Category:OWASP Validation Project

From OWASP
Revision as of 12:52, 25 May 2006 by Weilin Zhong (Talk | contribs)


Most web application platforms do not include features to validate user input. This leaves many organizations to craft their own validation mechanisms, often incomplete, flawed, and inefficient.

The OWASP Validation Project was created to provide guidance and tools related to validation. Our philosophy is that validation is required for every part of the HTTP request, including headers, querystring, cookies, form fields, and hidden fields.

Currently, several projects are underway to create validation tools for various platforms. Long term, the plan is to isolate the validation rules from the engine that implements them, and to provide validation engines for the popular web application environments.

Java

The Stinger library is a full HTTP validation engine. It can be used as a library or as a J2EE filter. The full details are on the OWASP Stinger project page.


Regex

OWASP has started a repository for useful regular expressions. These expressions are an extremely powerful way to represent a complex set of validation rules. For example, ^\d{5}$ means to match a string of exactly five digits.

 <?xml version="1.0"?> 
 
 <regex>
 	<name>url</name>
 	<pattern>^((((https?|ftps?|gopher|telnet|nntp)://)|(mailto:|news:))(%[0-9A-Fa-f]{2}|[-()_.!~*';/?:@&=+$,A-Za-z0-9])+)([).!';/?:,][[:blank:]])?$</pattern>
 	<description></description>
 </regex>
 
 <regex>
 	<name>email</name>
 	<pattern>^[\w\-\+\&\*]+(?:\.[\w\-\+\&\*]+)*@(?:[\w-]+\.)+[a-zA-Z]{2,7}$</pattern>
 	<description></description>
 </regex>
 
 <regex>
 	<name>safetext</name>
 	<pattern>^[a-zA-Z0-9\s.\-]+$</pattern>
 	<description>Lower and upper case letters, digits, whitespace, period and hyphen</description>
 </regex>
 
 <regex>
 	<name>digitwords</name>
 	<pattern>^(zero|one|two|three|four|five|six|seven|eight|nine)$</pattern>
 	<description>The English words representing the digits 0 to 9</description>
 </regex>
 
 <regex>
 	<name>zip</name>
 	<pattern>^\d{5}(-\d{4})?$</pattern>
 	<description>US zip code with optional dash-four</description>
 </regex>
 
 <regex>
 	<name>phone</name>
 	<pattern>^\D?(\d{3})\D?\D?(\d{3})\D?(\d{4})$</pattern>
 	<description>US phone number with or without dashes</description>
 </regex>
 
 <regex>
 	<name>state</name>
 	<pattern>^(AL|AK|AS|AZ|AR|CA|CO|CT|DE|DC|FM|FL|GA|GU|HI|ID|IL|IN|IA|KS|KY|LA|ME|MH|MD|MA|MI|MN|MS|MO|MT|NE|NV|NH|NJ|NM|NY|NC|ND|MP|OH|OK|OR|PW|PA|PR|RI|SC|SD|TN|TX|UT|VT|VI|VA|WA|WV|WI|WY)$</pattern>
 	<description>Two letter state abbreviations</description>
 </regex>
 
 <regex>
 	<name>date</name>
 	<pattern>^(?:(?:(?:0?[13578]|1[02])(\/|-|\.)31)\1|(?:(?:0?[13-9]|1[0-2])(\/|-|\.)(?:29|30)\2))(?:(?:1[6-9]|[2-9]\d)?\d{2})$|^(?:0?2(\/|-|\.)29\3(?:(?:(?:1[6-9]|[2-9]\d)?(?:0[48]|[2468][048]|[13579][26])|(?:(?:16|[2468][048]|[3579][26])00))))$|^(?:(?:0?[1-9])|(?:1[0-2]))(\/|-|\.)(?:0?[1-9]|1\d|2[0-8])\4(?:(?:1[6-9]|[2-9]\d)?\d{2})$</pattern>
 	<description>Date in US format with support for leap years</description>
 </regex>
 
 <regex>
 	<name>creditcard</name>
 	<pattern>^(((4\d{3})|(5[1-5]\d{2})|(6011))-?\d{4}-?\d{4}-?\d{4}|3[47]\d{13})$</pattern>
 	<description></description>
 </regex>
 
 <regex>
 	<name>password</name>
 	<pattern>^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{4,8}$</pattern>
 	<description>4 to 8 character password requiring numbers, lowercase letters, and uppercase letters</description>
 </regex>
 
 <regex>
 	<name>ssn</name>
 	<pattern>^\d{3}-\d{2}-\d{4}$</pattern>
 	<description>9 digit social security number with dashes</description>
 </regex>
 
 <regex>
 	<name>monthwords</name>
 	<pattern>^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)$</pattern>
 	<description>3 character abbreviations for the months</description>
 </regex>
 
 <!-- Some additional examples that have not been vetted
 
      // HTML HEX CODE   ^#?([a-f]|[A-F]|[0-9]){3}(([a-f]|[A-F]|[0-9]){3})?$
      // FLOATING POINT   ^[-+]?[0-9]+[.]?[0-9]*([eE][-+]?[0-9]+)?$
      // PERSON NAME   ^[a-zA-Z]+(([\'\,\.\- ][a-zA-Z ])?[a-zA-Z]*)*$
      // MAC ADDRESS  ^([0-9a-fA-F][0-9a-fA-F]:){5}([0-9a-fA-F][0-9a-fA-F])$
      // GUID    ^[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{12}$
      // IP ADDRESS  ^\b((25[0-5]|2[0-4]\d|[01]\d\d|\d?\d)\.){3}(25[0-5]|2[0-4]\d|[01]\d\d|\d?\d)\b$
      // REASONABLE DOMAIN NAME   ^([a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,6}$
      // RFC 1918 NON ROUTABLE IP   ^(((25[0-5]|2[0-4][0-9]|19[0-1]|19[3-9]|18[0-9]|17[0-1]|17[3-9]|1[0-6][0-9]|1[1-9]|[2-9][0-9]|[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9]))|(192\.(25[0-5]|2[0-4][0-9]|16[0-7]|169|1[0-5][0-9]|1[7-9][0-9]|[1-9][0-9]|[0-9]))|(172\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|1[0-5]|3[2-9]|[4-9][0-9]|[0-9])))\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])$
      // VALID WINDOWS FILENAME  ^(?!^(PRN|AUX|CLOCK\$|NUL|CON|COM\d|LPT\d|\..*)(\..+)?$)[^\x00-\x1f\\?*:\";|/]+$
      // Java Classname  ^(([a-z])+.)+[A-Z]([a-z])+$
      //  ANY PLATFORM FILENAME   ^(([a-zA-Z]:|\\)\\)?(((\.)|(\.\.)|([^\\/:\*\?"\|<>\. ](([^\\/:\*\?"\|<>\. ])|([^\\/:\*\?"\|<>]*[^\\/:\*\?"\|<>\. ]))?))\\)*[^\\/:\*\?"\|<>\. ](([^\\/:\*\?"\|<>\. ])|([^\\/:\*\?"\|<>]*[^\\/:\*\?"\|<>\. ]))?$
 -->
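The following Python is an added example, not code from this page or from the Stinger project. It serves two passages above: the statement that every part of the HTTP request (headers, querystring, cookies, form fields) must be validated, and the regex repository itself. It loads a constructed subset of the repository (wrapped in a `<rules>` root element so it is one well-formed XML document, with `&` escaped as `&amp;` and the creditcard pattern parenthesised so `^` and `$` apply to both alternatives), compiles each `<pattern>`, and runs a constructed sample request through the rules. The `RULE_FOR` field-to-rule mapping and the sample request values are assumptions of this example. It also shows one caveat that matters when these `^...$` patterns are reused across engines: in Python, `$` also matches just before a trailing newline, so `re.match` accepts `"12345\n"` against `^\d{5}$` while `re.fullmatch` does not.

```python
import re
import xml.etree.ElementTree as ET

# Constructed example repository: a subset of the patterns listed on this page,
# wrapped in a single <rules> root element so it parses as one XML document,
# with the literal & escaped as &amp; as XML requires. The creditcard pattern is
# parenthesised so that ^ and $ apply to both alternatives.
REPOSITORY_XML = r"""<?xml version="1.0"?>
<rules>
  <regex>
    <name>email</name>
    <pattern>^[\w\-\+\&amp;\*]+(?:\.[\w\-\+\&amp;\*]+)*@(?:[\w-]+\.)+[a-zA-Z]{2,7}$</pattern>
    <description></description>
  </regex>
  <regex>
    <name>zip</name>
    <pattern>^\d{5}(-\d{4})?$</pattern>
    <description>US zip code with optional dash-four</description>
  </regex>
  <regex>
    <name>phone</name>
    <pattern>^\D?(\d{3})\D?\D?(\d{3})\D?(\d{4})$</pattern>
    <description>US phone number with or without dashes</description>
  </regex>
  <regex>
    <name>monthwords</name>
    <pattern>^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)$</pattern>
    <description>3 character abbreviations for the months</description>
  </regex>
  <regex>
    <name>creditcard</name>
    <pattern>^(((4\d{3})|(5[1-5]\d{2})|(6011))-?\d{4}-?\d{4}-?\d{4}|3[47]\d{13})$</pattern>
    <description></description>
  </regex>
</rules>
"""


def load_rules(xml_text):
    """Compile every <regex> element into a {name: compiled pattern} table."""
    root = ET.fromstring(xml_text)
    return {node.findtext("name"): re.compile(node.findtext("pattern"))
            for node in root.findall("regex")}


def validate(rules, rule_name, value):
    r"""Whitelist check: True only when the entire value matches the named rule.

    fullmatch() is used instead of match() because in Python the $ anchor also
    matches just before a trailing newline, so "12345\n" would pass ^\d{5}$.
    """
    return rules[rule_name].fullmatch(value) is not None


def anchor_trap():
    r"""Return (match_result, fullmatch_result) for "12345\n" against ^\d{5}$."""
    pattern = re.compile(r"^\d{5}$")
    probe = "12345\n"
    return (pattern.match(probe) is not None, pattern.fullmatch(probe) is not None)


# Field-name to rule-name mapping: an assumption of this example, the page
# defines no such mapping.
RULE_FOR = {"zip": "zip", "month": "monthwords", "email": "email",
            "card": "creditcard", "X-Phone": "phone"}

# Constructed sample request, split into the parts the project says must all
# be validated.
SAMPLE_REQUEST = {
    "querystring": {"zip": "20001-1234", "month": "Aug"},
    "form": {"email": "alice@example.com", "card": "4111-1111-1111-1111"},
    "cookies": {"zip": "12345\n"},          # trailing newline: must be rejected
    "headers": {"X-Phone": "202-555-0123"},
}


def validate_request(rules, request):
    """Return (part, field, value) for every field that fails validation.

    A field with no rule is also reported: unknown input is not accepted.
    """
    failures = []
    for part, fields in request.items():
        for field, value in fields.items():
            rule = RULE_FOR.get(field)
            if rule is None or not validate(rules, rule, value):
                failures.append((part, field, value))
    return failures


RULES = load_rules(REPOSITORY_XML)

if __name__ == "__main__":
    print("match/fullmatch on '12345\\n':", anchor_trap())
    for failure in validate_request(RULES, SAMPLE_REQUEST):
        print("rejected:", failure)
```

Run as a script, it reports the cookie value with the trailing newline as the only rejected field. Engines differ in what `^`, `$` and POSIX classes such as `[[:blank:]]` mean, so a rule set shared across platforms should be tested in each target engine with the same positive and negative samples.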

PHP

PHP Filter

WebScarab

WebScarab Parameter Parser

News and Status

 Wed Nov 17 15:27:39 EST 2004
 The validation project was started to pull together a number of validation related articles, tools, and techniques for a variety of technologies under one umbrella.
 The validation project is run by the OWASP Germany Chapter. The project leader and coordinator is Ali Mabrouk.

Feedback and Participation

We hope you find the Validation project useful. Please contribute back to the project by sending your comments, questions, and suggestions to the Validation mailing list. Thanks!

To join the OWASP Validation mailing list or view the archives, please visit the subscription page.
