Difference between HDIV and ESAPI

Kumar picture Kumar · Jan 7, 2015 · Viewed 6.9k times · Source

I am planing to develop a web application using Spring MVC and trying to figure out which is the best library to use to over come Top 10 OWASP issue. I came to see two HDIV and ESAPI, can any one please help me to understand the difference between them.

Thank you for your help.

Answer

rbelasko picture rbelasko · Jan 20, 2015

First of all I think the approach and scope of both web application security frameworks is different. In some of the aspects they can be also complementary solutions that can be used together.

Regarding the approach, HDIV tries to automate security best practices through the integration with web frameworks. In order to implement this approach, HDIV has been integrated within some of the most used Java/JVM web frameworks such as: Spring MVC, Grails, JSF, Struts 1, Struts 2. It’s important to note that if your application uses web frameworks tags to render links and forms, HDIV does not require any change within the source code, just a declarative configuration (XML or Java config based configuration).

On the other hand, ESAPI offers a number of utilities (APIs) that developers must use within their source code. In other words, the programmer has to include manually all this utilities in their source code. ESAPI is not web framework dependent and can be used in any web application because it's not integrated with web frameworks.

Regarding the scope, HDIV does not cover some of the features offered by ESAPI and also is limited to the supported web frameworks. It's important to note that some of these features are already covered by web frameworks (Struts, Spring MVC,...) or by solutions like Spring Security:

  • Authentication and session management: covered by application servers and Spring Security
  • Output Encoding: covered by web frameworks tags (in that case Spring MVC) to avoid XSS (escape functions). Not covered for other kind of encoding like encoding to avoid SQL Injection.
  • Cryptographic functions: covered by Spring Security (http://docs.spring.io/spring-security/site/docs/3.1.7.RELEASE/reference/crypto.html) or also ESAPI. I haven’t compared both frameworks but it seems they are similar.
  • Parameter-specific input validation: covered by all web frameworks (Struts, Spring MVC, etc.)

HDIV was designed as a complement to the security features offered by Java EE, Spring Security and web frameworks.

In order to understand more deeply the differences between HDIV and ESAPI I will try to compare the features to cover OWASP top ten web risks with both frameworks. I have included the features included within ESAPI 2.x and ESAPI 3.x at github (https://github.com/ESAPI).

A1- Injection:

  • HDIV: regarding HTTP parameters’ values, urls and cookies HDIV reduce the risk of this vulnerability to only the data that come from text fields within forms, applying integrity validations for the rest of the data that come from client side (assures the received value is the same as the generated at server side). For text fields included within forms, HDIV offers generic validations (whitelist and blacklist) in order to avoid injection attacks.
  • ESAPI: manual input validation for each parameter. This feature is useful but is already offered by almost all web frameworks. In addition to that, SQL encoding features to encode the SQL programmatically before the query execution.

A2-Broken Authentication and Session Management:

  • HDIV: does not offer functionalities for this web risk. We recommend to use Spring Security for authentication and the application server features (Servlets specification) for session management.
  • ESAPI: offers utilities that must be used programmatically by programmers.

A3-XSS: the same as A1 but in that case to avoid XSS risks.

  • HDIV: regarding HTTP parameters’ values and urls HDIV reduce the risk of this vulnerability to only the data that come from text fields within forms, applying integrity validations for the rest of the data that come from client side (assures the received value is the same as the generated at server side). For text fields included within forms, HDIV offers generic validations (whitelist and blacklist) in order to avoid injection attacks injection attacks. HDIV does not include any output encoding feature and delegate this responsibility to web frameworks tags, in this case Spring MVC.
  • ESAPI: includes manual input validation for each parameter. This feature is useful but is already offered by almost all web frameworks. Also offers Output encoding features for output encoding. This encoder must be used by programmers within source code.

A4-Insecure Direct Object References:

  • HDIV: controls all the data generated at server side (processed by framework tags) ensuring the integrity of the data and eliminating this risk. Does not require any source code change within supported web frameworks. It's important to note that HDIV supports different methods to manage the recollected information: cipher (the state is sent ciphered within the response), memory (the state is stored within HttpSession), hash (the hash of the state is stored in HttpSession and the content within the web response).
  • ESAPI: it’s necessary to create a map to include each parameter programmatically and store it in session.
    (http://www.jtmelton.com/2010/05/10/the-owasp-top-ten-and-esapi-part-5-insecure-direct-object-reference/). This feature is included within ESAPI 2.x but I haven’t found within ESAPI 3.x.

A5-Security misconfiguration:

  • HDIV: doesn’t include specific functionalities for that but does not allow the access to resources not sent by the server previously, avoiding the exploitation of unexpected behaviors or access to private resources.
  • ESAPI: I haven’t found any feature but I am not an expert in ESAPI.

A6-Sensitive Data Exposure:

A7-Missing Function Level Access Control :

  • HDIV: thanks to the integrity validations implemented by HDIV, avoids the exploitation of this web risk and limit the use only URLs generated previously by the server, maintaining the original contract offered by the application.
  • ESAPI: offers an API to implement it programmatically. As far as I know It’s similar to the features offered by Spring Security that must be used by programmers within source code to securize each URL.

A8-Cross-Site Request Forgery (CSRF):

  • HDIV: adds aleatory tokens to avoid this vulnerability to each form thanks to the HDIV integration with web frameworks form tags.
  • ESAPI: offers an API to generate tokens. This tokens must be added by programmers manually to each web form.

A9-Using components with known vulnerabilities:

  • HDIV: does not include specific functionalities for that but thanks to the interaction limitations applied by HDIV to the user in many cases is not possible to exploit the known vulnerability.
  • ESAPI: I don’t see any feature within the documentation but I am not an expert in ESAPI.

A10-Unvalidated redirects and forwards: This vulnerability is mainly related to the manipulation of non editable data or data generated previously at server side and it’s very similar to A4.

  • HDIV: controls all the data sent by the server and doesn't allow the redirection to malicious web sites.
  • ESAPI: the solution offered by ESAPI will be the same as the offered for A4 (AccessReferenceMap ) that must be used within the source code.

Roberto Velasco Sarasola (HDIV team)