
Difference between revisions of "Category:OWASP Validation Project"

From OWASP
 
(46 intermediate revisions by 6 users not shown)
Line 1: Line 1:
 +
{{:Template:Orphaned Projects}}
 +
 +
==== Main  ====
 +
 +
=Overview=
 +
 
Most web application platforms do not include features to validate user input. This leaves many organizations to craft their own validation mechanisms, often incomplete, flawed, and inefficient.
 
Most web application platforms do not include features to validate user input. This leaves many organizations to craft their own validation mechanisms, often incomplete, flawed, and inefficient.
  
The OWASP Validation Project was created to provide guidance and tools related to validation. Our philosophy is that validation is required for every part of the HTTP request, including headers, querystring, cookies, form fields, and hidden fields.
+
The OWASP Validation Project was created to provide guidance and tools related to validation. Our philosophy is that validation is required for every part of the HTTP request, including headers, query string, cookies, form fields, and hidden fields.
 +
 
 +
Currently, there are several projects underway to create validation technologies for various platforms. The long term goal is to provide a detailed guide for implementing proper input validation as well as provide validation engines for popular web application environments.
 +
 
 +
The OWASP Validation Project is need of a leader! Contact owasp 'at' owasp.org if you are interested!
 +
 
 +
= Feedback and Participation: =
 +
 
 +
We hope you find the OWASP Validation Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to [email protected].  To join the OWASP Validation Project mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-validation subscription page.]
 +
 
 +
=News=
 +
 
 +
'''Rough Draft of the Validation Questionnaire Released! - 14:05, 23 January 2007 (EST)'''
 +
 
 +
The OWASP Validation Project is pleased to announce the rough draft release of the "Validation Questionnaire." The purpose of this document is to aide developers in performing a basic level of input validation threat modeling. If we can clearly define our application's sources of input and the potential risk associated with each source, then we can better implement an appropriate input validation scheme. Please feel free to offer suggestions for improvement!
 +
 
 +
[http://www.owasp.org/index.php/Image:ValidationQuestionnaire.doc Click here] to download the validation questionnaire.
 +
 
 +
'''New OWASP J2EE Filters Released! - 10:07, 5 January 2007 (EST)'''
 +
 
 +
The OWASP Community has released two brand new J2EE Filters! Both of the new filters attempt to address current hot topics is the web application security community.
 +
 
 +
:*'''[http://www.owasp.org/index.php/CSRF_Guard OWASP CSRF Guard]''' - protects a web application from Cross-Site Request Forgery attacks through the use of a unique random request token
 +
:*'''[http://www.owasp.org/index.php/PDF_Attack_Filter_for_Java_EE PDF Attack Filter]''' - protects a web application from the recently discovered [http://www.gnucitizen.org/blog/danger-danger-danger/ XSS-PDF Flaw] through the use of a redirect trick
 +
 
 +
If you have any suggestions or comments for either filter, please email your comments to [mailto:[email protected] [email protected]]
 +
 
 +
'''[http://www.owasp.org/index.php/Validation_News Click here for old news...]'''
 +
 
 +
=Project Roadmap=
 +
 
 +
The three major goals of the OWASP Validation Project are the following:
 +
 
 +
:# build an input validation guide
 +
:# provide and implement input validation mechanisms for various platforms
 +
:# rewrite Stinger to incorporate the design principles in the guide
 +
 
 +
The [http://www.owasp.org/index.php/OWASP_Validation_Project_Roadmap OWASP Validation Roadmap] contains the latest information as to project goals and targeted release dates.
 +
 
 +
=Guide to Building Input Validation=
 +
 
 +
One of the major goals of the OWASP Validation Project is to provide clear and detailed documentation on building input validation mechanisms for your web application needs. In the near future, this section will contain such documentation. Check back soon!
 +
 
 +
=Implementation=
 +
 
 +
The second major goal of the OWASP Validation Project is to provide input validation mechanisms which adhere to one or more of the design principles outlined in the 'Input Validation Guide'. If you have a project which fits this requirement, please submit it via email to the project lead.
 +
 
 +
==OWASP Validation Documentation==
 +
 
 +
The primary purpose of the OWASP Validation Documentation project is to provide the design principles necessary to build an effective input validation engine. More can be found [http://www.owasp.org/index.php/OWASP_Validation_Documentation_Project here].
 +
 
 +
==Java==
 +
 
 +
The Stinger library is a full J2EE Validation Engine which strongly adheres to the principle's outline in the [http://www.owasp.org/index.php/OWASP_Validation_Documentation_Project Validation Documentation]. More information can be found on the Stinger Project page at http://www.owasp.org/index.php/OWASP_Stinger_Project
 +
 
 +
Most modern Java web frameworks include their own data validation features.  All of these can validate user data in GET and POST requests, but usually do not validate cookie data.  Web frameworks that provide their own validation features include:
 +
* [http://struts.apache.org Apache Struts]
 +
* [http://www.opensymphony.com/webwork/wikidocs/Validation.html WebWork]
 +
* [http://www.springframework.org/docs/reference/validation.html Spring MVC]
 +
* [http://java.sun.com/javaee/javaserverfaces/ Java Server Faces]
 +
* [http://labs.jboss.com/portal/jbossseam/?prjlist=false JBoss Seam]
 +
 
 +
==.NET==
 +
 
 +
One of the goals of the OWASP Validation Project is to implement Stinger 2.0 on the .NET platform.  
  
Currently, there are several projects underway to create validation technologies for various technologies. Long term, the project plan is to isolate the validation rules from the engine that implements them, and to provide validation engines for the popular web application environments.
+
If you are interested in leading this project, please contact [mailto:[email protected] Eric Sheridan].
  
 +
Please refer to the project road map for an estimated time of arrival.
  
=Java=
+
==PHP==
  
The Stinger library is a full HTTP validation engine. It can be used as a library or as a J2EE filter. The full details are on the [[OWASP Stinger project]] page.
+
The PHP Filters Project provides an API framework for validating input for various purposes. The project can be found [http://www.owasp.org/index.php/PHP_Filters here].
  
 +
OWASP Recently released the [http://www.owasp.org/index.php/PHP_Top_5 OWASP Top 5], an article illustrating several attack vectors against PHP applications.
  
=Regex=
+
The majority of the PHP Top 5 can be alleviated with a solid and well defined validation mechanism.
  
OWASP has started a repository for useful regular expressions. These expressions are an extremely powerful way to represent a complex set of validation rules. For example, ^/d[5]$ means to match a string of five digits exactly. For details, please see the [[OWASP Validation Regex Repository]]
+
==Classic ASP==
 +
Stinger 1.0 was migrated to pure classic ASP VBScript code, See [[OWASP_Stinger_Version_1]] for more information on this version. Notice that ASP version loads only one rules file per page for easy of use for developers. If you need diferent rulesets for a sigle page use programatic rules. You can download this project [http://www.owasp.org/images/b/b2/StingerASP1.0.zip here].
  
=PHP=
+
==RegEx Repository==
[[PHP Filter]]
 
  
=WebScarab=
+
The [http://www.owasp.org/index.php/OWASP_Validation_Regex_Repository OWASP RegEx Repository] contains a multitude of regular expressions for common data types. Developers implementing input validation engines should review these regular expressions. Save the time of developing a complicated regular expression that currently exists!
  
[[WebScarab Parameter Parser]]
+
=Project Sponsor=
  
=News and Status=
+
The OWASP Validation project is sponsored by
 +
[http://www.aspectsecurity.com http://www.owasp.org/images/d/d1/Aspect_logo.gif]
  
  Wed Nov 17 15:27:39 EST 2004
+
==== Project Details ====
  The validation project was started to pull together a number of validation related articles, tools, and techniques for a variety of technologies under one umbrella.
+
{{:GPC Project Details/OWASP Validation Project | OWASP Project Identification Tab}}
  The validation project is run by the OWASP Germany Chapter. The project leader and coordinator is Ali Mabrouk.
 
  
=Feedback and Participation =
+
__NOTOC__ <headertabs />
  
We hope you find the Validation project useful. Please contribute back to the project by sending your comments, questions, and suggestions to the Validation mailing list. Thanks!
 
  
To join the OWASP Validation mailing list or view the archives, please visit the [http://lists.sourceforge.net/lists/listinfo/owasp-validation subscription page.]
+
[[Category:OWASP Project|Validation Project]]
 +
[[Category:OWASP Tool]]
 +
[[Category:OWASP Download]]
  
[[Category:OWASP Project]]
+
__NOTOC__
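
Review bot: The added Classic ASP paragraph needs a copy edit: "easy of use", "diferent", "sigle" and "programatic" are misspelled, and "VBScript code, See" should start a new sentence. The same pass should fix "is need of a leader" in the Overview, "hot topics is the" in the J2EE Filters news item and "principle's outline" in the Java section. Separately, the Java section states that framework validators usually do not validate cookie data, while the Overview requires validation of every part of the HTTP request, cookies included; a sentence pointing readers to a mechanism that covers cookies would close that gap.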

Latest revision as of 15:29, 6 October 2009


This Project has been identified as an orphaned one. If you find interest in assuming its lead, please contact the Global Projects Committee.


Main

Most web application platforms do not include features to validate user input. This leaves many organizations to craft their own validation mechanisms, often incomplete, flawed, and inefficient.

The OWASP Validation Project was created to provide guidance and tools related to validation. Our philosophy is that validation is required for every part of the HTTP request, including headers, query string, cookies, form fields, and hidden fields.

Currently, there are several projects underway to create validation technologies for various platforms. The long term goal is to provide a detailed guide for implementing proper input validation as well as provide validation engines for popular web application environments.

The OWASP Validation Project is in need of a leader! Contact owasp 'at' owasp.org if you are interested!

We hope you find the OWASP Validation Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to [email protected]. To join the OWASP Validation Project mailing list or view the archives, please visit the subscription page.

Rough Draft of the Validation Questionnaire Released! - 14:05, 23 January 2007 (EST)

The OWASP Validation Project is pleased to announce the rough draft release of the "Validation Questionnaire." The purpose of this document is to aid developers in performing a basic level of input validation threat modeling. If we can clearly define our application's sources of input and the potential risk associated with each source, then we can better implement an appropriate input validation scheme. Please feel free to offer suggestions for improvement!

Click here to download the validation questionnaire.

New OWASP J2EE Filters Released! - 10:07, 5 January 2007 (EST)

The OWASP Community has released two brand new J2EE Filters! Both of the new filters attempt to address current hot topics in the web application security community.

  • OWASP CSRF Guard - protects a web application from Cross-Site Request Forgery attacks through the use of a unique random request token
  • PDF Attack Filter - protects a web application from the recently discovered XSS-PDF Flaw through the use of a redirect trick

If you have any suggestions or comments for either filter, please email your comments to [email protected]

Click here for old news...

The three major goals of the OWASP Validation Project are the following:

  1. build an input validation guide
  2. provide and implement input validation mechanisms for various platforms
  3. rewrite Stinger to incorporate the design principles in the guide

The OWASP Validation Roadmap contains the latest information as to project goals and targeted release dates.

One of the major goals of the OWASP Validation Project is to provide clear and detailed documentation on building input validation mechanisms for your web application needs. In the near future, this section will contain such documentation. Check back soon!

The second major goal of the OWASP Validation Project is to provide input validation mechanisms which adhere to one or more of the design principles outlined in the 'Input Validation Guide'. If you have a project which fits this requirement, please submit it via email to the project lead.

OWASP Validation Documentation

The primary purpose of the OWASP Validation Documentation project is to provide the design principles necessary to build an effective input validation engine. More can be found here.

Java

The Stinger library is a full J2EE Validation Engine which strongly adheres to the principles outlined in the Validation Documentation. More information can be found on the Stinger Project page at http://www.owasp.org/index.php/OWASP_Stinger_Project

Most modern Java web frameworks include their own data validation features. All of these can validate user data in GET and POST requests, but usually do not validate cookie data. Web frameworks that provide their own validation features include:

  • Apache Struts
  • WebWork
  • Spring MVC
  • Java Server Faces
  • JBoss Seam

.NET

One of the goals of the OWASP Validation Project is to implement Stinger 2.0 on the .NET platform.

If you are interested in leading this project, please contact Eric Sheridan.

Please refer to the project road map for an estimated time of arrival.

PHP

The PHP Filters Project provides an API framework for validating input for various purposes. The project can be found here.

OWASP recently released the OWASP Top 5, an article illustrating several attack vectors against PHP applications.

The majority of the PHP Top 5 can be alleviated with a solid and well defined validation mechanism.

Classic ASP

Stinger 1.0 was migrated to pure classic ASP VBScript code. See OWASP_Stinger_Version_1 for more information on this version. Note that the ASP version loads only one rules file per page for ease of use for developers. If you need different rulesets for a single page, use programmatic rules. You can download this project here.

RegEx Repository

The OWASP RegEx Repository contains a multitude of regular expressions for common data types. Developers implementing input validation engines should review these regular expressions. Save the time of developing a complicated regular expression that currently exists!

The OWASP Validation project is sponsored by Aspect Security (http://www.aspectsecurity.com).

Project Details

PROJECT INFO
What does this OWASP project offer you?
what is this project?
OWASP Validation Project

Purpose: N/A

License: N/A

who is working on this project?
Project Leader: N/A

Project Maintainer:

Project Contributor(s): N/A

how can you learn more?
Project Pamphlet: N/A

3x slide Project Presentation: N/A

Mailing list: N/A

Project Roadmap: N/A

Main links: N/A

Project Health: Not Reviewed (Provisional)
To be reviewed under Assessment Criteria v2.0

Key Contacts
  • Contact the GPC to contribute, review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
