Category talk:OWASP Stinger Project
>> In working with Stinger over the past year I have found some issues in the way that Stinger implemented handling of the HTTP request. In short, it overlooked the fact that a parameter can have multiple values. This has been corrected and will be available for download within the next week or two.
This seems only partially correct. You are correct in stating that Stinger does not properly process a parameter with multiple values. Rather, Stinger simply keeps the first value and discards the rest (see MutableHttpRequest.java). The configuration rules for this first parameter value are still applied and enforced before it is utilized by the target application. Although this behavior may result in functional problems with regards to the protected application (ex. application expects multiple values), I do not see where the security risk is present as the one kept value is still evaluated against the declarative rules. Just a heads up.