Stinger News

Stinger 2.4 RC1 Released - 11:40, 29 January 2007 (EST)

The OWASP Stinger Project is proud to release Stinger 2.4 RC1. This release is largely intended to address some code quality issues.

The following is a list of notable changes:


 * We now allow for an "exclude" option for each parameter. After defining a regular expression for a parameter, we can now define strings that should *NOT* exist within the input. For example, let us assume our regular expression accepts all numbers, characters, a period, and a slash (/). However, note that "aaa../../etc/passwd" would be considered a valid input. Therefore, we can specify an "exclude" tag to prevent such input:

...   file filetext ../ ...
 * The "invalidate" action will properly clear the cookie from the user's browser.

The current list of tasks to complete is as follows:


 * Remove the absolute path dependence when specifying the Stinger configuration file in web.xml

As always, let me know if you have any suggestions for improving the Stinger 2.4 release!

Click here for the Stinger 2.x release page.

'''Stinger 3.0 Status Update! - 17:58, 1 January 2007 (EST)'''

After many hard hours, I am proud to announce that several features have been implemented in the Stinger 3.0 baseline. This one of several milestones necessary to make Stinger a commercial quality product.

The following is a list of notable changes:


 * Validation of the entire HTTP request: including URI, headers, cookies, and parameters
 * A robust "learning" mode to make rule generation simplistic and efficient.
 * A more flexible "Action" framework. Actions will be able to execute logic before and/or after the request is processed by the web application

If you have any suggestions for Stinger 3.0, please post them on the Stinger 3.0 ideas page.

'''Stinger 2.2 Released! - 13:37, 24 November 2006 (EST)'''

The OWASP Stinger project is pleased to announce the immediate availability of Stinger 2.2 for both JDK 5.0 and JDK 1.4! The following is a list of the notable changes:


 * Implemented a more complete MutableHttpRequest object and removed the MutableHttpResponse object.
 * The rule set 'paths' are implemented used regular expressions. There is no longer a need to define multiple paths for specific rule sets.
 * The 'created' and 'enforce' paths for cookie rules are implemented using regular expressions. There is no longer a need to define multiple 'enforce' paths.
 * The introduction of an 'exclude' set defining paths that should not be processed by Stinger.
 * Implemented log rolling capabilities in the 'Log' action.
 * Added a 'Forward' action which can forward request processing to a specified page.
 * Used the HTML entity encoding function found in the HTML Entity Encoding article.

A special thanks goes out to John Callaway for his work in expanding the 'Log' action capabilities as well as the JDK 1.4 port.

Project Pages Revamped and Stinger 3.0 - 09:55, 23 November 2006 (EST)

The OWASP Stinger project pages are currently being "revamped" to be visually clean and make navigation more intuitive. Furthermore, Stinger 3.0 development is underway! Make sure to post any ideas you would like to see implemented in the new version at the OWASP Stinger 3.0 Project page.