Category:OWASP Stinger Project

Overview
Developers consistently implement sporadic, ad-hoc input validation mechanisms for web applications. Lack of a centralized and well-defined input validation mechanism opens the application to a variety of attacks: including SQL Injection, Cross Site Scripting (XSS), and Command Injection. The OWASP Stinger Project aims to develop a centralized input validation component which can be easily applied to existing or developmental applications. Using a declarative security model, Stinger has the ability to validate all HTTP requests coming into an application. Stinger is such a simplistic yet strong validation engine that organizations have begun integrating it into their software development life-cycle.

Project Lead
The OWASP Stinger Project is led by [mailto:eric.sheridan@owasp.org Eric Sheridan]

License
Stinger is offered under the LGPL. For further information on OWASP licenses, please consult the OWASP Licenses page.

Versions

 * Click here to view the OWASP Stinger 1.x Project page
 * Click here to view the OWASP Stinger 2.x Project page
 * Click here to view the OWASP Stinger 3.x Project page

Stinger News
'''Stinger 3.0 Status Update! - 17:59, 1 January 2007 (EST)'''

After many hard hours, I am proud to announce that several features have been implemented in the Stinger 3.0 baseline. This one of several milestones necessary to make Stinger a solid and robust engine.

The following is a list of notable changes:


 * Validation of the entire HTTP request: including URI, headers, cookies, and parameters
 * A robust "learning" mode to make rule generation simplistic and efficient.
 * A more flexible "Action" framework. Actions will be able to execute logic before and/or after the request is processed by the web application

If you have any suggestions for Stinger 3.0, please post them on the Stinger 3.0 ideas page.

'''Stinger 2.2 Released! - 13:37, 24 November 2006 (EST)'''

The OWASP Stinger project is pleased to announce the immediate availability of Stinger 2.2 for both JDK 5.0 and JDK 1.4! The following is a list of the notable changes:


 * Implemented a more complete MutableHttpRequest object and removed the MutableHttpResponse object.
 * The rule set 'paths' are implemented used regular expressions. There is no longer a need to define multiple paths for specific rule sets.
 * The 'created' and 'enforce' paths for cookie rules are implemented using regular expressions. There is no longer a need to define multiple 'enforce' paths.
 * The introduction of an 'exclude' set defining paths that should not be processed by Stinger.
 * Implemented log rolling capabilities in the 'Log' action.
 * Added a 'Forward' action which can forward request processing to a specified page.
 * Used the HTML entity encoding function found in the HTML Entity Encoding article.

A special thanks goes out to John Callaway for his work in expanding the 'Log' action capabilities as well as the JDK 1.4 port.

Click here for old news...

Feedback and Participation
We hope you find Stinger useful. Please contribute back to the project by sending your comments, questions, and suggestions to the Stinger mailing list. Thanks!

To join the OWASP Stinger mailing list or view the archives, please visit the subscription page.

Donations
The Open Web Application Security Project is purely an open-source community driven effort. As such, all projects and research efforts are contributed and maintained with an individual's spare time. If you have found this or any other project useful, please support OWASP with a donation.

Project Sponsors
The OWASP Stinger project is sponsored by https://www.owasp.org/images/d/d1/Aspect_logo.gif.