
Difference between revisions of "Category:OWASP Validation Project"

(19 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 +
{{:Template:Orphaned Projects}}
 +
 +
==== Main  ====
 +
 
=Overview=
 
=Overview=
  
Line 7: Line 11:
 
Currently, there are several projects underway to create validation technologies for various platforms. The long term goal is to provide a detailed guide for implementing proper input validation as well as provide validation engines for popular web application environments.
 
Currently, there are several projects underway to create validation technologies for various platforms. The long term goal is to provide a detailed guide for implementing proper input validation as well as provide validation engines for popular web application environments.
  
The OWASP Validation Project was created by Jeff Williams and is currently maintained by [mailto:eric.sheridan@owasp.org Eric Sheridan].
+
The OWASP Validation Project is need of a leader! Contact owasp 'at' owasp.org if you are interested!
  
 
= Feedback and Participation: =
 
= Feedback and Participation: =
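Review bot: the added sentence "The OWASP Validation Project is need of a leader!" is missing a word; suggest "is in need of a leader". The obfuscated address owasp 'at' owasp.org is also inconsistent with the mailto: links used in the same section (e.g. the Eric Sheridan link just above); either form works, but pick one for the page.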
Line 15: Line 19:
 
=News=
 
=News=
  
  '''OWASP Stinger Project Needs Your Help! - 16:37, 12 September 2006 (EDT)'''
+
  '''Rough Draft of the Validation Questionnaire Released! - 14:05, 23 January 2007 (EST)'''
  
One of the new features available in Stinger 2.0 is the ability to apply a negative security model on top of a positive security model. There are cases when the positive model becomes too open and a negative security model is necessary. The OWASP Stinger Project is in need of regular expressions which can be used to thwart potential input validation attacks, such as cross site scripting and SQL Injection. One such example would look for the words ''document.cookie''in the parameter value. This obvious cross site scripting attack would then be caught by the negative security model and the appropriate action(s) taken place. If you have any regular expressions which you would like to donate to the OWASP Validation Project, please contact [mailto:eric.sheridan@owasp.org Eric Sheridan].
+
The OWASP Validation Project is pleased to announce the rough draft release of the "Validation Questionnaire." The purpose of this document is to aide developers in performing a basic level of input validation threat modeling. If we can clearly define our application's sources of input and the potential risk associated with each source, then we can better implement an appropriate input validation scheme. Please feel free to offer suggestions for improvement!
  
'''OWASP Validation Documentation now maintained in Mediawiki! - 16:18, 12 September 2006 (EDT)'''
+
[http://www.owasp.org/index.php/Image:ValidationQuestionnaire.doc Click here] to download the validation questionnaire.
  
In an attempt to fully open the validation documentation to the OWASP community, the paper will now be maintained via Mediawiki. The online version of the validation documentation can be found [http://www.owasp.org/index.php/OWASP_Validation_Documentation here]. We encourage contributions and edits. We will periodically build word document version of the validation documentation when appropriate.
+
'''New OWASP J2EE Filters Released! - 10:07, 5 January 2007 (EST)'''
  
'''Announcing Minor Releases for both Stinger and the Validation Documentation - 11:15, 14 August 2006 (EDT)'''
+
The OWASP Community has released two brand new J2EE Filters! Both of the new filters attempt to address current hot topics is the web application security community.
  
The OWASP Validation Project is pleased to announce the immediate availability of maintenance releases for both [http://www.owasp.org/index.php/OWASP_Stinger_Project Stinger] and the [http://www.owasp.org/index.php/OWASP_Validation_Documentation_Project Validation Documentation].  
+
:*'''[http://www.owasp.org/index.php/CSRF_Guard OWASP CSRF Guard]''' - protects a web application from Cross-Site Request Forgery attacks through the use of a unique random request token
 +
:*'''[http://www.owasp.org/index.php/PDF_Attack_Filter_for_Java_EE PDF Attack Filter]''' - protects a web application from the recently discovered [http://www.gnucitizen.org/blog/danger-danger-danger/ XSS-PDF Flaw] through the use of a redirect trick
  
Check out their respective project pages for more information.
+
If you have any suggestions or comments for either filter, please email your comments to [mailto:owasp@owasp.org owasp@owasp.org]
  
'''Stinger 2.0 Beta I and OWASP Validation Documentation Released! - 18:53, 4 August 2006 (EDT)'''
+
'''[http://www.owasp.org/index.php/Validation_News Click here for old news...]'''
 
 
The OWASP Validation Project is pleased to announce the immediate availability of Stinger 2.0 Beta I as well as a rough draft of the OWASP Validation Documentation. Both projects are the result of a tireless effort to provide a clear and defined process of implementing input validation in web applications. The Validation Project would like to thank everyone for their continuing support. More information on can be found at the [http://www.owasp.org/index.php/OWASP_Stinger_Project Stinger] project page and the [http://www.owasp.org/index.php/OWASP_Validation_Documentation_Project OWASP Validation Documentation] project page.
 
 
 
:* Note: These projects are still in the development stage. Testing and feedback would be greatly appreciated!
 
 
 
'''Fortify Software Donates Vulnerability Research Project - 09:35, 31 July 2006 (EDT)'''
 
 
 
Fortify software as graciously donated a comprehensive set of software security research material to OWASP. The research material provides an in-depth analysis of 115 software vulnerabilities which can be found at the [http://www.owasp.org/index.php/Category:OWASP_Honeycomb_Project OWASP Honeycomb Project] homepage. The category of particular interest is, of course, the [http://www.owasp.org/index.php/Category:Input_Validation_Vulnerability Input Validation Vulnerability].  The OWASP Community is strongly encouraged to donate to this milestone project. Once the current set of projects is completed, it is the goal of the OWASP Validation Project to contribute to the vast and quickly growing [http://www.owasp.org/index.php/Category:OWASP_Honeycomb_Project OWASP Honeycomb Project].
 
 
 
'''OWASP Validation Documentation Delayed - 09:07, 23 July 2006 (EDT)'''
 
 
 
Unfortunately, the OWASP Validation Documentation has been delayed for roughly a week. The good news, however, is the reason for the delay. A new project, entitled '''Poseidon''', is currently in development. Poseidon will greatly simplify the generation of an SVDL file through the use of your own web based application! Look for a rough draft of the validation documentation near the end of the week.
 
 
 
'''Project Stinger 2.0 is Underway! - 11:44, 10 July 2006 (EDT)'''
 
 
 
One of the goals of the OWASP Validation Project is updating and improving the Java validation engine, Stinger. This update will include the many submitted ideas/patches over the past several years on top of a completely rewritten engine. If you have any ideas/patches that you would like to have reviewed for submission, please contact [mailto:eric.sheridan@owasp.org Eric Sheridan].
 
 
 
'''OWASP Validation Finds a New Project Lead - 11:44, 10 July 2006 (EDT)'''
 
 
 
Thanks to Jeff Williams, Eric Sheridan is now the lead of the OWASP Validation Project. The project will be moving forward in the next few weeks. Refer to the road map for short term goals and deadlines. Stay tuned!
 
  
 
=Project Roadmap=
 
=Project Roadmap=
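Review bot: two typos in the added news items: "to aide developers" should be "to aid developers", and "hot topics is the web application security community" should be "hot topics in". The PDF Attack Filter entry describes its mitigation only as "a redirect trick"; a one-line statement of what the redirect does (or a pointer to the filter page) would let readers judge whether it applies to them. The older 2006 entries removed here (Stinger 2.0 Beta I, the Fortify donation, Poseidon, the new project lead) are replaced only by the "Click here for old news..." link, so confirm they were carried over to the Validation_News page before this revision is saved.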
Line 57: Line 42:
 
:# build an input validation guide
 
:# build an input validation guide
 
:# provide and implement input validation mechanisms for various platforms
 
:# provide and implement input validation mechanisms for various platforms
:# rewrite Stinger to incorporate the design principals in the guide
+
:# rewrite Stinger to incorporate the design principles in the guide
  
 
The [http://www.owasp.org/index.php/OWASP_Validation_Project_Roadmap OWASP Validation Roadmap] contains the latest information as to project goals and targeted release dates.
 
The [http://www.owasp.org/index.php/OWASP_Validation_Project_Roadmap OWASP Validation Roadmap] contains the latest information as to project goals and targeted release dates.
Line 67: Line 52:
 
=Implementation=
 
=Implementation=
  
The second major goal of the OWASP Validation Project is to provide input validation mechanisms which adhere to one or more of the design principals outlined in the 'Input Validation Guide'. If you have a project which fits this requirement, please submit it via email to the project lead.
+
The second major goal of the OWASP Validation Project is to provide input validation mechanisms which adhere to one or more of the design principles outlined in the 'Input Validation Guide'. If you have a project which fits this requirement, please submit it via email to the project lead.
  
 
==OWASP Validation Documentation==
 
==OWASP Validation Documentation==
  
The primary purpose of the OWASP Validation Documentation project is to provide the design principals necessary to build an effective input validation engine. More can be found [http://www.owasp.org/index.php/OWASP_Validation_Documentation_Project here].
+
The primary purpose of the OWASP Validation Documentation project is to provide the design principles necessary to build an effective input validation engine. More can be found [http://www.owasp.org/index.php/OWASP_Validation_Documentation_Project here].
  
 
==Java==
 
==Java==
  
The Stinger library is a full J2EE Validation Engine which strongly adheres to the principal's outline in the [http://www.owasp.org/index.php/OWASP_Validation_Documentation_Project Validation Documentation]. More information can be found on the Stinger Project page at http://www.owasp.org/index.php/OWASP_Stinger_Project
+
The Stinger library is a full J2EE Validation Engine which strongly adheres to the principle's outline in the [http://www.owasp.org/index.php/OWASP_Validation_Documentation_Project Validation Documentation]. More information can be found on the Stinger Project page at http://www.owasp.org/index.php/OWASP_Stinger_Project
 +
 
 +
Most modern Java web frameworks include their own data validation features.  All of these can validate user data in GET and POST requests, but usually do not validate cookie data.  Web frameworks that provide their own validation features include:
 +
* [http://struts.apache.org Apache Struts]
 +
* [http://www.opensymphony.com/webwork/wikidocs/Validation.html WebWork]
 +
* [http://www.springframework.org/docs/reference/validation.html Spring MVC]
 +
* [http://java.sun.com/javaee/javaserverfaces/ Java Server Faces]
 +
* [http://labs.jboss.com/portal/jbossseam/?prjlist=false JBoss Seam]
  
 
==.NET==
 
==.NET==
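Review bot: the spelling change on the Java line introduces a new error: "adheres to the principle's outline in" should read "adheres to the principles outlined in". In the added framework paragraph, the claim that these frameworks "usually do not validate cookie data" is given without a source; since the project's own philosophy is to validate every part of the request (headers, cookies, hidden fields), consider stating which request parts each listed framework does validate so readers can see what Stinger adds on top.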
Line 92: Line 84:
  
 
The majority of the PHP Top 5 can be alleviated with a solid and well defined validation mechanism.
 
The majority of the PHP Top 5 can be alleviated with a solid and well defined validation mechanism.
 +
 +
==Classic ASP==
 +
Stinger 1.0 was migrated to pure classic ASP VBScript code, See [[OWASP_Stinger_Version_1]] for more information on this version. Notice that ASP version loads only one rules file per page for easy of use for developers. If you need diferent rulesets for a sigle page use programatic rules. You can download this project [http://www.owasp.org/images/b/b2/StingerASP1.0.zip here].
  
 
==RegEx Repository==
 
==RegEx Repository==
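Review bot: the added Classic ASP paragraph has several spelling errors and a run-on: "code, See" should start a new sentence, "easy of use" should be "ease of use", "diferent" should be "different", "sigle" should be "single", and "programatic" should be "programmatic". The limitation that the ASP port loads only one rules file per page is worth keeping; "programatic rules" should link to where those rules are documented so readers know how to work around it.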
Line 102: Line 97:
 
[http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
 
[http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
  
 +
==== Project Details ====
 +
{{:GPC Project Details/OWASP Validation Project | OWASP Project Identification Tab}}
 +
 +
__NOTOC__ <headertabs />
 +
 +
 +
[[Category:OWASP Project|Validation Project]]
 +
[[Category:OWASP Tool]]
 +
[[Category:OWASP Download]]
  
[[Category:OWASP Project]]
+
__NOTOC__
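Review bot: after this change the page carries both `[[Category:OWASP Project|Validation Project]]` and `[[Category:OWASP Project]]`, and `__NOTOC__` appears twice (once on the `<headertabs />` line and once at the end); keep a single category tag with the sort key and a single `__NOTOC__`, and check that the `<headertabs />` line stays after the last `====` tab heading so the Project Details tab renders.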

Latest revision as of 15:29, 6 October 2009


This Project has been identified as an orphaned one. If you find interest in assuming its lead, please contact the Global Projects Committee.


Main

Most web application platforms do not include features to validate user input. This leaves many organizations to craft their own validation mechanisms, often incomplete, flawed, and inefficient.

The OWASP Validation Project was created to provide guidance and tools related to validation. Our philosophy is that validation is required for every part of the HTTP request, including headers, query string, cookies, form fields, and hidden fields.

Currently, there are several projects underway to create validation technologies for various platforms. The long term goal is to provide a detailed guide for implementing proper input validation as well as provide validation engines for popular web application environments.

The OWASP Validation Project is in need of a leader! Contact owasp 'at' owasp.org if you are interested!
