[ OWASP - Montreal ] Validation Testing Framework

Philippe Gamache philippe at gamache.com
Thu Apr 16 12:23:51 EDT 2009


Hi everyone,

In my preceding message about CodeFest 3.0, there was a project called 
OWASP Validation Testing Framework.

This framework doesn't exist for the moment, but I want to use the 
CodeFest to begin working on the project.

The project is an addition to ESAPI, in a way.

So let me explain it.

WHAT?

It's a framework that will help generate unit testing files, usually for 
Validator/Filter functions.

Some config files will have different tests, for different datatypes, 
and using a generator, it will produce tests using different 
templates for different unit testing frameworks.

So for example, we will produce data tests for email, phone numbers, URL, 
etc.

The generator could produce files for different frameworks like JUnit, 
PHPUnit, SimpleTest, phpt, lime...

So if a project uses PHPUnit and has a validator for email, it could 
generate tests for it.

WHY?

So many validators or filters have flaws, because programmers don't 
understand all the concepts of a format, or concepts of security, so many 
accept (e.g. for email) things like:
*** The next two lines are one attack line, with a return (or line jump) 
in it ***
myemail at site.com
to: spam at site.com

So now we have a header injection in an email.

Or do you know that this address is valid?

me\@mysite.com at site.com

But how many validators will reject it? 80%? More?

WHO can help?

Anyone who is at least one of these:

 * You wrote a validator in any language
 * You understand some formats that need validation
 * You're using a unit testing framework
 * You're a programmer
 * You're a Pen Tester
 * You would like to help on:
  * Making the testing configuration (YAML)
  * Making the unit testing template
  * Making the generator (in PHP, but other language implementations 
    could be done after)
  * Documentation

WHEN :

During CodeFest 3.0




A working prototype should be finished during this weekend.  The framework 
will be offered to OWASP.  I really want it to be an official project, but 
having a prototype and better documentation will help.





