#8 reference struts-validator and stinger in Guide

open
nobody
None
5
2004-03-12
2004-03-12
Ralf Hauser
No

Hi, the OWASP Guide is an excellent starter for Web
Security. Congrats!
In chapter 10 on "Data Validation" (or the upcoming
Java chapter), I suggest adding pointers to validation
frameworks such as http://aspectsecurity.com/stinger/
and
http://jakarta.apache.org/struts/userGuide/dev_validator.html

P.S.: Especially since DoS has become a member of OWASP
top ten, do not forget to mention their limitations -
i.e. that they often get called "late" (only after
finishing uploading e.g. illegitimate 2MB for a form
field specified to only hold 200 characters; for
example tomcat hands off to such "application level"
validation after finishing "http" processing - see
also:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=27062
and related out-of-memory conceptual open ends of
tomcat
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=27143)
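
The limitation raised in the P.S., seen from the defensive side, as an added example that is not part of the original ticket and is not Tomcat, Struts or Stinger code: a plain-Java stream wrapper that enforces a size cap while the body is being read, instead of validating field lengths after the whole body has arrived. The class name `BoundedInputStream`, the 4096-byte cap and the 2 MB body are assumptions constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;

public class BoundedBodyDemo {
    /** Hypothetical wrapper: fails as soon as more than `limit` bytes were read. */
    static class BoundedInputStream extends FilterInputStream {
        private final long limit;
        private long seen;

        BoundedInputStream(InputStream in, long limit) {
            super(in);
            this.limit = limit;
        }
        @Override
        public int read() throws IOException {
            int b = super.read();
            if (b != -1) count(1);
            return b;
        }
        @Override
        public int read(byte[] buf, int off, int len) throws IOException {
            int n = super.read(buf, off, len);
            if (n > 0) count(n);
            return n;
        }
        private void count(int n) throws IOException {
            seen += n;
            if (seen > limit) throw new IOException("body exceeds " + limit + " bytes");
        }
    }

    public static void main(String[] args) {
        byte[] body = new byte[2 * 1024 * 1024]; // constructed 2 MB request body
        long limit = 4096;                       // assumed cap for a small form
        byte[] chunk = new byte[1024];
        long consumed = 0;
        try (InputStream in = new BoundedInputStream(new ByteArrayInputStream(body), limit)) {
            for (int n; (n = in.read(chunk)) != -1; ) consumed += n;
            System.out.println("accepted " + consumed + " bytes");
        } catch (IOException e) {
            // Reached once the cap is crossed, long before the full 2 MB is consumed.
            System.out.println("aborted after " + consumed + " bytes: " + e.getMessage());
        }
    }
}
```

The wrapper only helps if it sits in front of whatever parses the body; a per-field length rule in a validation framework still runs after parsing.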
