OWASP Validation Documentation Project
The most overlooked module in web applications is the input validation mechanism. Unfortunately, most developers are either unaware of the consequences or simply find developing input validation mechanisms “too hard”. Ever hear of a bank reporting that they've have several thousand credit card numbers stolen? Ever hear of the 'MySpace' worm? These issues would not exist had application developers implemented input validation correctly. Therefore, it is the goal of this document to provide a clear and detailed set of principals that should be incorporated in the development of an application specific input validation mechanism.
The OWASP Validation Documentation in word document form can be found here.
The online version of the OWASP Validation Documentation can be found here
Online Version Released - 16:16, 12 September 2006 (EDT)
In an attempt to fully open the validation documentation to the OWASP community, the paper will now be maintained via Mediawiki. The online version of the validation documentation can be found here. We encourage contributions and edits. We will periodically build word document version of the validation documentation when appropriate.
New version of the OWASP Validation Documentation Posted - 10:48, 14 August 2006 (EDT)
The most notable difference is that this version is in the Microsoft Word file format. Second, this version addresses a few obvious grammatical errors as well as the overuse of the phrase 'consider the case'. In the near future, the validation documentation will be posted in Wiki format such that anyone can openly contribute.
OWASP Validation Documentation rough draft released! - 18:22, 4 August 2006 (EDT)
The OWASP Validation Project is pleased to announce the immediate availability of the OWASP Validation Documentation rough draft. The documentation is the result of a tireless effort to provide clear design goals when implementing input validation in web applications. The following is the document abstract:
Correctly implementing an input validation mechanism for a custom application is extremely difficult. It is then inevitable that large web applications will fall victim to this class of vulnerability. Therefore, a developer should have a clear understanding of how to successfully design and implement a reusable input validation mechanism for their applications. The OWASP Validation Documentation attempts to fulfill this requirement by providing the necessary design principals as well as an example implementation. This document is structured such that if a developer were to incorporate all of the presented design principals, then the result will be a complete and reusable input validation engine.
Feedback and Participation
We hope you find the Validation Documentation useful. Please contribute back to the project by sending your comments, questions, and suggestions to Eric Sheridan