The Open Web Application Security Project (OWASP) is a worldwide, nonprofit organization focused on improving the security of software. It functions as an online community that creates freely available articles, methodologies, documentation, tools, and technologies.
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
| OWASP Top 10 (2017) | Risk |
|---|---|
| A3 | Sensitive Data Exposure |
| A4 | XML External Entities (XXE) |
| A5 | Broken Access Control |
| A7 | Cross-Site Scripting (XSS) |
| A9 | Using Components with Known Vulnerabilities |
| A10 | Insufficient Logging & Monitoring |
SQL injection arises from SQL queries that are not parametrized (i.e. built without a PreparedStatement in Java environments). Hdiv first minimizes the amount of untrusted data that can reach a query: its web information flow control system prevents the client from manipulating data generated on the server side, so the only remaining untrusted input is new data entered legitimately through editable form fields. Note that a PreparedStatement protects only the values that are actually bound as parameters: if a value that originated on the server (e.g. the ID of an item in a list) is tampered with by the client and then concatenated into the query text, or placed in a position that cannot be bound such as a table name or an ORDER BY column, an SQL injection risk remains.
In addition Hdiv implements an internal system that detects SQL Injection risks within source code.
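The following is an added illustration, not code from Hdiv or from the original page, showing the point above in Python with SQLite: a tampered server-generated item ID injected through a concatenated query, the same value rendered harmless by parameter binding, and a non-bindable position (an ORDER BY column name) handled with a server-side allow-list. The table, its rows and the request values are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application's data store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", [
        (1, "public report", "alice"),
        (2, "private notes", "bob"),
        (3, "salary sheet", "carol"),
    ])
    return conn


def find_item_vulnerable(conn, item_id):
    """The id was generated by the server for a list page, but the client can
    send back anything; concatenation makes it part of the SQL text."""
    sql = "SELECT name FROM items WHERE id = " + item_id
    return [row[0] for row in conn.execute(sql)]


def find_item_bound(conn, item_id):
    """Same lookup with the value bound as a parameter: the engine treats it as
    data, so a tampered value simply matches nothing."""
    sql = "SELECT name FROM items WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (item_id,))]


# Identifiers cannot be bound as parameters, so a client-chosen sort column
# must be resolved against a fixed allow-list before it touches the query.
ALLOWED_ORDER = {"id", "name"}


def list_items_ordered(conn, order_by):
    if order_by not in ALLOWED_ORDER:
        raise ValueError("unexpected sort column: %r" % order_by)
    sql = "SELECT name FROM items ORDER BY " + order_by
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print(find_item_vulnerable(db, "1 OR 1=1"))   # every row leaks
    print(find_item_bound(db, "1 OR 1=1"))        # no match
    print(list_items_ordered(db, "name"))
```

The bound version does not make the tampered ID legitimate; it only stops it from being parsed as SQL. Whether the client was ever entitled to request that ID is the separate integrity question addressed in the sections below.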
Hdiv offers several features to minimize sensitive data exposure. It applies confidentiality to all data generated on the server side: original parameter values are replaced by relative values (0, 1, 2, etc.) so that critical data is never exposed to the client. Additionally, Hdiv can hide sensitive data partially or completely depending on the user profile, keep track of each user's access to it, and detect errors such as credit card numbers being sent in plain text.
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files through the file URI handler, reach internal file shares, perform internal port scanning, achieve remote code execution, and mount denial of service attacks.
Hdiv actively protects applications against XML External Entities (XXE) attacks.
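As an added example that is not Hdiv's code or part of the original page, the usual parser-side defence against the attack described above: refuse any DOCTYPE in untrusted input, so that neither external nor internal entities can be declared at all. This uses Python's stdlib expat bindings; the XXE document is a constructed sample of the classic payload shape and the file path inside it is illustrative.

```python
import xml.parsers.expat as expat

# Constructed sample: an external entity pointing at a local file via file://.
XXE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<order><note>&xxe;</note></order>"""

# Constructed benign document from the same hypothetical API.
BENIGN_DOC = b"""<?xml version="1.0"?><order><note>ship to warehouse</note></order>"""


class DoctypeRejected(ValueError):
    pass


def parse_untrusted_xml(data):
    """Parse with expat, aborting as soon as a DOCTYPE appears.

    Returns a list of (tag, text) pairs in end-tag order; the shape of the
    result is arbitrary, the point is the handler that fires on a DOCTYPE.
    """
    parser = expat.ParserCreate()
    result = []
    stack = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Without a DOCTYPE there is no place to declare an entity, external
        # or internal, so this single check covers XXE and entity expansion.
        raise DoctypeRejected("DOCTYPE declarations are not accepted in untrusted input")

    def on_start(tag, attrs):
        stack.append([tag, ""])

    def on_end(tag):
        result.append(tuple(stack.pop()))

    def on_chars(text):
        # expat may deliver character data in several chunks; join them.
        if stack:
            stack[-1][1] += text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return result


def is_rejected(data):
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except DoctypeRejected:
        return True
    return False


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_DOC))
    print(is_rejected(XXE_DOC))
```

Rejecting the DOCTYPE outright is the same policy as the disallow-doctype-decl feature on Java XML parsers; it is stricter than turning off external entities alone, and is the right default when the application never needs a DTD.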
Hdiv's flow control ensures data integrity and so nullifies this risk: the web information flow control system controls all data generated on the server side and guarantees that it comes back from the client unmodified. An additional option provides confidentiality for server-generated data, avoiding exposure of critical values such as credit card numbers. Because every server-generated value that the client should not modify (links, hidden fields, combo values, radio buttons, etc.) is integrity-checked, Hdiv helps to eliminate the vulnerabilities that parameter tampering would otherwise exploit.
Current application security architectures are not secure by default: programmers must add explicit security measures to prevent access to private or confidential resources. The information flow control system implemented by Hdiv controls the resources (links and forms) that the application exposes and prevents the client from breaking the contract originally offered by the server. In other words, even when the developer does not use an access control system or ACL (Java EE or Spring Security), Hdiv knows which resources each user may legitimately access.
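The relative-value substitution, integrity check and server-side contract described in the sensitive data exposure and access control sections above, as an added example in Python that is not Hdiv's implementation: a page renders server-generated item IDs as relative indices backed by a random per-page state token, and each incoming request is resolved against that recorded state, so anything the server never offered is refused. The state store is an in-memory dict; tying it to the user's session is assumed, and the URL layout and parameter names are hypothetical.

```python
import secrets

# Constructed server-side store: state token -> list of real values offered on
# that page. A real deployment would scope this to the authenticated session.
_page_states = {}


def render_item_links(item_ids):
    """Render links for server-generated ids, substituting the relative
    position (0, 1, 2, ...) for the real value and remembering the mapping.

    item_ids is whatever the application decided this user may see; the
    client never learns the real ids, and the server later accepts only
    positions that exist in this list."""
    state_id = secrets.token_urlsafe(16)
    _page_states[state_id] = list(item_ids)
    links = ["/item?_s=%s&id=%d" % (state_id, pos) for pos in range(len(item_ids))]
    return state_id, links


def resolve_request(params):
    """Validate an incoming request against the state recorded at render time.

    Returns the real item id, or raises PermissionError when the request breaks
    the contract: unknown state, non-numeric index, or an index never offered."""
    state = _page_states.get(params.get("_s", ""))
    if state is None:
        raise PermissionError("unknown or expired page state")
    try:
        pos = int(params.get("id", ""))
    except ValueError:
        raise PermissionError("id is not a relative index") from None
    if not 0 <= pos < len(state):
        raise PermissionError("index %d was never offered on this page" % pos)
    return state[pos]


if __name__ == "__main__":
    sid, links = render_item_links([1042, 7])
    print(links)                                     # ids appear as 0 and 1
    print(resolve_request({"_s": sid, "id": "1"}))   # 7
    try:
        resolve_request({"_s": sid, "id": "1042"})   # guessing the real id fails
    except PermissionError as e:
        print("rejected:", e)
```

Two properties fall out of this shape: the real identifiers never reach the client (confidentiality), and a request can only name a value that the server itself rendered for that user (integrity, and therefore access control without a separate ACL rule for each resource).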
XSS risks arise from HTML output that is generated with unescaped untrusted data. Hdiv first minimizes the existence of untrusted data through the web information flow control system it implements, which reduces the risk to new data entered legitimately through editable form fields.
In addition, Hdiv implements an internal system that detects XSS risks within source code.
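For the residual case above, data typed into an editable field and later written into HTML, the following added Python example (not Hdiv's code and not from the original page) shows the unescaped rendering beside its escaped form, and the extra care an attribute and a URL need. The payload and display names are constructed; the page fragment and helper names are hypothetical.

```python
import html

# Constructed untrusted input: a display name submitted through a form field.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def greeting_vulnerable(display_name):
    """The untrusted value is dropped straight into element content."""
    return "<p>Welcome, " + display_name + "</p>"


def greeting_escaped(display_name):
    """html.escape turns & < > " ' into entities, so the browser renders the
    payload as text instead of parsing it as a tag."""
    return "<p>Welcome, " + html.escape(display_name) + "</p>"


def profile_link(display_name, url):
    """Attribute context: the attribute is quoted and quotes inside the value
    are escaped (html.escape does this by default). Escaping alone does not
    stop a javascript: URL in href, so the scheme is checked separately."""
    if not url.lower().startswith(("http://", "https://")):
        url = "#"
    return '<a href="%s" title="%s">%s</a>' % (
        html.escape(url),
        html.escape(display_name),
        html.escape(display_name),
    )


if __name__ == "__main__":
    print(greeting_vulnerable(PAYLOAD))   # the <img> tag survives
    print(greeting_escaped(PAYLOAD))      # rendered as literal text
    print(profile_link("bob", "javascript:alert(1)"))
```

Escaping is context-specific: element content, quoted attributes, URLs and inline JavaScript each need their own rule, which is why output encoding belongs in the template layer rather than being applied ad hoc at each call site.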
This is a technical risk that concerns how the application uses serialization, either directly or through existing framework facilities. At a technical level it is a form of code injection that is triggered when the affected piece of data is deserialized.
Hdiv offers protection for Insecure Deserialization attacks by default, detecting any attack that tries to execute remote code based on this vulnerability.
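To make the injection described above concrete, an added Python example that is not Hdiv's code or part of the original page: a pickle payload whose reduce hook makes the loader call an attacker-chosen callable, and a restricted unpickler that refuses any global outside an allow-list. The gadget deliberately names builtins.len rather than os.system so that the unrestricted load is harmless to run while still demonstrating that deserialization executed attacker-chosen code; the payload and allow-list are constructed for the example.

```python
import builtins
import io
import pickle


class Gadget:
    """Any object whose __reduce__ returns (callable, args) makes pickle.loads
    call that callable on load. A real attack names os.system or similar; this
    constructed gadget names len so the demonstration is safe to execute."""

    def __reduce__(self):
        return (len, ("attacker controlled",))


def craft_payload():
    return pickle.dumps(Gadget())


def benign_payload():
    """Constructed legitimate data of the kind the application expects."""
    return pickle.dumps({"a": [1, 2]})


def load_unrestricted(data):
    """What a naive endpoint does: every global named in the stream resolves."""
    return pickle.loads(data)


# Hardening: only these (module, name) pairs may be resolved from the stream.
SAFE_GLOBALS = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def load_restricted(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_payload_rejected(data):
    """True if the restricted loader refuses the stream."""
    try:
        load_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    payload = craft_payload()
    print(load_unrestricted(payload))      # 19: len() ran with attacker args
    print(is_payload_rejected(payload))    # True
    print(load_restricted(benign_payload()))
```

Allow-listing the resolvable globals closes the gadget path for this format; the more general lesson is that a native serialization format that can name arbitrary classes should never be used for data that crosses a trust boundary.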
Although Hdiv cannot update out-of-date versions of the software used by web applications, its web information flow control system impedes the exploitation of known and unknown vulnerabilities in that software. In many cases (see the Struts cancel vulnerability) the risk depends on an unexpected use of the web application; because Hdiv does not allow the original contract to be broken, such risks become much harder to exploit.
Hdiv provides a centralized monitoring web console with real-time visibility into actual attacks. It logs actionable information about attacks and suspicious activity and sends alerts through several channels: email, syslog, Slack, etc. It integrates with third-party systems such as task management solutions (JIRA, Asana, EasyVista) and SIEM (Security Information and Event Management) systems, providing better management of detected incidents and a faster response to attacks.