This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Category:OWASP Stinger Project

Revision as of 16:40, 29 January 2007 by Esheridan (talk | contribs) (Stinger News)

Jump to: navigation, search


Developers consistently implement sporadic, ad-hoc input validation mechanisms for web applications. Lack of a centralized and well-defined input validation mechanism opens the application to a variety of attacks: including SQL Injection, Cross Site Scripting (XSS), and Command Injection. The OWASP Stinger Project aims to develop a centralized input validation component which can be easily applied to existing or developmental applications. Using a declarative security model, Stinger has the ability to validate all HTTP requests coming into an application. Stinger is such a simplistic yet strong validation engine that organizations have begun integrating it into their software development life-cycle.

Project Lead

The OWASP Stinger Project is led by Eric Sheridan


Stinger is offered under the LGPL. For further information on OWASP licenses, please consult the OWASP Licenses page.


  • Click here to view the OWASP Stinger 1.x Project page
  • Click here to view the OWASP Stinger 2.x Project page
  • Click here to view the OWASP Stinger 3.x Project page

Stinger News

Stinger 2.4 RC1 Released - 11:40, 29 January 2007 (EST)

The OWASP Stinger Project is proud to release Stinger 2.4 RC1. This release is largely intended to address some code quality issues.

The following is a list of notable changes:

  • We now allow for an "exclude" option for each parameter. After defining a regular expression for a parameter, we can now define strings that should *NOT* exist within the input. For example, let us assume our regular expression accepts all numbers, characters, a period, and a slash (/). However, note that "aaa../../etc/passwd" would be considered a valid input. Therefore, we can specify an "exclude" tag to prevent such input:
  • The "invalidate" action will properly clear the cookie from the user's browser.

The current list of tasks to complete is as follows:

  • Remove the absolute path dependence when specifying the Stinger configuration file in web.xml

As always, let me know if you have any suggestions for improving the Stinger 2.4 release!

Click here for the Stinger 2.x release page.

Stinger 3.0 Status Update! - 17:59, 1 January 2007 (EST)

After many hard hours, I am proud to announce that several features have been implemented in the Stinger 3.0 baseline. This one of several milestones necessary to make Stinger a solid and robust engine.

The following is a list of notable changes:

  • Validation of the entire HTTP request: including URI, headers, cookies, and parameters
  • A robust "learning" mode to make rule generation simplistic and efficient.
  • A more flexible "Action" framework. Actions will be able to execute logic before and/or after the request is processed by the web application

If you have any suggestions for Stinger 3.0, please post them on the Stinger 3.0 ideas page.

Click here for old news...

Feedback and Participation

We hope you find Stinger useful. Please contribute back to the project by sending your comments, questions, and suggestions to the Stinger mailing list. Thanks!

To join the OWASP Stinger mailing list or view the archives, please visit the subscription page.


The Open Web Application Security Project is purely an open-source community driven effort. As such, all projects and research efforts are contributed and maintained with an individual's spare time. If you have found this or any other project useful, please support OWASP with a donation.

Project Sponsors

The OWASP Stinger project is sponsored by Aspect_logo.gif.

Pages in category "OWASP Stinger Project"

The following 5 pages are in this category, out of 5 total.