230 likes | 391 Views
Input Validation For Free Text Fields. Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav Attias. Background. The main goal of our project is to prevent script injection through free text fields.
E N D
Input Validation For Free Text Fields Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: RaffiLipkin & NadavAttias
Background The main goal of our project is to prevent script injection through free text fields. It deals mainly with XSS - Cross-site scripting which is a type of computer securityvulnerability typically found in web applications that enables malicious attackers to injectclient-side script into web pages viewed by other users.
Little More On XSS Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink or from a text field which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message.
Malicious script that has not been blocked can lead to several major problems: • Usually it will be stored in the database of the company. Then probably it will be pulled out and an application will run this script. It can either harm other systems inside the company or a browser of a client will run this script and harm the client's computer/systems. • An attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser.
Escaping There is another solution called Escaping (aka Output Encoding). Escaping is a technique used to ensure that characters are treated as data, not as characters that are relevant to the interpreter's parser. The Problem: companies do not want to have malicious scripts in their database, as not all web applications using this database are controlled by the company and therefore they cannot be assured that the client browser supports this feature.
The Problem Domain Database GUI JAR Library Web Site
Database • The database contains all the types of fields, and for each filed a regular expression is stored. This regular expression represents the valid inputs for this specific type of field. In addition, for each field a predefined error message is stored. The error message indicates the cause of the rejection of the input. Jar Library • In order to reduce changes in existing applications, a JAR library will be added to an existing code and prevent massive changes in it. The main functionality of the library is to receive a text, check its validation using the regular expression that stored in the DB, and return whether the input text is valid or not.
The GUI • This feature of the system connects the user to the database, it has two main functionalities: • Display all the types of fields currently stored in the database. This enables the user to see the types of fields that already in the system and that can be used in the JAR library. • Add new types of fields to the database. This can be done in two ways: • Insert new regular expression that represents all the valid expressions to this specific type of field. • Draw a state machine that the language it represents is all the valid expressions to the new type of field.** • Fix/edit an existing or a new regular expression using state-machine. The Web Site • In order to test the system. Mainly, the site will contain free text field for each predefined type of field. Special software will be used in order to "attack" the site. Then the results will be analyzed and according to the conclusions the system will be changed to supply better security.
Current Situation • Amdocs tried to use predefined Microsoft Library called Anti-XSS • This solution didn’t work: • Applications weren’t able to work. • The library blocked almost every input. • Amdocs stuff don’t have the opportunity to add new definitions to the system. • In order to make it work – massive change needs to be done in ALL Amdocs web applications – to much time and money. • Today Amdocs uses ISAPI in order to deal with the problem. • In reality : level of security is very low!
Proposed Solution • Our project goal is to create new XSS prevention Library that will focus on web applications. • Deep research will be hold in order to provide specific and accurate safety for each type of free text field that Amdocs applications uses. • In addition, the system will have the ability to add and improve the level of security in the future.
System architecture & Technologies • The software will be divided to three major layers: • Persistence layer – database (library) that will hold all the information about the types of fields, and for every field the type of characters that valid to this specific field (regular expression). • Logic layer–this layer will control the algorithms: receiving inputs, processing them, and generate the outputs. Part of the software is to receive new information about new/old fields, through automat or regular expression, and these algorithms will also be part of this layer. This layer will be implemented in the JAR library. • Presentation layer–GUI that enables the user to view/edit/add/delete the types of fields stored in the system. The GUI will receive inputs from the user and pass them to the logic layer that uses the persistence layer to make the required changes and/or display the user the results (in future).
Main Technologies • Regular Expressions • The system will use java regular expressions package called regex. • XML Database • The system will use Java parsing XML classes. (Amdocs demand) • UpscanSoftware: • Upsacn is software that attacks web applications in many known attacks. We will use Upscan to attack our web site in order to see our system's efficiency. • State Machine interaction (in future versions) • The system will use two extensions: • Java SwingStateslibrary . • GraphVizVisualation Software.
Main Functional Requirements • Determine if text is safe or not. • Insert regular expression that defines the language of all the expressions that are valid to the type of the new defined field. • Draw Deterministic finite-state machine that defines the language of all the expressions that are valid to the type of thenew defined field. • Insert regular expression and then change it by editing a state machine that the system created. (Also uses to define new type of field). • Note: "safe" text or "determine if text is safe or not" means that the input text does not contain any malicious code such as script injection code.
Main Functional Requirements • Delete existing fields from the database – can be done only by administrator. • Edit existing fields from the database – can be done only by administrator.
Main Non-Functional Requirements • A website will be developed. In this site there will be all fields that in the database. • Special Amdocs software – named UpScan, will be used. This software attacks the fields that the website contains. • The testing will be in iterations. • Each iteration we will "attack" our website and analyze the results.Then the results will be examined and from the conclusions we will improve the data of the fields that did not pass the level of security we determine. • The level of security will measured as the number of blocked attacks from the total number of attacks on a specific field. Testing the system
Main Non-Functional Requirements the system will supply with built in database that will include the following types of fields: First name Last name Address Owner Title ID Object type Login name Parent object ID Customer status Product name Behavior Sub-type Description Password Predetermined types of fields
Use-Cases Primary Actors: User, AdminDescription: The user wants to enter text in a certain field, and the system checks if the text is valid in that field. Pre-Conditions: The field exists in the DB. Post-Conditions: A Boolean function return true if the text is valid in this field, and false (with addition of error message) otherwise.Main (Success) Scenario: 1) The user calls a function from the new JAR library, with the text and field as inputs. 2) The system pulls out the matching regular expression from the DB. 3) The system checks whether the text is valid according to the regular expression, and returns Boolean answer. Predetermined type field functionality
Use-Cases Predetermined type field functionality
Use-Cases Primary Actors: user, admin Description: The user wants to generate a new regular expression to a new field. Pre-Conditions: None. Post-Conditions: A new field and a new regular expression are generated and inserted into the DB. Main (Success) Scenario: 1) the user selects the option "new regular expression". 2) The user enters a new field's name.3) The user inserts a regular expression.4) The software inserts the new field with its new regular expression into the DB. 5) The software displays a confirmation message. Regular expression functionality
Use-Cases Regular expression functionality
Risks As the project based mainly on research about XSS prevention, the major point of failure will be not succeeding in the task of preventing attacks efficiently. Hence, most of the efforts will be focused on deep research