
Input Validation For Free Text Fields ADD

Jan 01, 2016


Input Validation For Free Text Fields ADD. Project Members: Hagar Offer & Ran Mor. Academic Advisor: Dr Gera Weiss. Technical Advisors: Raffi Lipkin & Nadav Attias. System Requirements: validate text from free text fields; prevent XSS attacks through free text fields. PowerPoint PPT presentation.
Transcript
Page 1

Input Validation For Free Text Fields

ADD

Project Members: Hagar Offer & Ran Mor

Academic Advisor: Dr Gera Weiss

Technical Advisors: Raffi Lipkin & Nadav Attias

Page 2

System Requirements

Page 3

Validate Text From Free Text Fields

Prevent XSS attacks through free text fields. Companies in the market use web applications to serve their clients. Many of these applications accept free-text fields. Our project goal is to stop such an application from accepting malicious script in this type of field.

The Ability To Manage Data In The System

Add types of fields
Change types of fields and their corresponding regular expressions
Edit regular expressions
Delete fields/regular expressions

Page 4

State Machine Functionalities

Create new field using state machine: the user draws a state machine, and then a regular expression is created from the machine.

Create new field using regular expression & state machine: the user enters a regular expression; the system then generates the corresponding state machine, and the user can change the machine until he gets the desired result.

Edit field using state machine.

Page 5

Testing

A special site will be developed for testing purposes. Each field will have a representation. Special software for attacks (Upscan) will be used. Testing in iterations: the regular expressions are revised every iteration.

Learning Engine

An engine that will go over a variety of inputs for a specific field, learn all the data (bad and/or good inputs), and infer the regular expression representing this type of field according to the information.

** This feature was not part of the original project and will be developed within the time limitations and deadlines.

Page 6

System Architecture

Page 7

System architecture diagram. Components: JAR Library, GUI, Web Site, Database.

Page 8

Database

The database is based on XML, and the system uses the Java XML parsing classes to write to and read from the XML files. It contains all the types of fields, and for each field a regular expression.

Jar Library

The Jar library will be added to existing code and prevents massive changes in it. The main functionality of the library is to receive a text, check its validity using the regular expression stored in the DB, and return whether the input text is valid or not.

Page 9

GUI

Connects the user to the database. Displays all the types of fields currently stored in the database. Adds new types of fields to the database using regular expressions, state machines etc.

Web Site

For testing purposes. Contains a free text field for each predefined type of field. Tested using “UpScan”, the attack software.

Page 10

Main Classes

Page 11

Class diagram. Classes and packages: System (façade), Jflap package, GUI classes, Admin, Field, Jar, Database, Regex package (Matcher, Pattern).

Page 12

Field Class

Represents a field in the system. Has two main internal fields:

name: the name of the field.
regex: a regular expression that represents the language of all the valid inputs for this type of field.

Database Class

Writes and reads data from the XML files. All the functions that concern retrieving and storing data are implemented in this class: store user, store field, retrieve user, retrieve field, etc.

Page 13

System Class

Functions as a façade class: provides a unified interface to a set of interfaces in a subsystem. Connects the GUI (upper layer) with all the logic classes (bottom layers) such as the database, JFlap and REGEX classes. All the functions of this class delegate the actions to the foundation classes that are responsible for handling them.

Jar Class

This class and its methods will be used by external users to validate the free text fields. Has one main function called “validate”. Will be imported into projects and used as an external package.
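The slides on pages 8, 12 and 13 describe the Jar library's single job: read the field-to-regex table from the XML database, and answer whether a text is valid for a given field type. The following is an added example of that design, not code from the project: the class name FieldValidator, the XML layout (a fields element containing field elements with name and regex attributes), and the sample field definitions are all assumptions, since the page does not show the project's real schema or code.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/**
 * Hypothetical stand-in for the project's Jar/Database classes (not the project's code):
 * loads "field name -> regular expression" pairs from an XML field database and
 * validates free-text input against the regex of the requested field type.
 */
public final class FieldValidator {

    /** field name -> compiled allowlist regex */
    private final Map<String, Pattern> fields = new HashMap<>();

    /**
     * Parses a field DB of the assumed shape
     *   <fields><field name="username" regex="[A-Za-z0-9_]{3,20}"/></fields>
     * The XML layout is an assumption; the project's real schema is not shown on the page.
     */
    public FieldValidator(String xml) throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Harden the parser: no DOCTYPE, no external entities, no XInclude (XXE / entity-expansion mitigation)
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder builder = dbf.newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        NodeList nodes = doc.getElementsByTagName("field");
        for (int i = 0; i < nodes.getLength(); i++) {
            Element field = (Element) nodes.item(i);
            String name = field.getAttribute("name");
            String regex = field.getAttribute("regex");
            if (name.isEmpty() || regex.isEmpty()) {
                throw new IllegalArgumentException("field entry " + i + " is missing name or regex");
            }
            // Pattern.compile throws PatternSyntaxException on a malformed regex, so a bad DB entry
            // fails at load time instead of silently accepting every input later.
            fields.put(name, Pattern.compile(regex));
        }
    }

    /**
     * The library's single entry point: true only if the ENTIRE text is in the field's language.
     * Matcher.matches() anchors implicitly; Matcher.find() would accept "<script>" as long as some
     * substring matched, which is the classic validation mistake.
     */
    public boolean validate(String fieldName, String text) {
        Pattern p = fields.get(fieldName);
        if (p == null || text == null) {
            return false; // unknown field type or null input: fail closed
        }
        return p.matcher(text).matches();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample field DB for the demo, not data from the project
        String xml = "<fields>"
                + "<field name=\"username\" regex=\"[A-Za-z0-9_]{3,20}\"/>"
                + "<field name=\"comment\" regex=\"[\\p{L}\\p{N} .,!?'-]{1,500}\"/>"
                + "</fields>";
        FieldValidator validator = new FieldValidator(xml);

        String[][] samples = {
            {"username", "ran_mor"},                       // accepted
            {"username", "ran<script>alert(1)</script>"},  // rejected: '<', '>', '(' are not in the class
            {"comment",  "Nice work, see you in May!"},    // accepted
            {"comment",  "hello <b>world</b>"},            // rejected: any markup character is outside the class
            {"comment",  "line one\nline two"},            // rejected: newline is not in the class
            {"address",  "anything"},                      // rejected: no such field type
        };
        for (String[] s : samples) {
            System.out.printf("%-8s %-40s -> %s%n",
                    s[0], s[1].replace("\n", "\\n"), validator.validate(s[0], s[1]));
        }
    }
}
```

Two design points worth keeping when the real library is built: because the regexes come from the DB and are applied to attacker-controlled text, every stored expression should carry an explicit length bound (as the `{1,500}` above does) and be reviewed for nested quantifiers that backtrack badly; and an allowlist at input time is one layer only, so the test site and any consumer should still encode field values when rendering them into HTML.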

Page 14

GUI Classes

Handle all the GUI elements in the system. Use small classes, each of which is part of the whole GUI. Use some of the GUI components of the JFlap package (in the state machine functionalities).

Admin Class

Represents an administrator user in the system. It has two fields: a unique ID number and a password.

Regex Package Classes

Deal with regular expressions. Already implemented in Java; we will use them to manage and perform operations on regular expressions in the system.

Page 15

Jflap Package Classes

A big package of classes that deals with state machines and has vast functionality. We will mainly use its tools to draw state machines and extract regular expressions from state machines.

Page 16

So Far… Code:

System, regex, admin, field, GUI: 90% of the code implemented.

Database: code implemented; there is a conceptual problem: how the JAR and the GUI system should interact with the same XML file.

Jflap package: interaction with the package exists. Changes in the package itself need to be made to best answer the system requirements.

Testing site: site code is completed. Written in XHTML, CSS, PHP. Not yet tested with the attacking program (Upscan).

Learning engine: exploring the best algorithms to use for the project's particular problem, with the assistance of Dr Gera Weiss and Dr Nir Eitan from the Weizmann Institute of Science.

Page 17

User Interface

Page 18

Main Screen

The user has three options to create a new field.

Page 19

Main Screen

“New field using Regular-Expression”: the user inserts a new field name and the matching regular expression.

“New field using State-Machine”: the user inserts a field name and draws the matching state-machine in a new screen (the Jflap screen).

“New field using Regular-Expression and State-Machine”: the user inserts a field name and a regular expression. Then the matching state-machine will appear, and the user will have the option to change it.

Page 20

Administrator Screen

The administrator has three options.

Page 21

Administrator Screen

“Delete field”: the administrator chooses a field name from the list of fields, and the system deletes the field from the DB.

“Edit field”: the administrator chooses a field name from the list of fields and inserts a new regular expression.

“Edit field using state-machine”: the administrator chooses a field name from the list of fields; the matching state-machine will appear in the Jflap screen, and there he can change it.

Page 22

The Jflap Screen

In the Jflap screen the user will have the tools to draw state-machines.

Page 23

Open Questions

Database: use an XML database (Amdocs requirement) or SQL Server as the database.

Learning Engine: what algorithm to use, and the type of the “learning” database (good inputs or bad inputs).

Page 24

Tasks List

The detailed tasks list is published in the full ADD document on the project website.

In general:

GUI + DB: February 2011
XSS prevention research: March 2011
Integration with the Jflap package: March 2011
Main functionalities: March-April 2011
Testing: April 2011
Attacks of our website: May 2011

Page 25

Thank You!