Input Validation For Free Text Fields
ADD
Project Members: Hagar Offer & Ran Mor
Academic Advisor: Dr Gera Weiss
Technical Advisors: Raffi Lipkin & Nadav Attias

System Requirements
Validate Text From Free Text Fields
Prevent XSS attacks through free text fields.
Companies in the market use web applications to serve their clients. Many of these applications accept free-text fields. Our project goal is to stop such an application from accepting malicious script in this type of field.
The Ability To Manage Data In The System
• Add types of fields
• Change types of fields and their corresponding regular expressions
• Edit regular expressions
• Delete fields/regular expressions
State Machine Functionalities
• Create new field using state machine – the user draws a state machine and then a regular expression is created from the machine.
• Create new field using regular expression & state machine – the user enters a regular expression, then the system generates the corresponding state machine and the user can change the machine until he gets the desired result.
• Edit field using state machine.
Testing
• A special site will be developed for testing purposes. Each field will have a representation.
• Special software for attacks (Upscan) will be used.
• Testing in iterations – the regular expressions are revised every iteration.
Learning Engine
An engine that will go over a variety of inputs for a specific field, learn all the data (bad and/or good inputs) and infer the regular expression representing this type of field according to the information.
** This feature was not part of the original project and will be developed within the time limitations and deadlines.
System Components: Database, GUI, JAR Library, Web Site
Database
• The database is based on XML, and the system uses the Java XML parsing classes to write/read the XML files.
• Contains all the types of fields, and for each field a regular expression.
Jar Library
• Will be added to existing code and prevent massive changes in it.
• The main functionality of the library is to receive a text, check its validity using the regular expression stored in the DB, and return whether the input text is valid or not.
GUI
• Connects the user to the database.
• Displays all the types of fields currently stored in the database.
• Adds new types of fields to the database using regular expressions, state machines etc.
Web Site
• For testing purposes.
• Contains a free text field for each predefined type of field.
• Uses “UpScan” – attack software.
Class Diagram: GUI classes, Jflap package, System (façade), Admin, Regex package, Field, Pattern, Matcher, Database, Jar
Field Class
• Represents a field in the system.
• Has two main internal fields:
• name – the name of the field
• regex – a regular expression that represents the language of all the valid inputs for this type of field.
Database Class
• Writes and reads data from the XML files.
• All the functions that concern retrieving and storing data are implemented in this class: store user, store field, retrieve user, retrieve field, etc.
System Class
• Functions as a façade class.
• Provides a unified interface to a set of interfaces in a subsystem.
• Connects the GUI (upper layer) with all the logic classes (bottom layers) such as the database, JFlap and REGEX classes.
• All the functions of this class delegate the actions to the foundation classes that are responsible for handling them.
Jar Class
• This class and its methods will be used by external users to validate the free text fields.
• Has one main function called "validate".
• Will be imported into projects and used as an external package.
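As an added illustration of how the Jar library's "validate" function, the Field class and the XML database described above fit together, the following Java class is example code written for this page, not the project's own source. It loads a constructed XML field database, compiles each field's regular expression, and validates input with Pattern.matcher(text).matches(), so the whole text must belong to the field's language. The XML layout, the class and method names, and the sample regular expressions are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class FieldValidator {

    /** Hypothetical Field class: a field name and the regex describing every valid input. */
    static final class Field {
        final String name;
        final Pattern regex;

        Field(String name, String regex) {
            this.name = name;
            this.regex = Pattern.compile(regex);
        }

        /** matches() requires the entire text to be in the language. find() would accept
         *  "<script>" whenever any substring matched, which is the classic regex-validation bug. */
        boolean validate(String text) {
            return regex.matcher(text).matches();
        }
    }

    /** Constructed sample of the XML field database (assumed layout, not the project's schema). */
    static final String SAMPLE_DB =
        "<fields>"
      + "  <field name=\"username\" regex=\"[A-Za-z0-9_]{3,20}\"/>"
      + "  <field name=\"comment\" regex=\"[\\p{L}\\p{N} .,!?'\\-]{1,500}\"/>"
      + "</fields>";

    /** Database class stand-in: parse the XML into Field objects. DOCTYPE declarations are
     *  disabled so a tampered database file cannot trigger external entity expansion. */
    static Map<String, Field> loadFields(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList nodes = doc.getElementsByTagName("field");
        Map<String, Field> fields = new LinkedHashMap<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            Element e = (Element) nodes.item(i);
            String name = e.getAttribute("name");
            fields.put(name, new Field(name, e.getAttribute("regex")));
        }
        return fields;
    }

    /** Jar.validate stand-in: an unknown field type is rejected rather than passed through. */
    static boolean validate(Map<String, Field> db, String fieldName, String text) {
        Field field = db.get(fieldName);
        return field != null && field.validate(text);
    }

    public static void main(String[] args) throws Exception {
        Map<String, Field> db = loadFields(SAMPLE_DB);
        // Constructed sample inputs: two benign values, two script injections, one unknown field.
        String[][] samples = {
            {"username", "hagar_01"},
            {"username", "<script>alert(1)</script>"},
            {"comment", "Nice site, thanks!"},
            {"comment", "hello <img src=x onerror=alert(1)>"},
            {"unknown", "anything"},
        };
        for (String[] s : samples) {
            System.out.printf("%-9s %-35s -> %s%n",
                s[0], s[1], validate(db, s[0], s[1]) ? "valid" : "rejected");
        }
    }
}
```

Two design points matter for a library of this kind. First, the allowlist regex is applied with matches() rather than find(), so "<" or any other character outside the field's alphabet fails the whole input; the first and third samples pass, the others are rejected. Second, the regex database is itself untrusted input to the parser, so the XML reader is configured to refuse DTDs before it is pointed at a file. Allowlist validation narrows what reaches the application, but the page rendering the stored text still needs output encoding; the two controls complement each other.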
GUI Classes
• Handle all the GUI elements in the system.
• Use small classes, each of which is part of the whole GUI.
• Use some of the GUI components of the JFlap package (in the state machine functionalities).
Admin Class
• Represents an administrator user in the system.
• Has two fields: a unique ID number and a password.
Regex Package Classes
• Deal with regular expressions.
• Already implemented in Java; we will use them to manage and perform operations on regular expressions in the system.
Jflap Package Classes
• A big package of classes that deals with state machines.
• Has vast functionalities.
• We will mainly use the tools to draw state machines and extract regular expressions from state machines.
So Far…
• Code:
• System, regex, admin, field, GUI: 90% of the code implemented.
• Database: code implemented; there is a conceptual problem – how the JAR and the GUI system should interact with the same XML file.
• Jflap package: interaction with the package exists. Changes in the package itself need to be made to best answer the system requirements.
• Testing site: site code is completed. Written in XHTML, CSS, PHP. Not yet tested with the attacking program (Upscan).
• Learning engine: exploring the best algorithms to use for the project’s particular problem, with the assistance of Dr Gera Weiss and Dr Nir Eitan from the Weizmann Institute of Science.
Main Screen
The user has three options to create a new field.
• “New field using Regular-Expression” – the user inserts a new field name and the matching regular expression.
• “New field using State-Machine” – the user inserts a field name and draws the matching state-machine in a new screen (the Jflap screen).
• “New field using Regular-Expression and State-Machine” – the user inserts a field name and a regular expression. Then the matching state-machine will appear, and the user will have the option to change it.
Administrator Screen
The administrator has three options.
• “Delete field” – the administrator chooses a field name from the list of fields, and the system deletes the field from the DB.
• “Edit field” – the administrator chooses a field name from the list of fields and inserts a new regular expression.
• “Edit field using state-machine” – the administrator chooses a field name from the list of fields, the matching state-machine will appear in the Jflap screen, and there he can change it.
The Jflap Screen
In the Jflap screen the user will have the tools to draw state-machines.
Open Questions
• Database – use an XML database (Amdocs requirement) or SQL Server as the database.
• Learning Engine – what algorithm to use, and the type of the “learning” database (good inputs or bad inputs).
Tasks List
The detailed tasks list is published in the full ADD document on the project website. In general:
GUI + DB: February 2011
XSS prevention research: March 2011
Integration with the Jflap package: March 2011
Main functionalities: March-April 2011
Testing: April 2011
Attacks on our website: May 2011