Category:OWASP Validation Project
Most web application platforms do not include features to validate user input. This leaves many organizations to craft their own validation mechanisms, often incomplete, flawed, and inefficient.
The OWASP Validation Project was created to provide guidance and tools related to validation. Our philosophy is that validation is required for every part of the HTTP request, including headers, query string, cookies, form fields, and hidden fields.
Currently, there are several projects underway to create validation technologies for various platforms. The long term goal is to provide a detailed guide for implementing proper input validation as well as provide validation engines for popular web application environments.
The OWASP Validation Project was created by Jeff Williams and is currently maintained by Eric Sheridan.
Feedback and Participation:
We hope you find the OWASP Validation Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to firstname.lastname@example.org. To join the OWASP Validation Project mailing list or view the archives, please visit the subscription page.
OWASP Stinger Gets a Project Page! - 09:30, 16 December 2006 (EST)
The OWASP Stinger Project has its own project page. All information pertaining to Stinger (including downloads) can now be found there.
Stinger 2.2 Released! - 13:37, 24 November 2006 (EST)
The OWASP Stinger project is pleased to announce the immediate availability of Stinger 2.2 for both JDK 5.0 and JDK 1.4! The following is a list of the notable changes:
- Implemented a more complete MutableHttpRequest object and removed the MutableHttpResponse object.
- The rule set 'paths' are implemented using regular expressions. There is no longer a need to define multiple paths for specific rule sets.
- The 'created' and 'enforce' paths for cookie rules are implemented using regular expressions. There is no longer a need to define multiple 'enforce' paths.
- The introduction of an 'exclude' set defining paths that should not be processed by Stinger.
- Implemented log rolling capabilities in the 'Log' action.
- Added a 'Forward' action which can forward request processing to a specified page.
- Used the HTML entity encoding function found in the HTML Entity Encoding article.
A special thanks goes out to John Callaway for his work in expanding the 'Log' action capabilities as well as the JDK 1.4 port.
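As an added illustration of the rule-set concepts listed in the release notes above (rule sets and cookie rules selected by path regular expression, an 'exclude' set of unprocessed paths, and 'Log' and 'Forward' actions), and of the project's philosophy that every part of the request, cookies and headers included, gets validated, here is a small allow-list validator in Python. It is example code written for this page, not Stinger's API or configuration format: the class names (Rule, Request, Validator), the sample rules and the sample requests are all hypothetical, and it leaves out the 'created' path for cookies and any real servlet integration.

```python
import logging
import re
from dataclasses import dataclass, field

# Added example, not Stinger code: every class, rule and request below is
# hypothetical and exists only to illustrate the concepts on this page.

log = logging.getLogger("validation")


@dataclass
class Rule:
    """Allow-list rule: a value whose name matches `name` must fully match `pattern`."""
    location: str           # "param", "header" or "cookie"
    name: str               # regex over the parameter/header/cookie name
    pattern: str            # regex the entire value must match (allow-list)
    enforce: str = r".*"    # regex over request paths on which the rule applies


@dataclass
class Request:
    """Minimal stand-in for a servlet request: path plus the three input sources."""
    path: str
    params: dict            # query string, form fields and hidden fields
    headers: dict
    cookies: dict


@dataclass
class Validator:
    rules: list
    exclude: list = field(default_factory=list)   # path regexes never processed
    forward_to: str = "/error"                      # target of the Forward action

    def violations(self, req):
        """Return a list of 'location:name:reason' strings; empty means clean."""
        if any(re.fullmatch(p, req.path) for p in self.exclude):
            return []
        found = []
        sources = {"param": req.params, "header": req.headers, "cookie": req.cookies}
        for loc, values in sources.items():
            for name, value in values.items():
                applicable = [
                    r for r in self.rules
                    if r.location == loc
                    and re.fullmatch(r.name, name)
                    and re.fullmatch(r.enforce, req.path)
                ]
                if not applicable:
                    # Default deny for parameters and cookies: anything the rule set
                    # does not know about (e.g. an injected hidden field) is rejected.
                    # Headers are only checked when a rule names them, because browsers
                    # send many that the application never reads.
                    if loc != "header":
                        found.append(f"{loc}:{name}:no rule")
                    continue
                for r in applicable:
                    # fullmatch, not search() or a '$' anchor: '$' still accepts a
                    # trailing newline, which defeats the allow-list.
                    if re.fullmatch(r.pattern, value) is None:
                        found.append(f"{loc}:{name}:pattern")
        return found

    def handle(self, req):
        """Log action plus Forward action: None lets the request through,
        otherwise the page to forward the request to."""
        bad = self.violations(req)
        if not bad:
            return None
        log.warning("validation failed on %s: %s", req.path, bad)
        return self.forward_to


# Sample rule set, constructed for this example.
RULES = [
    Rule("param", r"username", r"[A-Za-z0-9_]{3,32}", enforce=r"/login"),
    Rule("param", r"password", r"[\x20-\x7e]{8,128}", enforce=r"/login"),
    Rule("param", r"q", r"[A-Za-z0-9 ]{1,64}", enforce=r"/search.*"),
    Rule("param", r"page", r"[0-9]{1,4}", enforce=r"/search.*"),
    Rule("cookie", r"JSESSIONID", r"[A-F0-9]{32}"),
    Rule("header", r"Host", r"example\.com(:[0-9]{1,5})?"),
]

validator = Validator(RULES, exclude=[r"/static/.*"])

if __name__ == "__main__":
    good = Request("/login", {"username": "alice", "password": "correct horse battery"},
                   {"Host": "example.com", "User-Agent": "curl/8.0"},
                   {"JSESSIONID": "0123456789ABCDEF0123456789ABCDEF"})
    print(validator.violations(good))   # []
    tampered = Request("/login", {"username": "alice", "isAdmin": "true"},
                       {"Host": "example.com"}, {"JSESSIONID": "' OR 1=1--"})
    print(validator.handle(tampered))   # /error
```

The design choices worth copying are the default-deny on parameters and cookies (an unexpected hidden field is itself a violation, not just a malformed one), enforcing cookie rules on every path rather than only where the cookie is read, and anchoring every pattern with a full match so a trailing newline or appended payload cannot slip past a `^...$` regex.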
The three major goals of the OWASP Validation Project are the following:
- build an input validation guide
- provide and implement input validation mechanisms for various platforms
- rewrite Stinger to incorporate the design principles in the guide
The OWASP Validation Roadmap contains the latest information as to project goals and targeted release dates.
Guide to Building Input Validation
One of the major goals of the OWASP Validation Project is to provide clear and detailed documentation on building input validation mechanisms for your web application needs. In the near future, this section will contain such documentation. Check back soon!
The second major goal of the OWASP Validation Project is to provide input validation mechanisms which adhere to one or more of the design principles outlined in the 'Input Validation Guide'. If you have a project which fits this requirement, please submit it via email to the project lead.
OWASP Validation Documentation
The primary purpose of the OWASP Validation Documentation project is to provide the design principles necessary to build an effective input validation engine. More can be found here.
The Stinger library is a full J2EE validation engine which strongly adheres to the principles outlined in the Validation Documentation. More information can be found on the Stinger Project page at http://www.owasp.org/index.php/OWASP_Stinger_Project
Most modern Java web frameworks include their own data validation features. All of these can validate user data in GET and POST requests, but usually do not validate cookie data. Web frameworks that provide their own validation features include:
One of the goals of the OWASP Validation Project is to implement Stinger 2.0 on the .NET platform.
If you are interested in leading this project, please contact Eric Sheridan.
Please refer to the project road map for an estimated time of arrival.
The PHP Filters Project provides an API framework for validating input for various purposes. The project can be found here.
OWASP recently released the PHP Top 5, an article illustrating several attack vectors against PHP applications.
The majority of the PHP Top 5 can be alleviated with a solid and well-defined validation mechanism.
The OWASP RegEx Repository contains a multitude of regular expressions for common data types. Developers implementing input validation engines should review these regular expressions and save the time of developing a complicated regular expression that already exists!