[Owasp-stinger] Stinger implementation related Query

Gaurav-A.Tyagi at ubs.com
Thu Feb 26 22:10:27 EST 2009


Hi
 
I am using the Stinger filter implementation for input parameter validation
in a project I'm working on. I have basically followed the procedure
given at http://www.owasp.org/index.php/OWASP_Stinger_Manual for the
implementation. I am using Stinger ver. 2.5. To give you some background on
the problem:
 
I have a JSP (ABC.jsp) and the Stinger filter is set up for this JSP. I
have another JSP (XYZ.jsp) that is included in ABC.jsp as:

<jsp:include page="XYZ.jsp"> 
<jsp:param name="tNumber" value="1" /> 
</jsp:include> 

But in XYZ.jsp the value of the param (tNumber), obtained using
request.getParameter("tNumber"), is coming as NULL. If I remove the filter on
ABC.jsp then everything works fine. My understanding is, correct me if I
am wrong, that the filters do not apply to the included pages anyway.
 
Below are sample excerpts of the web.xml and stinger.xml I have used for the
configuration:
 
web.xml: 
<filter> 
    <filter-name>StingerFilter</filter-name> 
    <filter-class>org.owasp.stinger.StingerFilter</filter-class> 
    <init-param>    
        <param-name>config</param-name> 
        <param-value>stinger.xml</param-value> 
    </init-param> 
    <init-param> 
        <param-name>error-page</param-name> 
        <param-value>/Error.html</param-value> 
    </init-param> 
    <init-param> 
        <param-name>reload</param-name> 
        <param-value>true</param-value> 
    </init-param> 
</filter> 

and 

<filter-mapping>
    <filter-name>StingerFilter</filter-name>
    <url-pattern>/ABC.jsp</url-pattern>
</filter-mapping>

Ruleset from stinger.xml: 

<ruleset>
    <name>ABC</name>
    <path>/ABC.jsp</path>

    <rule>
        <name>load</name>
        <regex>safetext</regex>

        <missing>
            <severity>continue</severity>
        </missing>
        <malformed>
            <severity>continue</severity>
            <action class="org.owasp.stinger.actions.Encode" />
        </malformed>
    </rule>
</ruleset>

I could not find any information regarding the solution, either on the
OWASP website or on the web. Please let me know if this
type of operation is supported by Stinger or not. If yes, then how can I
go about implementing the solution?
I would really appreciate any pointer as to how I can go about solving
the problem.
 
Thanks.
 

Regards, 
Gaurav Tyagi


 