Presentation is loading. Please wait.

Presentation is loading. Please wait.

Input Validation For Free Text Fields Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav Attias.

Similar presentations


Presentation on theme: "Input Validation For Free Text Fields Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav Attias."— Presentation transcript:

1 Input Validation For Free Text Fields Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav Attias

2 The main goal of our project is to prevent script injection through free text fields. It deals mainly with XSS - Cross-site scripting which is a type of computer security vulnerability typically found in web applications that enables malicious attackers to injectclient-side script into web pages viewed by other users.computer securityvulnerabilityweb applicationsinjectclient-side script web pages

3 Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink or from a text field which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message.

4 Malicious script that has not been blocked can lead to several major problems: Usually it will be stored in the database of the company. Then probably it will be pulled out and an application will run this script. It can either harm other systems inside the company or a browser of a client will run this script and harm the client's computer/systems. An attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser.

5 There is another solution called Escaping (aka Output Encoding). Escaping is a technique used to ensure that characters are treated as data, not as characters that are relevant to the interpreter's parser.Escaping The Problem: companies do not want to have malicious scripts in their database, as not all web applications using this database are controlled by the company and therefore they cannot be assured that the client browser supports this feature.

6 JAR Library GUI Web Site Database

7 The database contains all the types of fields, and for each filed a regular expression is stored. This regular expression represents the valid inputs for this specific type of field. In addition, for each field a predefined error message is stored. The error message indicates the cause of the rejection of the input. In order to reduce changes in existing applications, a JAR library will be added to an existing code and prevent massive changes in it. The main functionality of the library is to receive a text, check its validation using the regular expression that stored in the DB, and return whether the input text is valid or not.

8 This feature of the system connects the user to the database, it has two main functionalities: Display all the types of fields currently stored in the database. This enables the user to see the types of fields that already in the system and that can be used in the JAR library. Add new types of fields to the database. This can be done in two ways: Insert new regular expression that represents all the valid expressions to this specific type of field. Draw a state machine that the language it represents is all the valid expressions to the new type of field.** Fix/edit an existing or a new regular expression using state-machine. In order to test the system. Mainly, the site will contain free text field for each predefined type of field. Special software will be used in order to "attack" the site. Then the results will be analyzed and according to the conclusions the system will be changed to supply better security.

9 Amdocs tried to use predefined Microsoft Library called Anti-XSS This solution didn’t work: Applications weren’t able to work. The library blocked almost every input. Amdocs stuff don’t have the opportunity to add new definitions to the system. In order to make it work – massive change needs to be done in ALL Amdocs web applications – to much time and money. Today Amdocs uses ISAPI in order to deal with the problem. In reality : level of security is very low!

10 Our project goal is to create new XSS prevention Library that will focus on web applications. Deep research will be hold in order to provide specific and accurate safety for each type of free text field that Amdocs applications uses. In addition, the system will have the ability to add and improve the level of security in the future.

11 The software will be divided to three major layers: Persistence layer – database (library) that will hold all the information about the types of fields, and for every field the type of characters that valid to this specific field (regular expression). Logic layer–this layer will control the algorithms: receiving inputs, processing them, and generate the outputs. Part of the software is to receive new information about new/old fields, through automat or regular expression, and these algorithms will also be part of this layer. This layer will be implemented in the JAR library. Presentation layer–GUI that enables the user to view/edit/add/delete the types of fields stored in the system. The GUI will receive inputs from the user and pass them to the logic layer that uses the persistence layer to make the required changes and/or display the user the results (in future).

12 Regular Expressions The system will use java regular expressions package called regex. XML Database The system will use Java parsing XML classes. (Amdocs demand) Upscan Software: Upsacn is software that attacks web applications in many known attacks. We will use Upscan to attack our web site in order to see our system's efficiency. State Machine interaction (in future versions) The system will use two extensions: Java SwingStateslibrary. GraphVizVisualation Software.

13 Determine if text is safe or not. Insert regular expression that defines the language of all the expressions that are valid to the type of the new defined field. Draw Deterministic finite-state machine that defines the language of all the expressions that are valid to the type of thenew defined field. Insert regular expression and then change it by editing a state machine that the system created. (Also uses to define new type of field). Note: "safe" text or "determine if text is safe or not" means that the input text does not contain any malicious code such as script injection code.

14 Delete existing fields from the database – can be done only by administrator. Edit existing fields from the database – can be done only by administrator.

15 A website will be developed. In this site there will be all fields that in the database. Special Amdocs software – named UpScan, will be used. This software attacks the fields that the website contains. The testing will be in iterations. Each iteration we will "attack" our website and analyze the results. Then the results will be examined and from the conclusions we will improve the data of the fields that did not pass the level of security we determine. The level of security will measured as the number of blocked attacks from the total number of attacks on a specific field. Testing the system

16 Predetermined types of fields the system will supply with built in database that will include the following types of fields: First name Last name Address Owner Title ID Object type Login name Parent object ID Customer status Product name Behavior Sub-type Description Password

17

18 Predetermined type field functionality Primary Actors: User, Admin Description: The user wants to enter text in a certain field, and the system checks if the text is valid in that field. Pre-Conditions: The field exists in the DB. Post-Conditions: A Boolean function return true if the text is valid in this field, and false (with addition of error message) otherwise. Main (Success) Scenario: 1) The user calls a function from the new JAR library, with the text and field as inputs. 2) The system pulls out the matching regular expression from the DB. 3) The system checks whether the text is valid according to the regular expression, and returns Boolean answer.

19 Predetermined type field functionality

20 Regular expression functionality Primary Actors: user, admin Description: The user wants to generate a new regular expression to a new field. Pre-Conditions: None. Post-Conditions: A new field and a new regular expression are generated and inserted into the DB. Main (Success) Scenario: 1) the user selects the option "new regular expression". 2) The user enters a new field's name. 3) The user inserts a regular expression. 4) The software inserts the new field with its new regular expression into the DB. 5) The software displays a confirmation message.

21 Regular expression functionality

22 Risks As the project based mainly on research about XSS prevention, the major point of failure will be not succeeding in the task of preventing attacks efficiently. Hence, most of the efforts will be focused on deep research

23


Download ppt "Input Validation For Free Text Fields Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav Attias."

Similar presentations


Ads by Google