Category:OWASP Validation Project

Most web application platforms do not include features to validate user input. This leaves many organizations to craft their own validation mechanisms, often incomplete, flawed, and inefficient.

The OWASP Validation Project was created to provide guidance and tools related to validation. Our philosophy is that validation is required for every part of the HTTP request, including headers, query string, cookies, form fields, and hidden fields.

Currently, there are several projects underway to create validation tools for various platforms. Long term, the project plan is to isolate the validation rules from the engine that implements them, and to provide validation engines for the popular web application environments.

=Java=

The Stinger library is a full HTTP validation engine. It can be used as a library or as a J2EE filter. The full details are on the OWASP Stinger project page.

=Regex=

OWASP has started a repository for useful regular expressions. These expressions are an extremely powerful way to represent a complex set of validation rules. For example, <nowiki>^\d{5}$</nowiki> means to match a string of exactly five digits.

{| class="wikitable"
! Name !! Regular expression !! Description
|-
| url || <nowiki>^((((https?|ftps?|gopher|telnet|nntp)://)|(mailto:|news:))(%[0-9A-Fa-f]{2}|[-_.!~*';/?:@&=+$,A-Za-z0-9])+)([).!';/?:,][[:blank:]])?$</nowiki> ||
|-
| email || <nowiki>^[\w\-\+\&\*]+(?:\.[\w\-\+\&\*]+)*@(?:[\w-]+\.)+[a-zA-Z]{2,7}$</nowiki> ||
|-
| safetext || <nowiki>^[a-zA-Z0-9\s.\-]+$</nowiki> || Lower and upper case letters and all digits
|-
| digitwords || <nowiki>^(zero|one|two|three|four|five|six|seven|eight|nine)$</nowiki> || The English words representing the digits 0 to 9
|-
| zip || <nowiki>^\d{5}(-\d{4})?$</nowiki> || US zip code with optional dash-four
|-
| phone || <nowiki>^\D?(\d{3})\D?\D?(\d{3})\D?(\d{4})$</nowiki> || US phone number with or without dashes
|-
| state || <nowiki>^(AL|AK|AS|AZ|AR|CA|CO|CT|DE|DC|FM|FL|GA|GU|HI|ID|IL|IN|IA|KS|KY|LA|ME|MH|MD|MA|MI|MN|MS|MO|MT|NE|NV|NH|NJ|NM|NY|NC|ND|MP|OH|OK|OR|PW|PA|PR|RI|SC|SD|TN|TX|UT|VT|VI|VA|WA|WV|WI|WY)$</nowiki> || Two letter state abbreviations
|-
| date || <nowiki>^(?:(?:(?:0?[13578]|1[02])(\/|-|\.)31)\1|(?:(?:0?[13-9]|1[0-2])(\/|-|\.)(?:29|30)\2))(?:(?:1[6-9]|[2-9]\d)?\d{2})$|^(?:0?2(\/|-|\.)29\3(?:(?:(?:1[6-9]|[2-9]\d)?(?:0[48]|[2468][048]|[13579][26])|(?:(?:16|[2468][048]|[3579][26])00))))$|^(?:(?:0?[1-9])|(?:1[0-2]))(\/|-|\.)(?:0?[1-9]|1\d|2[0-8])\4(?:(?:1[6-9]|[2-9]\d)?\d{2})$</nowiki> || Date in US format with support for leap years
|-
| creditcard || <nowiki>^(((4\d{3})|(5[1-5]\d{2})|(6011))-?\d{4}-?\d{4}-?\d{4}|3[47]\d{13})$</nowiki> ||
|-
| password || <nowiki>^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{4,8}$</nowiki> || 4 to 8 character password requiring numbers, lowercase letters, and uppercase letters
|-
| ssn || <nowiki>^\d{3}-\d{2}-\d{4}$</nowiki> || 9 digit social security number with dashes
|-
| monthwords || <nowiki>^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)$</nowiki> || 3 character abbreviations for the months
|}

<!-- Some additional examples that have not been vetted
// HTML HEX CODE
^#?([a-f]|[A-F]|[0-9]){3}(([a-f]|[A-F]|[0-9]){3})?$
// FLOATING POINT
^[-+]?[0-9]+[.]?[0-9]*([eE][-+]?[0-9]+)?$
// PERSON NAME
^[a-zA-Z]+(([\'\,\.\- ][a-zA-Z ])?[a-zA-Z]*)*$
// MAC ADDRESS
^([0-9a-fA-F][0-9a-fA-F]:){5}([0-9a-fA-F][0-9a-fA-F])$
// GUID
^[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{12}$
// IP ADDRESS
^\b((25[0-5]|2[0-4]\d|[01]\d\d|\d?\d)\.){3}(25[0-5]|2[0-4]\d|[01]\d\d|\d?\d)\b$
// REASONABLE DOMAIN NAME
^([a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,6}$
// RFC 1918 NON ROUTABLE IP
^(((25[0-5]|2[0-4][0-9]|19[0-1]|19[3-9]|18[0-9]|17[0-1]|17[3-9]|1[0-6][0-9]|1[1-9]|[2-9][0-9]|[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9]))|(192\.(25[0-5]|2[0-4][0-9]|16[0-7]|169|1[0-5][0-9]|1[7-9][0-9]|[1-9][0-9]|[0-9]))|(172\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|1[0-5]|3[2-9]|[4-9][0-9]|[0-9])))\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])$
// VALID WINDOWS FILENAME
^(?!^(PRN|AUX|CLOCK\$|NUL|CON|COM\d|LPT\d|\..*)(\..+)?$)[^\x00-\x1f\\?*:\";|/]+$
// Java Classname
^(([a-z])+.)+[A-Z]([a-z])+$
// ANY PLATFORM FILENAME
^(([a-zA-Z]:|\\)\\)?(((\.)|(\.\.)|([^\\/:\*\?"\|<>\. ](([^\\/:\*\?"\|<>\. ])|([^\\/:\*\?"\|<>]*[^\\/:\*\?"\|<>\. ]))?))\\)*[^\\/:\*\?"\|<>\. ](([^\\/:\*\?"\|<>\. ])|([^\\/:\*\?"\|<>]*[^\\/:\*\?"\|<>\. ]))?$
-->
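The following is an added example (not code from the OWASP Validation Project or the Stinger library) that applies several of the table's expressions as a whitelist and shows the two ways an anchored-looking pattern can still let hostile input through: an alternation whose branches are not each anchored (the creditcard pattern as originally published, compared here with the corrected form), and a `$` anchor that tolerates a trailing newline under find-anywhere matching. The sample inputs are constructed for the demonstration; the patterns are taken from the table, restricted to ones Python's `re` module supports (the url pattern's POSIX `[[:blank:]]` class is not available there).

```python
import re

# Rules copied from the table above (corrected creditcard and monthwords forms).
PATTERNS = {
    "zip": r"^\d{5}(-\d{4})?$",
    "ssn": r"^\d{3}-\d{2}-\d{4}$",
    "monthwords": r"^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)$",
    "creditcard": r"^(((4\d{3})|(5[1-5]\d{2})|(6011))-?\d{4}-?\d{4}-?\d{4}|3[47]\d{13})$",
}

# The creditcard pattern as originally published: the first alternative has no
# trailing $, the second has no leading ^, and [4,7] also admits a comma.
CREDITCARD_ORIGINAL = r"^((4\d{3})|(5[1-5]\d{2})|(6011))-?\d{4}-?\d{4}-?\d{4}|3[4,7]\d{13}$"

COMPILED = {name: re.compile(p) for name, p in PATTERNS.items()}


def validate(name, value):
    """Whitelist check: True only if the whole value matches the named rule.

    fullmatch() requires the match to span the entire string, so even a pattern
    with a missing or weak anchor cannot accept leading or trailing garbage.
    That is defense in depth on top of the ^...$ anchors in the table."""
    if not isinstance(value, str):
        return False
    return COMPILED[name].fullmatch(value) is not None


def search_accepts(pattern, value):
    """Find-anywhere semantics, like preg_match() in PHP or Matcher.find() in
    Java: the match may begin or end anywhere unless the pattern anchors it."""
    return re.search(pattern, value) is not None


def original_creditcard_leaks():
    """Constructed hostile inputs that the published creditcard pattern accepts
    under find-anywhere matching; the corrected pattern rejects all of them."""
    hostile = [
        "4111111111111111<script>",   # Visa branch has no $ -> trailing payload
        "junk;371234567890123",        # Amex branch has no ^ -> leading payload
        "3,1234567890123",             # [4,7] matches the comma
    ]
    return [v for v in hostile if search_accepts(CREDITCARD_ORIGINAL, v)]


def newline_trick(name, value):
    """Return (accepted by re.search, accepted by validate) for one value.

    Without the MULTILINE flag, $ still matches just before a final newline, so
    "12345\\n" passes ^\\d{5}$ under search(); fullmatch() rejects it."""
    return search_accepts(PATTERNS[name], value), validate(name, value)


def demo():
    """Constructed valid and hostile inputs checked against the corrected rules."""
    cases = [
        ("zip", "12345", True),
        ("zip", "12345-6789", True),
        ("zip", "12345\n", False),
        ("ssn", "123-45-6789", True),
        ("ssn", "123456789", False),
        ("monthwords", "Aug", True),
        ("monthwords", "aug", False),
        ("creditcard", "4111-1111-1111-1111", True),
        ("creditcard", "371234567890123", True),
        ("creditcard", "4111111111111111<script>", False),
        ("creditcard", "junk;371234567890123", False),
        ("creditcard", "3,1234567890123", False),
    ]
    return all(validate(n, v) == expected for n, v, expected in cases)


if __name__ == "__main__":
    print("leaks through original creditcard pattern:", original_creditcard_leaks())
    print("zip with trailing newline (search, fullmatch):", newline_trick("zip", "12345\n"))
    print("all corrected rules behave as expected:", demo())
```

The practical rules this illustrates: anchor every alternative (or wrap the whole alternation in a group before anchoring), keep commas out of character classes unless a comma is really meant, and prefer an API that matches the entire input, such as Python's `fullmatch()` or Java's `Matcher.matches()`, over find-anywhere calls when the pattern is used as a whitelist.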

=PHP=

PHP Filter

=WebScarab=

WebScarab Parameter Parser

=News and Status=

Wed Nov 17 15:27:39 EST 2004 The validation project was started to pull together a number of validation related articles, tools, and techniques for a variety of technologies under one umbrella. The validation project is run by the OWASP Germany Chapter. The project leader and coordinator is Ali Mabrouk.

=Feedback and Participation=

We hope you find the Validation project useful. Please contribute back to the project by sending your comments, questions, and suggestions to the Validation mailing list. Thanks!

To join the OWASP Validation mailing list or view the archives, please visit the subscription page.