Stinger News

From OWASP
Jump to: navigation, search
Stinger 2.4 Released - 13:58, 21 May 2007 (EDT)

The OWASP Stinger Project is proud to release Stinger 2.4. As noted in RC1, this release is intended to address code quality issues as well as implement several community suggested updates. The following is a list of notable changes:

  • Backported the Stinger 3.0 "DROP/CONTINUE/PROCESS" doAction() logic. No need for "BreakChainException"
  • Cleaned up some code quality issues (removed all instances of System.out and printStackTrace, using interfaces properly, fixed synchronization issues)
  • Added the ability to define an "exclude" list which searches for patterns within a pattern. For example, if we allow the character '.' and the character '/', we may want to prevent instances of '../'. This can now be done by adding an "<exclude>../</exclude>" tag underneath the "<regex></regex>" element of a rule. See the example "stinger.xml" file included with the Stinger Eclipse project for more information.
  • Modified the Log action to hashsession ID's before logging them as well as fixed "getHandler()" property default bug
  • The inclusion of the "exclude-set" value which tells Stinger to do nothing with these pages. Useful for patterns that cover too much (ex. *.*)
  • The stinger.xml file is expected to be found relative to /WEB-INF. This means that we simply set the filter-init "config" parameter to "stinger.xml" rather than "C:\Documents and Settings....\WEB-INF\stinger.xml"
  • Removed the "DisplayMessage" action as it is not very useful
  • Added better logging throughout the code base

You can get the latest Stinger release here.

Stinger 2.4 RC1 Released - 11:40, 29 January 2007 (EST)

The OWASP Stinger Project is proud to release Stinger 2.4 RC1. This release is largely intended to address some code quality issues.

The following is a list of notable changes:

  • We now allow for an "exclude" option for each parameter. After defining a regular expression for a parameter, we can now define strings that should *NOT* exist within the input. For example, let us assume our regular expression accepts all numbers, characters, a period, and a slash (/). However, note that "aaa../../etc/passwd" would be considered a valid input. Therefore, we can specify an "exclude" tag to prevent such input:
...
<rule>
   <name>file</name>
   <regex>filetext</regex>
   <exclude>../</exclude>
...
  • The "invalidate" action will properly clear the cookie from the user's browser.

The current list of tasks to complete is as follows:

  • Remove the absolute path dependence when specifying the Stinger configuration file in web.xml

As always, let me know if you have any suggestions for improving the Stinger 2.4 release!

Click here for the Stinger 2.x release page.

Stinger 3.0 Status Update! - 17:58, 1 January 2007 (EST)

After many hard hours, I am proud to announce that several features have been implemented in the Stinger 3.0 baseline. This one of several milestones necessary to make Stinger a commercial quality product.

The following is a list of notable changes:

  • Validation of the entire HTTP request: including URI, headers, cookies, and parameters
  • A robust "learning" mode to make rule generation simplistic and efficient.
  • A more flexible "Action" framework. Actions will be able to execute logic before and/or after the request is processed by the web application

If you have any suggestions for Stinger 3.0, please post them on the Stinger 3.0 ideas page.

Stinger 2.2 Released! - 13:37, 24 November 2006 (EST)

The OWASP Stinger project is pleased to announce the immediate availability of Stinger 2.2 for both JDK 5.0 and JDK 1.4! The following is a list of the notable changes:

  • Implemented a more complete MutableHttpRequest object and removed the MutableHttpResponse object.
  • The rule set 'paths' are implemented used regular expressions. There is no longer a need to define multiple paths for specific rule sets.
  • The 'created' and 'enforce' paths for cookie rules are implemented using regular expressions. There is no longer a need to define multiple 'enforce' paths.
  • The introduction of an 'exclude' set defining paths that should not be processed by Stinger.
  • Implemented log rolling capabilities in the 'Log' action.
  • Added a 'Forward' action which can forward request processing to a specified page.
  • Used the HTML entity encoding function found in the HTML Entity Encoding article.

A special thanks goes out to John Callaway for his work in expanding the 'Log' action capabilities as well as the JDK 1.4 port.

Project Pages Revamped and Stinger 3.0 - 09:55, 23 November 2006 (EST)

The OWASP Stinger project pages are currently being "revamped" to be visually clean and make navigation more intuitive. Furthermore, Stinger 3.0 development is underway! Make sure to post any ideas you would like to see implemented in the new version at the OWASP Stinger 3.0 Project page.