[Owasp-stinger] URL validation | Stinger filter

Siva R Reddy siva.r.reddy at gmail.com
Tue Sep 1 05:46:33 EDT 2009


Team,

I have integrated Stinger into my project. I just want to validate the
URL. If the URL contains any other regex characters, then it needs to throw an
error as soon as the URL hits.

I did the following configs as per the manual provided on the net.

*Web.xml*
   <filter>
        <filter-name>StingerFilter</filter-name>
        <filter-class>org.owasp.stinger.StingerFilter</filter-class>
        <init-param>
            <param-name>config</param-name>
            <param-value>/opt/bea/weblogic920/user_projects/domains/Webchk/servers/B6-Webchk/data/Stinger.xml</param-value>
        </init-param>
        <init-param>
            <param-name>error-page</param-name>
            <param-value>WebErrorPage.html</param-value>
        </init-param>
        <init-param>
            <param-name>reload</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>
    <filter-mapping>
      <filter-name>StingerFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

*Stinger.xml*
  <regexset>
    <regex>
      <name>safetext</name>
      <pattern>^[^\&lt;\&gt;\&amp;\{\}\[\]\;]{0,100}$</pattern>
      <description>
        0 to 100 valid characters, where a valid character is anything that's NOT considered a potentially malicious character
        (i.e. less than, greater than, ampersand, left or right curly brace, left or right square bracket, or a semicolon).
      </description>
    </regex>
    <regex>
        <name>url</name>
        <pattern>
            ^((((https?|ftps?|http?|amf?|gopher|telnet|nntp)://)|(mailto:|news:))(%[0-9A-Fa-f]{2}|[-()_.!~*';/?:@&amp;=+$,A-Za-z0-9])+)([).!';/?:,][[:blank:]])?$
        </pattern>
        <description/>
    </regex>
  </regexset>


  <!-- The default parameter rule set must exist -->
  <ruleset>
    <name>STINGER_DEFAULT</name>
    <path>STINGER_DEFAULT</path>
    <extraHeaderAction>ignore</extraHeaderAction>

    <rule>
      <name>STINGER_ALL</name>
      <regex>url</regex>

      <missing>
        <severity>IGNORE</severity>
      </missing>
      <malformed>
        <severity>FATAL</severity>
        <action class="org.owasp.stinger.actions.Log">
          <parameter>
            <name>log</name>
            <value>servers/B6-Webchk/logs/stinger.log</value>
          </parameter>
          <parameter>
            <name>level</name>
            <value>SEVERE</value>
          </parameter>
          <parameter>
            <name>message</name>
            <value>parameter %name with value %value from %ip is malformed</value>
          </parameter>
        </action>
        <action class="org.owasp.stinger.actions.Drop"/>
        <action class="org.owasp.stinger.actions.Redirect">
          <parameter>
            <name>page</name>
            <value>WebErrorPage.html</value>
          </parameter>
        </action>
      </malformed>
    </rule>

If I enter any special chars in the URL, I do not see it
redirected to the error page. Could you please give me a clue as to why this
is not working? I'm very new to implementing it.

I appreciate your help and thanks in advance.

Regards
Siva
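
An offline check of the `url` pattern from the Stinger.xml above, as an added example that is not part of the original post or of Stinger. It assumes the pattern is evaluated with java.util.regex (Stinger is a Java servlet filter) and that the break inside `(mailto:|news:)` is mail line wrapping; the class name, the `\p{Blank}` variant and all sample values are constructed for illustration.

```java
import java.util.regex.Pattern;

// Added example: exercises the posted "url" pattern against constructed values.
public class UrlPatternCheck {

    // Pattern text after XML entity decoding (&amp; becomes &).
    static final String HEAD =
        "^((((https?|ftps?|http?|amf?|gopher|telnet|nntp)://)|(mailto:|news:))"
      + "(%[0-9A-Fa-f]{2}|[-()_.!~*';/?:@&=+$,A-Za-z0-9])+)";

    // As written in the post. java.util.regex has no POSIX bracket syntax:
    // [[:blank:]] is read as a nested set of the literal characters : b l a n k.
    static final String URL_REGEX = HEAD + "([).!';/?:,][[:blank:]])?$";

    // Same pattern with Java's own class for space or tab (assumed intent).
    static final String WITH_JAVA_BLANK = HEAD + "([).!';/?:,]\\p{Blank})?$";

    // Element text as laid out in the post: newline and indentation kept.
    // Whether Stinger trims this text is not stated on the page.
    static final String AS_POSTED = "\n            " + URL_REGEX + "\n        ";

    static boolean accepts(String regex, String value) {
        return Pattern.compile(regex).matcher(value).matches();
    }

    public static void main(String[] args) {
        String[] samples = {                     // constructed sample values
            "http://example.com/page?id=1",      // absolute URL
            "http://example.com/?q=<script>",    // characters outside the set
            "/Webchk/page?id=1",                 // relative path, no scheme
            "plainvalue",                        // ordinary parameter value
            "http://example.com/a. "             // punctuation plus one space
        };
        System.out.printf("%-36s %-8s %-9s %s%n",
            "value", "trimmed", "asPosted", "javaBlank");
        for (String s : samples) {
            System.out.printf("%-36s %-8b %-9b %b%n", "[" + s + "]",
                accepts(URL_REGEX, s),
                accepts(AS_POSTED, s),
                accepts(WITH_JAVA_BLANK, s));
        }
    }
}
```

Comparing the three columns shows which values the rule would flag as malformed under each reading of the pattern, before the configuration is deployed behind the filter.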