OWASP - User contributions [en]

Category:OWASP Stinger Project

2009-04-20T14:38:54Z

Weswest: /* Stinger News */

==Overview==

Developers consistently implement sporadic, ad-hoc input validation mechanisms for web applications. Lack of a centralized and well-defined input validation mechanism opens the application to a variety of attacks: including SQL Injection, Cross Site Scripting (XSS), and Command Injection. The OWASP Stinger Project aims to develop a centralized input validation component which can be easily applied to existing or developmental applications. Using a declarative security model, Stinger has the ability to validate all HTTP requests coming into an application. Stinger is such a simplistic yet strong validation engine that organizations have begun integrating it into their software development life-cycle.

==Project Lead==

The OWASP Stinger Project is looking for a new leader! If you are interested, please contact [mailto:Wesley.M.West@ge.com Wesley West].

==License==

Stinger is offered under the [http://www.gnu.org/copyleft/lesser.html LGPL]. For further information on OWASP licenses, please consult the [[OWASP Licenses]] page.

==Versions==

:*[[OWASP Stinger Version 2|Click here]] to view the OWASP Stinger 2.x Project page
:*'''''Deprecated''''' [[OWASP Stinger Version 1|Click here]] to view the OWASP Stinger 1.x Project page
:*'''''Defunct''''' [[OWASP Stinger Version 3|Click here]] to view the OWASP Stinger 3.x Project page

==Stinger News==

'''Latest version available! - 25 March 2009 '''

Well, I have updated the site with version 2.2.2 of Stinger for JDK 1.4. There have been some questions about why I have updated from version 2.2, rather than 2.5. This is because I have only been working with the version supporting JDK 1.4, as that's what my environments are. This version includes the fix to the MutableHTTPRequest to support multiple parameter values, as well as the fix to address the multipart vulnerability as included in 2.5.

I am trying to get the request object changes made to the later code to allow for a 2.6 release. But my schedule isn't allowing me much time to work on Stinger lately.

'''Major Flaw: New versions coming soon! - 26 August 2008 '''

In working with Stinger over the past year I have found some issues in the way that Stinger implemented handling of the HTTP request. In short, it overlooked the fact that a parameter can have multiple values. This has been corrected and will be available for download within the next week or two.

'''Security Fix: Stinger 2.5 Released - 13:32, 12 August 2007 (EDT)'''

Meder Kydyraliev recently brought to my attention a flawed assumption in the implementation of a J2EE filter-based input validation solution. Much of the J2EE HttpServletRequest API assumes the content of a POST request is form-urlencoded. Calls like "getParameter(String)" and "getParameterNames()" will only return values of a form-urlencoded POST request. Consequently, these API will return nothing of the body of the request is multipart encoded, allowing the attacker to bypass filter-based validation.

[http://www.owasp.org/index.php/Bypassing_servlet_input_validation_filters_%28OWASP_Stinger_%2B_Struts_example%29 Click here] for the original write-up provided by Meder Kydyraliev.

[http://www.owasp.org/index.php/OWASP_Stinger_Version_2 Click here] to download Stinger 2.5

'''Stinger 2.4 Released - 13:58, 21 May 2007 (EDT)'''

The OWASP Stinger Project is proud to release Stinger 2.4. As noted in RC1, this release is intended to address code quality issues as well as implement several community suggested updates. The following is a list of notable changes:

:*Backported the Stinger 3.0 "DROP/CONTINUE/PROCESS" doAction() logic. No need for "BreakChainException"
:*Cleaned up some code quality issues (removed all instances of System.out and printStackTrace, using interfaces properly, fixed synchronization issues)
:*Added the ability to define an "exclude" list which searches for patterns within a pattern. For example, if we allow the character '.' and the character '/', we may want to prevent instances of '../'. This can now be done by adding an "<exclude>../</exclude>" tag underneath the "<regex></regex>" element of a rule. See the example "stinger.xml" file included with the Stinger Eclipse project for more information.
:*Modified the Log action to hashsession ID's before logging them as well as fixed "getHandler()" property default bug
:*The inclusion of the "exclude-set" value which tells Stinger to do nothing with these pages. Useful for patterns that cover too much (ex. *.*)
:*The stinger.xml file is expected to be found relative to /WEB-INF. This means that we simply set the filter-init "config" parameter to "stinger.xml" rather than "C:\Documents and Settings....\WEB-INF\stinger.xml"
:*Removed the "DisplayMessage" action as it is not very useful
:*Added better logging throughout the code base

You can get the latest Stinger release [http://www.owasp.org/index.php/OWASP_Stinger_2_Releases here].

'''Stinger 2.4 RC1 Released - 11:40, 29 January 2007 (EST)'''

The OWASP Stinger Project is proud to release Stinger 2.4 RC1. This release is largely intended to address some code quality issues.

The following is a list of notable changes:

:* We now allow for an "exclude" option for each parameter. After defining a regular expression for a parameter, we can now define strings that should *NOT* exist within the input. For example, let us assume our regular expression accepts all numbers, characters, a period, and a slash (/). However, note that "aaa../../etc/passwd" would be considered a valid input. Therefore, we can specify an "exclude" tag to prevent such input:
...
<rule>
<name>file</name>
<regex>filetext</regex>
<exclude>../</exclude>
...
:* The "invalidate" action will properly clear the cookie from the user's browser.

The current list of tasks to complete is as follows:

:* Remove the absolute path dependence when specifying the Stinger configuration file in web.xml

As always, let me know if you have any suggestions for improving the Stinger 2.4 release!

[http://www.owasp.org/index.php/OWASP_Stinger_2_Releases Click here] for the Stinger 2.x release page.

'''[http://www.owasp.org/index.php/Stinger_News Click here for old news...]'''

==Feedback and Participation ==

We hope you find Stinger useful. Please contribute back to the project by sending your comments, questions, and suggestions to the Stinger mailing list. Thanks!

To join the OWASP Stinger mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-stinger subscription page].

==Donations==

The Open Web Application Security Project is purely an open-source community driven effort. As such, all projects and research efforts are contributed and maintained with an individual's ''spare time.'' If you have found this or any other project useful, please support OWASP with a [https://www.owasp.org/index.php/Contributions donation].

==Project Sponsors==

None at this time
[[Category:OWASP Validation Project]]

Category:OWASP Stinger Project

2009-04-17T17:18:14Z

Weswest: /* Project Lead */

==Overview==

Developers consistently implement sporadic, ad-hoc input validation mechanisms for web applications. Lack of a centralized and well-defined input validation mechanism opens the application to a variety of attacks: including SQL Injection, Cross Site Scripting (XSS), and Command Injection. The OWASP Stinger Project aims to develop a centralized input validation component which can be easily applied to existing or developmental applications. Using a declarative security model, Stinger has the ability to validate all HTTP requests coming into an application. Stinger is such a simplistic yet strong validation engine that organizations have begun integrating it into their software development life-cycle.

==Project Lead==

The OWASP Stinger Project is looking for a new leader! If you are interested, please contact [mailto:Wesley.M.West@ge.com Wesley West].

==License==

Stinger is offered under the [http://www.gnu.org/copyleft/lesser.html LGPL]. For further information on OWASP licenses, please consult the [[OWASP Licenses]] page.

==Versions==

:*[[OWASP Stinger Version 2|Click here]] to view the OWASP Stinger 2.x Project page
:*'''''Deprecated''''' [[OWASP Stinger Version 1|Click here]] to view the OWASP Stinger 1.x Project page
:*'''''Defunct''''' [[OWASP Stinger Version 3|Click here]] to view the OWASP Stinger 3.x Project page

==Stinger News==

'''Latest version available! - 25 March 2009 '''

Well, I have updated the site with version 2.2.2 of Stinger for JDK 1.4.

'''Major Flaw: New versions coming soon! - 26 August 2008 '''

In working with Stinger over the past year I have found some issues in the way that Stinger implemented handling of the HTTP request. In short, it overlooked the fact that a parameter can have multiple values. This has been corrected and will be available for download within the next week or two.

'''Security Fix: Stinger 2.5 Released - 13:32, 12 August 2007 (EDT)'''

Meder Kydyraliev recently brought to my attention a flawed assumption in the implementation of a J2EE filter-based input validation solution. Much of the J2EE HttpServletRequest API assumes the content of a POST request is form-urlencoded. Calls like "getParameter(String)" and "getParameterNames()" will only return values of a form-urlencoded POST request. Consequently, these API will return nothing of the body of the request is multipart encoded, allowing the attacker to bypass filter-based validation.

[http://www.owasp.org/index.php/Bypassing_servlet_input_validation_filters_%28OWASP_Stinger_%2B_Struts_example%29 Click here] for the original write-up provided by Meder Kydyraliev.

[http://www.owasp.org/index.php/OWASP_Stinger_Version_2 Click here] to download Stinger 2.5

'''Stinger 2.4 Released - 13:58, 21 May 2007 (EDT)'''

The OWASP Stinger Project is proud to release Stinger 2.4. As noted in RC1, this release is intended to address code quality issues as well as implement several community suggested updates. The following is a list of notable changes:

:*Backported the Stinger 3.0 "DROP/CONTINUE/PROCESS" doAction() logic. No need for "BreakChainException"
:*Cleaned up some code quality issues (removed all instances of System.out and printStackTrace, using interfaces properly, fixed synchronization issues)
:*Added the ability to define an "exclude" list which searches for patterns within a pattern. For example, if we allow the character '.' and the character '/', we may want to prevent instances of '../'. This can now be done by adding an "<exclude>../</exclude>" tag underneath the "<regex></regex>" element of a rule. See the example "stinger.xml" file included with the Stinger Eclipse project for more information.
:*Modified the Log action to hashsession ID's before logging them as well as fixed "getHandler()" property default bug
:*The inclusion of the "exclude-set" value which tells Stinger to do nothing with these pages. Useful for patterns that cover too much (ex. *.*)
:*The stinger.xml file is expected to be found relative to /WEB-INF. This means that we simply set the filter-init "config" parameter to "stinger.xml" rather than "C:\Documents and Settings....\WEB-INF\stinger.xml"
:*Removed the "DisplayMessage" action as it is not very useful
:*Added better logging throughout the code base

You can get the latest Stinger release [http://www.owasp.org/index.php/OWASP_Stinger_2_Releases here].

'''Stinger 2.4 RC1 Released - 11:40, 29 January 2007 (EST)'''

The OWASP Stinger Project is proud to release Stinger 2.4 RC1. This release is largely intended to address some code quality issues.

The following is a list of notable changes:

:* We now allow for an "exclude" option for each parameter. After defining a regular expression for a parameter, we can now define strings that should *NOT* exist within the input. For example, let us assume our regular expression accepts all numbers, characters, a period, and a slash (/). However, note that "aaa../../etc/passwd" would be considered a valid input. Therefore, we can specify an "exclude" tag to prevent such input:
...
<rule>
<name>file</name>
<regex>filetext</regex>
<exclude>../</exclude>
...
:* The "invalidate" action will properly clear the cookie from the user's browser.

The current list of tasks to complete is as follows:

:* Remove the absolute path dependence when specifying the Stinger configuration file in web.xml

As always, let me know if you have any suggestions for improving the Stinger 2.4 release!

[http://www.owasp.org/index.php/OWASP_Stinger_2_Releases Click here] for the Stinger 2.x release page.

'''[http://www.owasp.org/index.php/Stinger_News Click here for old news...]'''

==Feedback and Participation ==

We hope you find Stinger useful. Please contribute back to the project by sending your comments, questions, and suggestions to the Stinger mailing list. Thanks!

To join the OWASP Stinger mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-stinger subscription page].

==Donations==

The Open Web Application Security Project is purely an open-source community driven effort. As such, all projects and research efforts are contributed and maintained with an individual's ''spare time.'' If you have found this or any other project useful, please support OWASP with a [https://www.owasp.org/index.php/Contributions donation].

==Project Sponsors==

None at this time
[[Category:OWASP Validation Project]]

Category:OWASP Stinger Project

2009-03-25T17:53:59Z

Weswest: /* Versions */

==Overview==

Developers consistently implement sporadic, ad-hoc input validation mechanisms for web applications. Lack of a centralized and well-defined input validation mechanism opens the application to a variety of attacks: including SQL Injection, Cross Site Scripting (XSS), and Command Injection. The OWASP Stinger Project aims to develop a centralized input validation component which can be easily applied to existing or developmental applications. Using a declarative security model, Stinger has the ability to validate all HTTP requests coming into an application. Stinger is such a simplistic yet strong validation engine that organizations have begun integrating it into their software development life-cycle.

==Project Lead==

The OWASP Stinger Project leader is [mailto:Wesley.M.West@ge.com Wesley West].

==License==

Stinger is offered under the [http://www.gnu.org/copyleft/lesser.html LGPL]. For further information on OWASP licenses, please consult the [[OWASP Licenses]] page.

==Versions==

:*[[OWASP Stinger Version 2|Click here]] to view the OWASP Stinger 2.x Project page
:*'''''Deprecated''''' [[OWASP Stinger Version 1|Click here]] to view the OWASP Stinger 1.x Project page
:*'''''Defunct''''' [[OWASP Stinger Version 3|Click here]] to view the OWASP Stinger 3.x Project page

==Stinger News==

'''Latest version available! - 25 March 2009 '''

Well, I have updated the site with version 2.2.2 of Stinger for JDK 1.4.

'''Major Flaw: New versions coming soon! - 26 August 2008 '''

In working with Stinger over the past year I have found some issues in the way that Stinger implemented handling of the HTTP request. In short, it overlooked the fact that a parameter can have multiple values. This has been corrected and will be available for download within the next week or two.

'''Security Fix: Stinger 2.5 Released - 13:32, 12 August 2007 (EDT)'''

Meder Kydyraliev recently brought to my attention a flawed assumption in the implementation of a J2EE filter-based input validation solution. Much of the J2EE HttpServletRequest API assumes the content of a POST request is form-urlencoded. Calls like "getParameter(String)" and "getParameterNames()" will only return values of a form-urlencoded POST request. Consequently, these API will return nothing of the body of the request is multipart encoded, allowing the attacker to bypass filter-based validation.

[http://www.owasp.org/index.php/Bypassing_servlet_input_validation_filters_%28OWASP_Stinger_%2B_Struts_example%29 Click here] for the original write-up provided by Meder Kydyraliev.

[http://www.owasp.org/index.php/OWASP_Stinger_Version_2 Click here] to download Stinger 2.5

'''Stinger 2.4 Released - 13:58, 21 May 2007 (EDT)'''

The OWASP Stinger Project is proud to release Stinger 2.4. As noted in RC1, this release is intended to address code quality issues as well as implement several community suggested updates. The following is a list of notable changes:

:*Backported the Stinger 3.0 "DROP/CONTINUE/PROCESS" doAction() logic. No need for "BreakChainException"
:*Cleaned up some code quality issues (removed all instances of System.out and printStackTrace, using interfaces properly, fixed synchronization issues)
:*Added the ability to define an "exclude" list which searches for patterns within a pattern. For example, if we allow the character '.' and the character '/', we may want to prevent instances of '../'. This can now be done by adding an "<exclude>../</exclude>" tag underneath the "<regex></regex>" element of a rule. See the example "stinger.xml" file included with the Stinger Eclipse project for more information.
:*Modified the Log action to hashsession ID's before logging them as well as fixed "getHandler()" property default bug
:*The inclusion of the "exclude-set" value which tells Stinger to do nothing with these pages. Useful for patterns that cover too much (ex. *.*)
:*The stinger.xml file is expected to be found relative to /WEB-INF. This means that we simply set the filter-init "config" parameter to "stinger.xml" rather than "C:\Documents and Settings....\WEB-INF\stinger.xml"
:*Removed the "DisplayMessage" action as it is not very useful
:*Added better logging throughout the code base

You can get the latest Stinger release [http://www.owasp.org/index.php/OWASP_Stinger_2_Releases here].

'''Stinger 2.4 RC1 Released - 11:40, 29 January 2007 (EST)'''

The OWASP Stinger Project is proud to release Stinger 2.4 RC1. This release is largely intended to address some code quality issues.

The following is a list of notable changes:

:* We now allow for an "exclude" option for each parameter. After defining a regular expression for a parameter, we can now define strings that should *NOT* exist within the input. For example, let us assume our regular expression accepts all numbers, characters, a period, and a slash (/). However, note that "aaa../../etc/passwd" would be considered a valid input. Therefore, we can specify an "exclude" tag to prevent such input:
...
<rule>
<name>file</name>
<regex>filetext</regex>
<exclude>../</exclude>
...
:* The "invalidate" action will properly clear the cookie from the user's browser.

The current list of tasks to complete is as follows:

:* Remove the absolute path dependence when specifying the Stinger configuration file in web.xml

As always, let me know if you have any suggestions for improving the Stinger 2.4 release!

[http://www.owasp.org/index.php/OWASP_Stinger_2_Releases Click here] for the Stinger 2.x release page.

'''[http://www.owasp.org/index.php/Stinger_News Click here for old news...]'''

==Feedback and Participation ==

We hope you find Stinger useful. Please contribute back to the project by sending your comments, questions, and suggestions to the Stinger mailing list. Thanks!

To join the OWASP Stinger mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-stinger subscription page].

==Donations==

The Open Web Application Security Project is purely an open-source community driven effort. As such, all projects and research efforts are contributed and maintained with an individual's ''spare time.'' If you have found this or any other project useful, please support OWASP with a [https://www.owasp.org/index.php/Contributions donation].

==Project Sponsors==

None at this time
[[Category:OWASP Validation Project]]

OWASP Stinger Version 2

2009-03-25T17:42:48Z

Weswest: /* Project Sponsors */

==Overview==

The J2EE platform does not include any validation features. This leaves many organizations to craft their own validation mechanisms, often incomplete, flawed, and inefficient.

OWASP Stinger 2.x is an implementation of the design principals detailed in the [http://www.owasp.org/index.php/OWASP_Validation_Documentation_Project OWASP Validation Documentation]. The basic idea is to define validation rules for the cookies and parameters of an HTTP request. These rules are specified in simple XML files using the 'Security Validation Definition Language.' Furthermore, Stinger 2 is implemented as a J2EE filter such that all HTTP traffic is validated ''before'' it is ever processed by the web application.

==Project Lead==

The OWASP Stinger Project leader is [mailto:Wesley.M.West@ge.com Wesley West].

==License==

Stinger is offered under the [http://www.gnu.org/copyleft/lesser.html LGPL]. For further information on OWASP licenses, please consult the [[OWASP Licenses]] page.

==Downloads==

:*[http://www.owasp.org/index.php/OWASP_Stinger_2_Releases Click here] to view all OWASP Stinger 2.x releases
:*[http://www.owasp.org/index.php/OWASP_Stinger_Manual Click here] to view the OWASP Stinger 2.x Manual

==Feedback and Participation ==

We hope you find Stinger useful. Please contribute back to the project by sending your comments, questions, and suggestions to the Stinger mailing list. Thanks!

To join the OWASP Stinger mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-stinger subscription page].

==Donations==

The Open Web Application Security Project is purely an open-source community driven effort. As such, all projects and research efforts are contributed and maintained with an individual's ''spare time.'' If you have found this or any other project useful, please support OWASP with a [https://www.owasp.org/index.php/Contributions donation].

==Project Sponsors==

None at this time.

[[Category:OWASP Stinger Project]]

File:Stinger-2.2.2-Release-JDK1.4.jar

2009-03-25T17:41:41Z

Weswest: uploaded a new version of "Image:Stinger-2.2.2-Release-JDK1.4.jar"

OWASP Stinger Version 2

2009-03-25T17:40:29Z

Weswest: /* Downloads */

==Overview==

The J2EE platform does not include any validation features. This leaves many organizations to craft their own validation mechanisms, often incomplete, flawed, and inefficient.

OWASP Stinger 2.x is an implementation of the design principals detailed in the [http://www.owasp.org/index.php/OWASP_Validation_Documentation_Project OWASP Validation Documentation]. The basic idea is to define validation rules for the cookies and parameters of an HTTP request. These rules are specified in simple XML files using the 'Security Validation Definition Language.' Furthermore, Stinger 2 is implemented as a J2EE filter such that all HTTP traffic is validated ''before'' it is ever processed by the web application.

==Project Lead==

The OWASP Stinger Project leader is [mailto:Wesley.M.West@ge.com Wesley West].

==License==

Stinger is offered under the [http://www.gnu.org/copyleft/lesser.html LGPL]. For further information on OWASP licenses, please consult the [[OWASP Licenses]] page.

==Downloads==

:*[http://www.owasp.org/index.php/OWASP_Stinger_2_Releases Click here] to view all OWASP Stinger 2.x releases
:*[http://www.owasp.org/index.php/OWASP_Stinger_Manual Click here] to view the OWASP Stinger 2.x Manual

==Feedback and Participation ==

We hope you find Stinger useful. Please contribute back to the project by sending your comments, questions, and suggestions to the Stinger mailing list. Thanks!

To join the OWASP Stinger mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-stinger subscription page].

==Donations==

The Open Web Application Security Project is purely an open-source community driven effort. As such, all projects and research efforts are contributed and maintained with an individual's ''spare time.'' If you have found this or any other project useful, please support OWASP with a [https://www.owasp.org/index.php/Contributions donation].

==Project Sponsors==

The OWASP Stinger project is sponsored by [http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif].

[[Category:OWASP Stinger Project]]

Category:OWASP Stinger Project

2009-03-25T17:39:35Z

Weswest: /* Stinger News */

==Overview==

Developers consistently implement sporadic, ad-hoc input validation mechanisms for web applications. Lack of a centralized and well-defined input validation mechanism opens the application to a variety of attacks: including SQL Injection, Cross Site Scripting (XSS), and Command Injection. The OWASP Stinger Project aims to develop a centralized input validation component which can be easily applied to existing or developmental applications. Using a declarative security model, Stinger has the ability to validate all HTTP requests coming into an application. Stinger is such a simplistic yet strong validation engine that organizations have begun integrating it into their software development life-cycle.

==Project Lead==

The OWASP Stinger Project leader is [mailto:Wesley.M.West@ge.com Wesley West].

==License==

Stinger is offered under the [http://www.gnu.org/copyleft/lesser.html LGPL]. For further information on OWASP licenses, please consult the [[OWASP Licenses]] page.

==Versions==

:*[[OWASP Stinger Version 1|Click here]] to view the OWASP Stinger 1.x Project page
:*[[OWASP Stinger Version 2|Click here]] to view the OWASP Stinger 2.x Project page
:*[[OWASP Stinger Version 3|Click here]] to view the OWASP Stinger 3.x Project page

==Stinger News==

'''Latest version available! - 25 March 2009 '''

Well, I have updated the site with version 2.2.2 of Stinger for JDK 1.4.

'''Major Flaw: New versions coming soon! - 26 August 2008 '''

In working with Stinger over the past year I have found some issues in the way that Stinger implemented handling of the HTTP request. In short, it overlooked the fact that a parameter can have multiple values. This has been corrected and will be available for download within the next week or two.

'''Security Fix: Stinger 2.5 Released - 13:32, 12 August 2007 (EDT)'''

Meder Kydyraliev recently brought to my attention a flawed assumption in the implementation of a J2EE filter-based input validation solution. Much of the J2EE HttpServletRequest API assumes the content of a POST request is form-urlencoded. Calls like "getParameter(String)" and "getParameterNames()" will only return values of a form-urlencoded POST request. Consequently, these API will return nothing of the body of the request is multipart encoded, allowing the attacker to bypass filter-based validation.

[http://www.owasp.org/index.php/Bypassing_servlet_input_validation_filters_%28OWASP_Stinger_%2B_Struts_example%29 Click here] for the original write-up provided by Meder Kydyraliev.

[http://www.owasp.org/index.php/OWASP_Stinger_Version_2 Click here] to download Stinger 2.5

'''Stinger 2.4 Released - 13:58, 21 May 2007 (EDT)'''

The OWASP Stinger Project is proud to release Stinger 2.4. As noted in RC1, this release is intended to address code quality issues as well as implement several community suggested updates. The following is a list of notable changes:

:*Backported the Stinger 3.0 "DROP/CONTINUE/PROCESS" doAction() logic. No need for "BreakChainException"
:*Cleaned up some code quality issues (removed all instances of System.out and printStackTrace, using interfaces properly, fixed synchronization issues)
:*Added the ability to define an "exclude" list which searches for patterns within a pattern. For example, if we allow the character '.' and the character '/', we may want to prevent instances of '../'. This can now be done by adding an "<exclude>../</exclude>" tag underneath the "<regex></regex>" element of a rule. See the example "stinger.xml" file included with the Stinger Eclipse project for more information.
:*Modified the Log action to hashsession ID's before logging them as well as fixed "getHandler()" property default bug
:*The inclusion of the "exclude-set" value which tells Stinger to do nothing with these pages. Useful for patterns that cover too much (ex. *.*)
:*The stinger.xml file is expected to be found relative to /WEB-INF. This means that we simply set the filter-init "config" parameter to "stinger.xml" rather than "C:\Documents and Settings....\WEB-INF\stinger.xml"
:*Removed the "DisplayMessage" action as it is not very useful
:*Added better logging throughout the code base

You can get the latest Stinger release [http://www.owasp.org/index.php/OWASP_Stinger_2_Releases here].

'''Stinger 2.4 RC1 Released - 11:40, 29 January 2007 (EST)'''

The OWASP Stinger Project is proud to release Stinger 2.4 RC1. This release is largely intended to address some code quality issues.

The following is a list of notable changes:

:* We now allow for an "exclude" option for each parameter. After defining a regular expression for a parameter, we can now define strings that should *NOT* exist within the input. For example, let us assume our regular expression accepts all numbers, characters, a period, and a slash (/). However, note that "aaa../../etc/passwd" would be considered a valid input. Therefore, we can specify an "exclude" tag to prevent such input:
...
<rule>
<name>file</name>
<regex>filetext</regex>
<exclude>../</exclude>
...
:* The "invalidate" action will properly clear the cookie from the user's browser.

The current list of tasks to complete is as follows:

:* Remove the absolute path dependence when specifying the Stinger configuration file in web.xml

As always, let me know if you have any suggestions for improving the Stinger 2.4 release!

[http://www.owasp.org/index.php/OWASP_Stinger_2_Releases Click here] for the Stinger 2.x release page.

'''[http://www.owasp.org/index.php/Stinger_News Click here for old news...]'''

==Feedback and Participation ==

We hope you find Stinger useful. Please contribute back to the project by sending your comments, questions, and suggestions to the Stinger mailing list. Thanks!

To join the OWASP Stinger mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-stinger subscription page].

==Donations==

The Open Web Application Security Project is purely an open-source community driven effort. As such, all projects and research efforts are contributed and maintained with an individual's ''spare time.'' If you have found this or any other project useful, please support OWASP with a [https://www.owasp.org/index.php/Contributions donation].

==Project Sponsors==

None at this time
[[Category:OWASP Validation Project]]

OWASP Stinger 2 Releases

2009-03-25T17:27:22Z

Weswest: /* Stinger 2.2 - Latest Build! */

==Stinger 2.2.2 - Latest Build!==
Fixed fundamental issues with request objects and included multipart check from 2.5

===JDK 1.4===

[http://www.owasp.org/index.php/Image:Stinger-2.2.2-Release-JDK1.4.jar Click here] to download Stinger 2.2 Release for JDK 1.4

[http://www.owasp.org/index.php/Image:Stinger-2.2.2-Release-JDK1.4.zip Click here] to download Stinger 2.2 Release Eclipse Project for JDK 1.4

==Stinger 2.5==

=== JDK 5.0 ===

[https://www.owasp.org/index.php/Image:Stinger-2.5.jar Click here] to download Stinger 2.5 for JDK 5.0

[https://www.owasp.org/index.php/Image:Stinger-2.5.zip Click here] to download Stinger 2.5 Eclipse Project for JDK 5.0

==Stinger 2.4==

=== JDK 5.0 ===

[https://www.owasp.org/index.php/Image:Stinger-2.4.jar Click here] to download Stinger 2.4 for JDK 5.0

[https://www.owasp.org/index.php/Image:Stinger-2.4.zip Click here] to download Stinger 2.4 Eclipse Project for JDK 5.0

==Stinger 2.4 RC1==

=== JDK 5.0 ===

[http://www.owasp.org/index.php/Image:Stinger-2.4-RC1-20070129.jar Click here] to download Stinger 2.4 RC1 for JDK 5.0

[http://www.owasp.org/index.php/Image:Stinger-2.4-RC1.zip Click here] to download Stinger 2.4 RC1 Eclipse Project for JDK 5.0

==Stinger 2.2==

===JDK 5.0===

[http://www.owasp.org/index.php/Image:Stinger-2.2-Release-JDK5.0.jar Click here] to download Stinger 2.2 Release for JDK 5.0

[http://www.owasp.org/index.php/Image:Stinger-2.2-Release-JDK5.0.zip Click here] to download Stinger 2.2 Release Eclipse Project for JDK 5.0

===JDK 1.4===

[http://www.owasp.org/index.php/Image:Stinger-2.2.2-Release-JDK1.4.jar Click here] to download Stinger 2.2 Release for JDK 1.4

[http://www.owasp.org/index.php/Image:Stinger-2.2.2-Release-JDK1.4.zip Click here] to download Stinger 2.2 Release Eclipse Project for JDK 1.4

==Stinger 2.0==

===JDK 5.0===

[http://www.owasp.org/index.php/Image:Stinger-2.0-Lite-Release-JDK5-20061102.jar Click here] to download Stinger 2.0 Release for JDK 5.0

[http://www.owasp.org/index.php/Image:Stinger-2.0-Lite-Release-JDK50.zip Click here] to download the Stinger 2.0 Release Eclipse Project!

==Stinger 2.0 Development==

===JDK 5.0===

[http://www.owasp.org/releases/Stinger/2.0rc1/Stinger-2.0-Lite-rc1-20060926.jar Click here] to download the Stinger 2.0 RC1 deployment jar file!

[http://www.owasp.org/releases/Stinger/2.0rc1/Stinger-2.0-Lite.zip Click here] to download the Stinger 2.0 RC1 Eclipse project!

[http://www.owasp.org/releases/Stinger/2.0beta1/Stinger2.0Beta1.2.zip Click here] to download Stinger 2.0 Beta 1!

File:Stinger-2.2.2-Release-JDK1.4.zip

2009-03-25T17:24:46Z

Weswest: uploaded a new version of "Image:Stinger-2.2.2-Release-JDK1.4.zip"

Category:OWASP Stinger Project

2009-03-25T17:16:50Z

Weswest: /* Project Sponsors */

==Overview==

Developers consistently implement sporadic, ad-hoc input validation mechanisms for web applications. Lack of a centralized and well-defined input validation mechanism opens the application to a variety of attacks: including SQL Injection, Cross Site Scripting (XSS), and Command Injection. The OWASP Stinger Project aims to develop a centralized input validation component which can be easily applied to existing or developmental applications. Using a declarative security model, Stinger has the ability to validate all HTTP requests coming into an application. Stinger is such a simplistic yet strong validation engine that organizations have begun integrating it into their software development life-cycle.

==Project Lead==

The OWASP Stinger Project leader is [mailto:Wesley.M.West@ge.com Wesley West].

==License==

Stinger is offered under the [http://www.gnu.org/copyleft/lesser.html LGPL]. For further information on OWASP licenses, please consult the [[OWASP Licenses]] page.

==Versions==

:*[[OWASP Stinger Version 1|Click here]] to view the OWASP Stinger 1.x Project page
:*[[OWASP Stinger Version 2|Click here]] to view the OWASP Stinger 2.x Project page
:*[[OWASP Stinger Version 3|Click here]] to view the OWASP Stinger 3.x Project page

==Stinger News==

'''Major Flaw: New versions coming soon! - 26 August 2008 '''

In working with Stinger over the past year I have found some issues in the way that Stinger implemented handling of the HTTP request. In short, it overlooked the fact that a parameter can have multiple values. This has been corrected and will be available for download within the next week or two.

'''Security Fix: Stinger 2.5 Released - 13:32, 12 August 2007 (EDT)'''

Meder Kydyraliev recently brought to my attention a flawed assumption in the implementation of a J2EE filter-based input validation solution. Much of the J2EE HttpServletRequest API assumes the content of a POST request is form-urlencoded. Calls like "getParameter(String)" and "getParameterNames()" will only return values of a form-urlencoded POST request. Consequently, these API will return nothing of the body of the request is multipart encoded, allowing the attacker to bypass filter-based validation.

[http://www.owasp.org/index.php/Bypassing_servlet_input_validation_filters_%28OWASP_Stinger_%2B_Struts_example%29 Click here] for the original write-up provided by Meder Kydyraliev.

[http://www.owasp.org/index.php/OWASP_Stinger_Version_2 Click here] to download Stinger 2.5

'''Stinger 2.4 Released - 13:58, 21 May 2007 (EDT)'''

The OWASP Stinger Project is proud to release Stinger 2.4. As noted in RC1, this release is intended to address code quality issues as well as implement several community suggested updates. The following is a list of notable changes:

:*Backported the Stinger 3.0 "DROP/CONTINUE/PROCESS" doAction() logic. No need for "BreakChainException"
:*Cleaned up some code quality issues (removed all instances of System.out and printStackTrace, using interfaces properly, fixed synchronization issues)
:*Added the ability to define an "exclude" list which searches for patterns within a pattern. For example, if we allow the character '.' and the character '/', we may want to prevent instances of '../'. This can now be done by adding an "<exclude>../</exclude>" tag underneath the "<regex></regex>" element of a rule. See the example "stinger.xml" file included with the Stinger Eclipse project for more information.
:*Modified the Log action to hashsession ID's before logging them as well as fixed "getHandler()" property default bug
:*The inclusion of the "exclude-set" value which tells Stinger to do nothing with these pages. Useful for patterns that cover too much (ex. *.*)
:*The stinger.xml file is expected to be found relative to /WEB-INF. This means that we simply set the filter-init "config" parameter to "stinger.xml" rather than "C:\Documents and Settings....\WEB-INF\stinger.xml"
:*Removed the "DisplayMessage" action as it is not very useful
:*Added better logging throughout the code base

You can get the latest Stinger release [http://www.owasp.org/index.php/OWASP_Stinger_2_Releases here].

'''Stinger 2.4 RC1 Released - 11:40, 29 January 2007 (EST)'''

The OWASP Stinger Project is proud to release Stinger 2.4 RC1. This release is largely intended to address some code quality issues.

The following is a list of notable changes:

:* We now allow for an "exclude" option for each parameter. After defining a regular expression for a parameter, we can now define strings that should *NOT* exist within the input. For example, let us assume our regular expression accepts all numbers, characters, a period, and a slash (/). However, note that "aaa../../etc/passwd" would be considered a valid input. Therefore, we can specify an "exclude" tag to prevent such input:
...
<rule>
<name>file</name>
<regex>filetext</regex>
<exclude>../</exclude>
...
:* The "invalidate" action will properly clear the cookie from the user's browser.

The current list of tasks to complete is as follows:

:* Remove the absolute path dependence when specifying the Stinger configuration file in web.xml

As always, let me know if you have any suggestions for improving the Stinger 2.4 release!

[http://www.owasp.org/index.php/OWASP_Stinger_2_Releases Click here] for the Stinger 2.x release page.

'''[http://www.owasp.org/index.php/Stinger_News Click here for old news...]'''

==Feedback and Participation ==

We hope you find Stinger useful. Please contribute back to the project by sending your comments, questions, and suggestions to the Stinger mailing list. Thanks!

To join the OWASP Stinger mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-stinger subscription page].

==Donations==

The Open Web Application Security Project is purely an open-source community driven effort. As such, all projects and research efforts are contributed and maintained with an individual's ''spare time.'' If you have found this or any other project useful, please support OWASP with a [https://www.owasp.org/index.php/Contributions donation].

==Project Sponsors==

None at this time
[[Category:OWASP Validation Project]]

OWASP Stinger Version 3

2009-03-25T17:15:43Z

Weswest: /* Overview */

==Overview==

'''Development work on version 3 never got much past the concept stage as there was significant work to do to stabilize the previous versions and correct some problems. '''
The J2EE platform does not include any validation features. This leaves many organizations to craft their own validation mechanisms, often incomplete, flawed, and inefficient.

The 3.x series will mark the inclusion of web application firewall specific features. OWASP Stinger 3.x will have some of the following notable features:

:* Validation of the entire HTTP request: including URI, headers, cookies, and parameters
:* A robust "learning" mode to make rule generation simplistic and efficient.
:* A full web application dedicated to editing the OWASP Stinger configuration files

Check out the full list of new features being implemented at the [http://www.owasp.org/index.php/OWASP_Stinger_3_Ideas OWASP Stinger 3.x ideas page].

==Project Lead==

The OWASP Stinger Project leader is [mailto:Wesley.M.West@ge.com Wesley West].

==License==

Stinger is offered under the [http://www.gnu.org/copyleft/lesser.html LGPL]. For further information on OWASP licenses, please consult the [[OWASP Licenses]] page.

==Downloads==

:*[http://www.owasp.org/index.php/OWASP_Stinger_3_Ideas Click here] to view the OWASP Stinger 3.x ideas page!
:* Due to the development status of Stinger 3.0, no downloads currently exist.

==Feedback and Participation ==

We hope you find Stinger useful. Please contribute back to the project by sending your comments, questions, and suggestions to the Stinger mailing list. Thanks!

To join the OWASP Stinger mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-stinger subscription page].

==Donations==

The Open Web Application Security Project is purely an open-source community driven effort. As such, all projects and research efforts are contributed and maintained with an individual's ''spare time.'' If you have found this or any other project useful, please support OWASP with a [https://www.owasp.org/index.php/Contributions donation].

==Project Sponsors==

The OWASP Stinger project is sponsored by [http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif].

[[Category:OWASP Stinger Project]]

OWASP Stinger Version 3

2009-03-25T17:15:17Z

Weswest: /* Overview */

==Overview==

Development work on version 3 never got much past the concept stage as there was significant work to do to stabilize the previous versions and correct some problems.

The J2EE platform does not include any validation features. This leaves many organizations to craft their own validation mechanisms, often incomplete, flawed, and inefficient.

The 3.x series will mark the inclusion of web application firewall specific features. OWASP Stinger 3.x will have some of the following notable features:

:* Validation of the entire HTTP request: including URI, headers, cookies, and parameters
:* A robust "learning" mode to make rule generation simplistic and efficient.
:* A full web application dedicated to editing the OWASP Stinger configuration files

Check out the full list of new features being implemented at the [http://www.owasp.org/index.php/OWASP_Stinger_3_Ideas OWASP Stinger 3.x ideas page].

==Project Lead==

The OWASP Stinger Project leader is [mailto:Wesley.M.West@ge.com Wesley West].

==License==

Stinger is offered under the [http://www.gnu.org/copyleft/lesser.html LGPL]. For further information on OWASP licenses, please consult the [[OWASP Licenses]] page.

==Downloads==

:*[http://www.owasp.org/index.php/OWASP_Stinger_3_Ideas Click here] to view the OWASP Stinger 3.x ideas page!
:* Due to the development status of Stinger 3.0, no downloads currently exist.

==Feedback and Participation ==

We hope you find Stinger useful. Please contribute back to the project by sending your comments, questions, and suggestions to the Stinger mailing list. Thanks!

To join the OWASP Stinger mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-stinger subscription page].

==Donations==

The Open Web Application Security Project is purely an open-source community driven effort. As such, all projects and research efforts are contributed and maintained with an individual's ''spare time.'' If you have found this or any other project useful, please support OWASP with a [https://www.owasp.org/index.php/Contributions donation].

==Project Sponsors==

The OWASP Stinger project is sponsored by [http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif].

[[Category:OWASP Stinger Project]]

OWASP Stinger 2 Releases

2008-11-12T15:47:42Z

Weswest:

==Stinger 2.2 - Latest Build!==

===JDK 1.4===

[http://www.owasp.org/index.php/Image:Stinger-2.2.2-Release-JDK1.4.jar Click here] to download Stinger 2.2 Release for JDK 1.4

[http://www.owasp.org/index.php/Image:Stinger-2.2.2-Release-JDK1.4.zip Click here] to download Stinger 2.2 Release Eclipse Project for JDK 1.4

==Stinger 2.5==

=== JDK 5.0 ===

[https://www.owasp.org/index.php/Image:Stinger-2.5.jar Click here] to download Stinger 2.5 for JDK 5.0

[https://www.owasp.org/index.php/Image:Stinger-2.5.zip Click here] to download Stinger 2.5 Eclipse Project for JDK 5.0

==Stinger 2.4==

=== JDK 5.0 ===

[https://www.owasp.org/index.php/Image:Stinger-2.4.jar Click here] to download Stinger 2.4 for JDK 5.0

[https://www.owasp.org/index.php/Image:Stinger-2.4.zip Click here] to download Stinger 2.4 Eclipse Project for JDK 5.0

==Stinger 2.4 RC1==

=== JDK 5.0 ===

[http://www.owasp.org/index.php/Image:Stinger-2.4-RC1-20070129.jar Click here] to download Stinger 2.4 RC1 for JDK 5.0

[http://www.owasp.org/index.php/Image:Stinger-2.4-RC1.zip Click here] to download Stinger 2.4 RC1 Eclipse Project for JDK 5.0

==Stinger 2.2==

===JDK 5.0===

[http://www.owasp.org/index.php/Image:Stinger-2.2-Release-JDK5.0.jar Click here] to download Stinger 2.2 Release for JDK 5.0

[http://www.owasp.org/index.php/Image:Stinger-2.2-Release-JDK5.0.zip Click here] to download Stinger 2.2 Release Eclipse Project for JDK 5.0

===JDK 1.4===

[http://www.owasp.org/index.php/Image:Stinger-2.2.2-Release-JDK1.4.jar Click here] to download Stinger 2.2 Release for JDK 1.4

[http://www.owasp.org/index.php/Image:Stinger-2.2.2-Release-JDK1.4.zip Click here] to download Stinger 2.2 Release Eclipse Project for JDK 1.4

==Stinger 2.0==

===JDK 5.0===

[http://www.owasp.org/index.php/Image:Stinger-2.0-Lite-Release-JDK5-20061102.jar Click here] to download Stinger 2.0 Release for JDK 5.0

[http://www.owasp.org/index.php/Image:Stinger-2.0-Lite-Release-JDK50.zip Click here] to download the Stinger 2.0 Release Eclipse Project!

==Stinger 2.0 Development==

===JDK 5.0===

[http://www.owasp.org/releases/Stinger/2.0rc1/Stinger-2.0-Lite-rc1-20060926.jar Click here] to download the Stinger 2.0 RC1 deployment jar file!

[http://www.owasp.org/releases/Stinger/2.0rc1/Stinger-2.0-Lite.zip Click here] to download the Stinger 2.0 RC1 Eclipse project!

[http://www.owasp.org/releases/Stinger/2.0beta1/Stinger2.0Beta1.2.zip Click here] to download Stinger 2.0 Beta 1!

File:Stinger-2.2.2-Release-JDK1.4.jar

2008-11-12T15:39:43Z

Weswest:

File:Stinger-2.2.2-Release-JDK1.4.zip

2008-11-12T15:35:11Z

Weswest:

OWASP Stinger Version 1

2008-08-26T18:44:18Z

Weswest: /* Downloads */

==Overview==

The J2EE platform does not include any validation features. This leaves many organizations to craft their own validation mechanisms, often incomplete, flawed, and inefficient. The basic idea is to define validation rules for the headers, cookies, and parameters of an HTTP request. These rules are specified in simple XML files using the 'Security Validation Definition Language.'

==Project Lead==

The OWASP Stinger Project leader is [mailto:Wesley.M.West@ge.com Wesley West].

==License==

Stinger is offered under the [http://www.gnu.org/copyleft/lesser.html LGPL]. For further information on OWASP licenses, please consult the [[OWASP Licenses]] page.

==Downloads==

The 1.x version is no longer maintained or supported.

:*[http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=130521 Click here] to download the latest version of the OWASP Stinger 1.x series
:*[http://www.owasp.org/index.php/How_to_Build_an_HTTP_Request_Validation_Engine_for_Your_J2EE_Application Click here] to read about the OWASP Stinger 1.0 implementation

==Feedback and Participation ==

We hope you find Stinger useful. Please contribute back to the project by sending your comments, questions, and suggestions to the Stinger mailing list. Thanks!

To join the OWASP Stinger mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-stinger subscription page].

==Donations==

The Open Web Application Security Project is purely an open-source community driven effort. As such, all projects and research efforts are contributed and maintained with an individual's ''spare time.'' If you have found this or any other project useful, please support OWASP with a [https://www.owasp.org/index.php/Contributions donation].

==Project Sponsors==

The OWASP Stinger project is sponsored by [http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif].

[[Category:OWASP Stinger Project]]

Category:OWASP Stinger Project

2008-08-26T16:18:06Z

Weswest: /* Stinger News */

==Overview==

Developers consistently implement sporadic, ad-hoc input validation mechanisms for web applications. Lack of a centralized and well-defined input validation mechanism opens the application to a variety of attacks: including SQL Injection, Cross Site Scripting (XSS), and Command Injection. The OWASP Stinger Project aims to develop a centralized input validation component which can be easily applied to existing or developmental applications. Using a declarative security model, Stinger has the ability to validate all HTTP requests coming into an application. Stinger is such a simplistic yet strong validation engine that organizations have begun integrating it into their software development life-cycle.

==Project Lead==

The OWASP Stinger Project leader is [mailto:Wesley.M.West@ge.com Wesley West].

==License==

Stinger is offered under the [http://www.gnu.org/copyleft/lesser.html LGPL]. For further information on OWASP licenses, please consult the [[OWASP Licenses]] page.

==Versions==

:*[[OWASP Stinger Version 1|Click here]] to view the OWASP Stinger 1.x Project page
:*[[OWASP Stinger Version 2|Click here]] to view the OWASP Stinger 2.x Project page
:*[[OWASP Stinger Version 3|Click here]] to view the OWASP Stinger 3.x Project page

==Stinger News==

'''Major Flaw: New versions coming soon! - 26 August 2008 '''

In working with Stinger over the past year I have found some issues in the way that Stinger implemented handling of the HTTP request. In short, it overlooked the fact that a parameter can have multiple values. This has been corrected and will be available for download within the next week or two.

'''Security Fix: Stinger 2.5 Released - 13:32, 12 August 2007 (EDT)'''

Meder Kydyraliev recently brought to my attention a flawed assumption in the implementation of a J2EE filter-based input validation solution. Much of the J2EE HttpServletRequest API assumes the content of a POST request is form-urlencoded. Calls like "getParameter(String)" and "getParameterNames()" will only return values of a form-urlencoded POST request. Consequently, these API will return nothing of the body of the request is multipart encoded, allowing the attacker to bypass filter-based validation.

[http://www.owasp.org/index.php/Bypassing_servlet_input_validation_filters_%28OWASP_Stinger_%2B_Struts_example%29 Click here] for the original write-up provided by Meder Kydyraliev.

[http://www.owasp.org/index.php/OWASP_Stinger_Version_2 Click here] to download Stinger 2.5

'''Stinger 2.4 Released - 13:58, 21 May 2007 (EDT)'''

The OWASP Stinger Project is proud to release Stinger 2.4. As noted in RC1, this release is intended to address code quality issues as well as implement several community suggested updates. The following is a list of notable changes:

:*Backported the Stinger 3.0 "DROP/CONTINUE/PROCESS" doAction() logic. No need for "BreakChainException"
:*Cleaned up some code quality issues (removed all instances of System.out and printStackTrace, using interfaces properly, fixed synchronization issues)
:*Added the ability to define an "exclude" list which searches for patterns within a pattern. For example, if we allow the character '.' and the character '/', we may want to prevent instances of '../'. This can now be done by adding an "<exclude>../</exclude>" tag underneath the "<regex></regex>" element of a rule. See the example "stinger.xml" file included with the Stinger Eclipse project for more information.
:*Modified the Log action to hashsession ID's before logging them as well as fixed "getHandler()" property default bug
:*The inclusion of the "exclude-set" value which tells Stinger to do nothing with these pages. Useful for patterns that cover too much (ex. *.*)
:*The stinger.xml file is expected to be found relative to /WEB-INF. This means that we simply set the filter-init "config" parameter to "stinger.xml" rather than "C:\Documents and Settings....\WEB-INF\stinger.xml"
:*Removed the "DisplayMessage" action as it is not very useful
:*Added better logging throughout the code base

You can get the latest Stinger release [http://www.owasp.org/index.php/OWASP_Stinger_2_Releases here].

'''Stinger 2.4 RC1 Released - 11:40, 29 January 2007 (EST)'''

The OWASP Stinger Project is proud to release Stinger 2.4 RC1. This release is largely intended to address some code quality issues.

The following is a list of notable changes:

:* We now allow for an "exclude" option for each parameter. After defining a regular expression for a parameter, we can now define strings that should *NOT* exist within the input. For example, let us assume our regular expression accepts all numbers, characters, a period, and a slash (/). However, note that "aaa../../etc/passwd" would be considered a valid input. Therefore, we can specify an "exclude" tag to prevent such input:
...
<rule>
<name>file</name>
<regex>filetext</regex>
<exclude>../</exclude>
...
:* The "invalidate" action will properly clear the cookie from the user's browser.

The current list of tasks to complete is as follows:

:* Remove the absolute path dependence when specifying the Stinger configuration file in web.xml

As always, let me know if you have any suggestions for improving the Stinger 2.4 release!

[http://www.owasp.org/index.php/OWASP_Stinger_2_Releases Click here] for the Stinger 2.x release page.

'''[http://www.owasp.org/index.php/Stinger_News Click here for old news...]'''

==Feedback and Participation ==

We hope you find Stinger useful. Please contribute back to the project by sending your comments, questions, and suggestions to the Stinger mailing list. Thanks!

To join the OWASP Stinger mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-stinger subscription page].

==Donations==

The Open Web Application Security Project is purely an open-source community driven effort. As such, all projects and research efforts are contributed and maintained with an individual's ''spare time.'' If you have found this or any other project useful, please support OWASP with a [https://www.owasp.org/index.php/Contributions donation].

==Project Sponsors==

The OWASP Stinger project is sponsored by [http://www.aspectsecurity.com https://www.owasp.org/images/d/d1/Aspect_logo.gif].

[[Category:OWASP Validation Project]]