILITIES

Although Hdiv cannot update outdated versions of the software used by web applications, its web information flow control system impedes the exploitation of known and unknown vulnerabilities within that software. In many cases (see the Struts cancel vulnerability) the risk relies on using the web application in an unexpected way. Hdiv does not allow the original contract to be broken, so existing vulnerabilities become more difficult to exploit.

RISK COVERED

A10

UNVALIDATED REDIRECTS AND FORWARDS

This vulnerability mainly involves the manipulation of data previously generated on the server side. Hdiv controls all data coming from the server, preventing redirection to malicious websites.

RISK COVERED



Hdiv repels 90% of the application security risks included in the OWASP Top 10.