Input Validation For Free Text Fields
Project Members: Hagar Offer & Ran Mor
Academic Advisor: Dr Gera Weiss
Technical Advisors: Raffi Lipkin & Nadav Attias

The main goal of our project is to prevent script injection through free text fields. It deals mainly with XSS (cross-site scripting), a type of security vulnerability typically found in web applications that enables an attacker to inject client-side script into web pages viewed by other users.

Cross-site scripting (XSS) occurs when a web application accepts malicious data from a user and later includes it in a page without neutralizing it. The data usually arrives either in a crafted hyperlink (reflected XSS) or in a text field whose content is stored and displayed again later (stored XSS). The victim typically reaches the malicious link from another website or an instant message, or is exposed simply by reading a message board on which the content was posted.

Malicious script that is not blocked leads to several major problems. Usually it is stored in the company's database. Later it is read back and rendered by an application: either it harms other systems inside the company, or a client's browser executes it and harms the client's computer. In the browser case an attacker can gain access to sensitive page content, session cookies, and a variety of other information the browser maintains for that site.

Another solution is escaping (also called output encoding): a technique that ensures characters are treated as data rather than as characters that are significant to the interpreter's parser (in the XSS case, the browser's HTML parser). The problem: companies do not want malicious scripts in their database at all, because not all web applications that read that database are controlled by the company, so the company cannot be assured that every consuming application encodes the data correctly on output. Input validation at the point of entry therefore complements output encoding rather than replacing it: a value that is valid for a permissive field type can still be dangerous in some output contexts, so the consuming page must still encode it.
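As an added example (not the project's code and not from the original slides), the kind of HTML output encoder the slide refers to, written in Java, applied to a constructed value that reached the database unvalidated. It handles HTML text content and quoted attribute values only; values placed in JavaScript, URL or CSS contexts need context-specific encoders.

```java
public final class HtmlEncoder {
    private HtmlEncoder() {}

    /**
     * Encodes s so that an HTML parser treats every character as data, whether the value
     * ends up in text content or inside a double- or single-quoted attribute value.
     */
    public static String encodeForHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;   // entities start with '&', so it is encoded too
                case '<':  out.append("&lt;");   break;   // cannot open a tag any more
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;   // cannot close a double-quoted attribute
                case '\'': out.append("&#x27;"); break;   // cannot close a single-quoted attribute
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample of a value that was stored without validation (stored XSS).
        String stored = "<script>alert(document.cookie)</script>";
        // Rendered as text content: the script tag becomes literal text, not an element.
        System.out.println("<p>Comment: " + encodeForHtml(stored) + "</p>");
        // Rendered inside an attribute: the embedded quote cannot terminate the value early.
        System.out.println("<input name=\"q\" value=\"" + encodeForHtml("\" onfocus=\"alert(1)") + "\">");
        // Legitimate data containing markup characters survives as data; a validator that
        // simply rejected '<' and '>' would have refused this input outright.
        System.out.println("<td>" + encodeForHtml("a < b && c > d") + "</td>");
    }
}
```

The encoder is the consumer-side half of the story; the project's argument is that because the company cannot guarantee every consumer applies it, a validation layer at input time is needed in addition.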

System components (architecture diagram): JAR library, GUI, web site, database.

The database contains all the field types. For each field type a regular expression is stored that represents the valid inputs for that specific type of field. In addition, a predefined error message is stored for each field type; the message indicates the cause of the rejection of the input. In order to minimize changes to existing applications, a JAR library is added to the existing code instead of rewriting it. The main functionality of the library is to receive a text, validate it against the regular expression stored in the DB for the given field type, and return whether the input text is valid or not.

The GUI connects the user to the database and has two main functions:
- Display all the field types currently stored in the database. This lets the user see which field types already exist in the system and can be used through the JAR library.
- Add new field types to the database. This can be done in two ways: insert a new regular expression that represents all the valid inputs for the new field type, or draw a state machine whose language is the set of valid inputs for the new field type. An existing or new regular expression can also be fixed or edited through its state machine.
The web site exists in order to test the system. It contains a free text field for each predefined field type. Special software is used to "attack" the site; the results are then analyzed, and according to the conclusions the system is changed to provide better security.

Amdocs tried a predefined Microsoft library called Anti-XSS. This solution did not work: applications could not function because the library blocked almost every input; Amdocs staff had no way to add new definitions to the system; and making it work would have required massive changes in all Amdocs web applications, costing too much time and money. Today Amdocs deals with the problem at the web server using ISAPI, and in reality the level of security is very low.

Our project goal is to create a new XSS prevention library focused on web applications. Substantial research will be carried out in order to provide specific and accurate protection for each type of free text field that Amdocs applications use. In addition, the system will be extensible, so that the level of security can be improved in the future.

The software is divided into three major layers:
- Persistence layer: the database (library) that holds all the information about the field types, and for every field type the set of characters valid for that specific field (its regular expression).
- Logic layer: the algorithms that receive inputs, process them, and generate the outputs. Receiving new information about new or existing field types, through an automaton or a regular expression, is also part of this layer. This layer is implemented in the JAR library.
- Presentation layer: a GUI that enables the user to view, edit, add and delete the field types stored in the system. The GUI receives inputs from the user and passes them to the logic layer, which uses the persistence layer to make the required changes and/or display the results to the user (in the future).

Regular expressions: the system uses the Java regular expressions package, java.util.regex.
XML database: the system uses the Java XML parsing classes (an Amdocs requirement).
UpScan: software that attacks web applications with many known attacks. We will use UpScan to attack our web site in order to measure the system's effectiveness.
State machine interaction (in future versions): the system will use two extensions, the Java SwingStates library and the GraphViz visualization software.

User functionality:
- Determine whether a text is safe or not.
- Insert a regular expression that defines the language of all the inputs valid for the newly defined field type.
- Draw a deterministic finite-state machine that defines the language of all the inputs valid for the newly defined field type.
- Insert a regular expression and then change it by editing the state machine the system creates from it (also used to define a new field type).
Note: "safe" text, or "determine whether a text is safe or not", means that the input text does not contain any malicious code such as script injection code.

Administrator functionality:
- Delete existing field types from the database (administrator only).
- Edit existing field types in the database (administrator only).

Testing the system: A web site will be developed that contains every field type in the database. Special Amdocs software named UpScan will be used; it attacks the fields the web site contains. Testing proceeds in iterations. In each iteration we "attack" our web site and analyze the results; from the conclusions we improve the definitions of the field types that did not reach the level of security we set. The level of security of a field is measured as the number of blocked attacks divided by the total number of attacks on that field.

Predetermined field types: the system is supplied with a built-in database that includes the following field types: First name, Last name, Address, Owner, Title, ID, Object type, Login name, Parent object ID, Customer status, Product name, Behavior, Sub-type, Description, Password.

Use case: predetermined type field functionality
Primary actors: user, admin.
Description: the user wants to enter text in a certain field, and the system checks whether the text is valid for that field.
Pre-conditions: the field type exists in the DB.
Post-conditions: a Boolean function returns true if the text is valid for this field, and false (together with the error message) otherwise.
Main (success) scenario:
1) The user calls a function from the new JAR library with the text and the field as inputs.
2) The system retrieves the matching regular expression from the DB.
3) The system checks whether the text is valid according to the regular expression and returns the Boolean answer.
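The library call in this scenario, together with the blocked-attack ratio defined on the testing slide, as an added Java example that is not the project's code. The field-type table is an in-memory map standing in for the project's database, the regular expressions and error messages are constructed here rather than taken from the project, and the attack strings are a small constructed corpus, not UpScan output. Note that the Description pattern accepts `javascript:alert(1)`, because every character in it is on that field's allow-list; such a value only becomes harmful if a consuming page places it in a URL attribute, which is why validation has to be paired with output encoding.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class FieldValidator {

    /** One row of the field-type table: the allow-list regex and the error message stored with it. */
    static final class FieldType {
        final Pattern pattern;
        final String errorMessage;

        FieldType(String regex, String errorMessage) {
            this.pattern = Pattern.compile(regex);
            this.errorMessage = errorMessage;
        }
    }

    /** Outcome of a validation call: the Boolean answer plus the stored error message when rejected. */
    static final class Result {
        final boolean valid;
        final String errorMessage;   // null when valid

        Result(boolean valid, String errorMessage) {
            this.valid = valid;
            this.errorMessage = errorMessage;
        }
    }

    // Hypothetical in-memory stand-in for the project's database of field types.
    private final Map<String, FieldType> fieldTypes = new LinkedHashMap<>();

    /** Adds a field type (what the GUI's "new regular expression" use case writes to the DB). */
    public void register(String fieldName, String regex, String errorMessage) {
        fieldTypes.put(fieldName, new FieldType(regex, errorMessage));
    }

    /** Main library call: look up the field's regex and check the whole text against it. */
    public Result validate(String fieldName, String text) {
        FieldType ft = fieldTypes.get(fieldName);
        if (ft == null) {
            throw new IllegalArgumentException("unknown field type: " + fieldName);
        }
        // matches() requires the entire input to match the pattern. find() would also accept a
        // hostile suffix appended after a valid prefix, so it must not be used for validation.
        boolean ok = text != null && ft.pattern.matcher(text).matches();
        return ok ? new Result(true, null) : new Result(false, ft.errorMessage);
    }

    /** Security level of one field as defined on the testing slide: blocked attacks / total attacks. */
    public double blockRate(String fieldName, List<String> attackPayloads) {
        if (attackPayloads.isEmpty()) {
            throw new IllegalArgumentException("no payloads to score");
        }
        long blocked = attackPayloads.stream()
                .filter(p -> !validate(fieldName, p).valid)
                .count();
        return (double) blocked / attackPayloads.size();
    }

    public static void main(String[] args) {
        FieldValidator v = new FieldValidator();
        // Constructed allow-list patterns; the real table would be tuned per Amdocs field type.
        v.register("First name", "\\p{L}[-\\p{L} ']{0,49}",
                "First name: letters, spaces, hyphens and apostrophes only, 1-50 characters");
        v.register("ID", "[0-9]{5,12}",
                "ID: 5-12 digits only");
        v.register("Description", "[-\\p{L}\\p{N} .,;:!?()'\"]{0,500}",
                "Description: letters, digits and basic punctuation only, up to 500 characters");

        // Legitimate input passes; a rejection carries the error message stored for the field.
        System.out.println(v.validate("First name", "Anne-Marie O'Neil").valid);
        System.out.println(v.validate("ID", "1234").errorMessage);

        // Constructed XSS-style payloads standing in for an UpScan run against the test site.
        List<String> payloads = List.of(
                "<script>alert(1)</script>",
                "\"><img src=x onerror=alert(1)>",
                "javascript:alert(1)",
                "O'Neil<script>alert(1)</script>",
                "Anne\n<script>alert(1)</script>");
        for (String field : List.of("First name", "ID", "Description")) {
            System.out.printf("%-12s block rate = %.2f%n", field, v.blockRate(field, payloads));
        }
    }
}
```

The First name and ID patterns reject all five payloads, while Description lets the third one through, so its block rate is lower than the other two; in the project's iterative testing that is exactly the signal that a field's definition needs tightening, or that the consuming page must encode the value.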


Use case: regular expression functionality
Primary actors: user, admin.
Description: the user wants to create a new regular expression for a new field type.
Pre-conditions: none.
Post-conditions: a new field type and its regular expression are created and inserted into the DB.
Main (success) scenario:
1) The user selects the option "new regular expression".
2) The user enters the new field type's name.
3) The user inserts a regular expression.
4) The software inserts the new field type with its regular expression into the DB.
5) The software displays a confirmation message.


Risks: since the project is based mainly on research into XSS prevention, the major point of failure would be not succeeding in preventing attacks efficiently. Hence most of the effort will be focused on that research.