Difference between revisions of "Category:OWASP Validation Project"

From OWASP
Jump to: navigation, search
(PHP)
(News)
Line 10: Line 10:
  
 
=News=
 
=News=
 +
 +
'''Stinger 2.0 Beta I released!'''
 +
 +
The OWASP Validation Project is pleased to announce the immediate availability of Stinger 2.0 Beta I. Stinger, a J2EE input validation filter, is the result of a tireless effort to provide a thorough implementation of input validation in web applications. We would like to thank the OWASP community for many of the new features implemented in this release.
 +
 +
New Features:
 +
 +
:* Simplified request validation: only validate cookies and parameters
 +
:* Centralized method of defining regular expressions in the SVDL file.
 +
:* The ability to define global actions to be taken for parameters without an associated rule
 +
:* Action based implementation: basic framework for implementing your own custom actions. Several common actions provided
 +
:* Implemented a negative security model to be applied on top of the positive security model.
 +
:* And More!
 +
 +
Current Issues/ToDo's:
 +
 +
:* Stinger 2.0 is still considered highly developmental. Not for production systems yet.
 +
:* The 'Mail' action has not been fully tested
 +
:* The 'DisplayMessage' action does not handle more than one message per HTML table
 +
:* Negative Security regular expression are not defined
 +
 +
For a complete understanding of all the features implemented in Stinger, please refer to the ‘Stinger Implementation’ section of the OWASP Validation Documentation
  
 
  '''Fortify Software Donates Vulnerability Research Project - 09:35, 31 July 2006 (EDT)'''
 
  '''Fortify Software Donates Vulnerability Research Project - 09:35, 31 July 2006 (EDT)'''

Revision as of 17:13, 4 August 2006

Contents

Overview

Most web application platforms do not include features to validate user input. This leaves many organizations to craft their own validation mechanisms, often incomplete, flawed, and inefficient.

The OWASP Validation Project was created to provide guidance and tools related to validation. Our philosophy is that validation is required for every part of the HTTP request, including headers, query string, cookies, form fields, and hidden fields.

Currently, there are several projects underway to create validation technologies for various platforms. The long term goal is to provide a detailed guide for implementing proper input validation as well as provide validation engines for popular web application environments.

The OWASP Validation Project was created by Jeff Williams and is currently maintained by Eric Sheridan.

News

Stinger 2.0 Beta I released!

The OWASP Validation Project is pleased to announce the immediate availability of Stinger 2.0 Beta I. Stinger, a J2EE input validation filter, is the result of a tireless effort to provide a thorough implementation of input validation in web applications. We would like to thank the OWASP community for many of the new features implemented in this release.

New Features:

  • Simplified request validation: only validate cookies and parameters
  • Centralized method of defining regular expressions in the SVDL file.
  • The ability to define global actions to be taken for parameters without an associated rule
  • Action based implementation: basic framework for implementing your own custom actions. Several common actions provided
  • Implemented a negative security model to be applied on top of the positive security model.
  • And More!

Current Issues/ToDo's:

  • Stinger 2.0 is still considered highly developmental. Not for production systems yet.
  • The 'Mail' action has not been fully tested
  • The 'DisplayMessage' action does not handle more than one message per HTML table
  • Negative Security regular expression are not defined

For a complete understanding of all the features implemented in Stinger, please refer to the ‘Stinger Implementation’ section of the OWASP Validation Documentation

Fortify Software Donates Vulnerability Research Project - 09:35, 31 July 2006 (EDT)

Fortify software as graciously donated a comprehensive set of software security research material to OWASP. The research material provides an in-depth analysis of 115 software vulnerabilities which can be found at the OWASP Honeycomb Project homepage. The category of particular interest is, of course, the Input Validation Vulnerability. The OWASP Community is strongly encouraged to donate to this milestone project. Once the current set of projects is completed, it is the goal of the OWASP Validation Project to contribute to the vast and quickly growing OWASP Honeycomb Project.

OWASP Validation Documentation Delayed - 09:07, 23 July 2006 (EDT)

Unfortunately, the OWASP Validation Documentation has been delayed for roughly a week. The good news, however, is the reason for the delay. A new project, entitled Poseidon, is currently in development. Poseidon will greatly simplify the generation of an SVDL file through the use of your own web based application! Look for a rough draft of the validation documentation near the end of the week.

Project Stinger 2.0 is Underway! - 11:44, 10 July 2006 (EDT)

One of the goals of the OWASP Validation Project is updating and improving the Java validation engine, Stinger. This update will include the many submitted ideas/patches over the past several years on top of a completely rewritten engine. If you have any ideas/patches that you would like to have reviewed for submission, please contact Eric Sheridan.

OWASP Validation Finds a New Project Lead - 11:44, 10 July 2006 (EDT)

Thanks to Jeff Williams, Eric Sheridan is now the lead of the OWASP Validation Project. The project will be moving forward in the next few weeks. Refer to the road map for short term goals and deadlines. Stay tuned!

Project Roadmap

The three major goals of the OWASP Validation Project are the following:

  1. build an input validation guide
  2. provide and implement input validation mechanisms for various platforms
  3. rewrite Stinger to incorporate the design principals in the guide

The OWASP Validation Roadmap contains the latest information as to project goals and targeted release dates.

Guide to Building Input Validation

One of the major goals of the OWASP Validation Project is to provide clear and detailed documentation on building input validation mechanisms for your web application needs. In the near future, this section will contain such documentation. Check back soon!

Implementation

The second major goal of the OWASP Validation Project is to provide input validation mechanisms which adhere to one or more of the design principals outlined in the 'Input Validation Guide'. If you have a project which fits this requirement, please submit it via email to the project lead.

Java

The Stinger library is a full J2EE Validation Engine which strongly adheres to the principal's outline in the 'Input Validation Guide'. More information can be found on the Stinger Project page at http://www.owasp.org/index.php/OWASP_Stinger_Project

.NET

One of the goals of the OWASP Validation Project is to implement Stinger 2.0 on the .NET platform. If you are interested in leading this project, please contact Eric Sheridan.

Please refer to the project road map for an estimated time of arrival.

PHP

The PHP Filters Project provides an API framework for validating input for various purposes. The project can be found here.

OWASP Recently released the OWASP Top 5, an article illustrating several attack vectors against PHP applications. The majority of the PHP Top 5 can be alleviated with a solid and well defined validation mechanism.

RegEx Repository

The OWASP RegEx Repository contains a multitude of regular expressions for common data types. Developers implementing input validation engines should review these regular expressions. Save the time of developing a complicated regular expression that currently exists!

Project Sponsor

The OWASP Validation project is sponsored by Aspect_logo.gif

Subcategories

This category has the following 4 subcategories, out of 4 total.

O

Media in category "OWASP Validation Project"

This category contains only the following file.