1
Input Validation For Free Text Fields – ADD
Project Members: Hagar Offer & Ran Mor
Academic Advisor: Dr Gera Weiss
Technical Advisors: Raffi Lipkin & Nadav Attias
3
Prevent XSS attacks through free text fields.
Companies in the market use web applications to serve their clients. Many of these applications accept free-text fields. Our project goal is to stop such an application from accepting malicious scripts in this type of field.
Add types of fields
Change types of fields and their corresponding regular expressions
Edit regular expressions
Delete fields/regular expressions
4
Create new field using state machine – the user draws a state machine, and then a regular expression is created from the machine.
Create new field using regular expression & state machine – the user enters a regular expression; the system then generates the corresponding state machine, and the user can change the machine until he gets the desired result.
Edit field using state machine.
5
A special site will be developed for testing purposes. Each field will have a representation on it. Special attack software (Upscan) will be used. Testing in iterations – the regular expression is revised every iteration.
Engine that will go over a variety of inputs for a specific field, learn all the data (bad and/or good inputs), and infer the regular expression representing this type of field according to that information.
** This feature was not part of the original project and will be developed within the time limitations and deadlines.
7
JAR Library
GUI
Web Site
Database
8
Database: the database is based on XML, and the system uses the Java XML-parsing classes to write to and read from the XML files. It contains all the types of fields, and for each field a regular expression.
JAR library: will be added to existing code and prevent massive changes in it. The main functionality of the library is to receive a text, check its validity using the regular expression stored in the DB, and return whether the input text is valid or not.
9
GUI: connects the user to the database. Displays all the types of fields currently stored in the database. Adds new types of fields to the database using regular expressions, state machines, etc.
Web Site: for testing purposes. Contains a free text field for each predefined type of field. Tested using “UpScan” – attack software.
11
System (façade)
Jflap package
GUI classes
Admin
Field
Jar
Database
Regex package (Matcher, Pattern)
12
Field: represents a field in the system. It has two main internal fields: name – the name of the field; regex – a regular expression that represents the language of all the valid inputs for this type of field.
Database: writes and reads data from the XML files. All the functions that concern retrieving and storing data are implemented in this class: store user, store field, retrieve user, retrieve field, etc.
13
System: functions as a façade class. It provides a unified interface to a set of interfaces in a subsystem, and connects the GUI (upper layer) with all the logic classes (bottom layers) such as the database, JFlap and regex classes. All the functions of this class delegate the actions to the foundation classes responsible for handling them.
Jar: this class and its methods will be used by external users to validate the free text fields. It has one main function called "validate". It will be imported into projects and used as an external package.
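The slides above describe the Jar class's single "validate" entry point: receive a text, look up the field's regular expression in the XML database, and answer valid or not. The following is an added illustration of that design and is not the project's code; the XML layout (a `fields` element with `field name="…" regex="…"` children), the class names and the sample field definitions are all assumptions made here. It shows the two details a practitioner would want right: the regex is applied as a whole-string match (`matches()`, not `find()`), so the stored expression acts as a whitelist of the entire input, and the XML "database" is parsed with DTD processing disabled so the loader itself is not an injection point.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Hypothetical field database loaded from XML; validates free-text input against a per-field whitelist regex. */
public class FieldValidator {

    /** One field type: its name and the regex describing every valid input (mirrors the page's Field class). */
    static final class Field {
        final String name;
        final Pattern regex;   // compiled once at load time, matched as a whole-string match
        Field(String name, String regex) {
            this.name = name;
            this.regex = Pattern.compile(regex);
        }
    }

    private final Map<String, Field> fields = new HashMap<>();

    /** Constructed sample of the XML "database" format assumed here (not the project's real schema). */
    static final String SAMPLE_DB =
        "<fields>"
      + "  <field name=\"username\" regex=\"[A-Za-z][A-Za-z0-9_]{2,15}\"/>"
      + "  <field name=\"zipcode\" regex=\"[0-9]{5}\"/>"
      + "  <field name=\"comment\" regex=\"[A-Za-z0-9 .,!?'\\-]{1,200}\"/>"
      + "</fields>";

    /** Loads field definitions from the XML text with DTDs and entity expansion disabled (XXE hardening of the loader). */
    static FieldValidator fromXml(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        FieldValidator v = new FieldValidator();
        NodeList nodes = doc.getElementsByTagName("field");
        for (int i = 0; i < nodes.getLength(); i++) {
            Element e = (Element) nodes.item(i);
            String name = e.getAttribute("name");
            v.fields.put(name, new Field(name, e.getAttribute("regex")));
        }
        return v;
    }

    /** The library's single entry point: true only if the entire text matches the field's regex. Unknown fields fail closed. */
    public boolean validate(String fieldName, String text) {
        Field field = fields.get(fieldName);
        if (field == null || text == null) {
            return false;
        }
        // matches() requires the whole input to match; find() would accept a valid substring surrounded by markup.
        return field.regex.matcher(text).matches();
    }

    public static void main(String[] args) throws Exception {
        FieldValidator v = fromXml(SAMPLE_DB);
        String[][] cases = {
            {"username", "hagar_01"},                    // valid
            {"username", "<script>alert(1)</script>"},   // rejected: '<' is outside the whitelist
            {"zipcode",  "12345"},                       // valid
            {"zipcode",  "12345<b>"},                    // rejected: extra characters after a valid prefix
            {"comment",  "Nice work, thanks!"},          // valid
            {"comment",  "Hello \"world\""},             // rejected: double quotes are not whitelisted
            {"unknown",  "anything"},                    // rejected: no such field type in the DB
        };
        for (String[] c : cases) {
            System.out.printf("%-9s %-30s -> %s%n", c[0], c[1], v.validate(c[0], c[1]) ? "valid" : "rejected");
        }
    }
}
```

Compiling each pattern at load time means a malformed expression entered by an administrator fails when the database is loaded rather than on every request. Because the expressions are administrator-supplied, the GUI should also reject patterns with nested unbounded quantifiers, which can make `matches()` backtrack for a long time on crafted input; the whitelist character classes used above do not have that problem.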
14
GUI classes: handle all the GUI elements in the system. They use small classes, each of which is part of the whole GUI, and some of the GUI components of the JFlap package (in the state machine functionality).
Admin: represents an administrator user in the system. It has two fields: a unique ID number and a password.
Regex package: deals with regular expressions. It is already implemented in Java, and we will use it to manage and perform operations on regular expressions in the system.
15
Jflap package: a big package of classes that deal with state machines. It has vast functionality; we will mainly use the tools to draw state machines and extract regular expressions from state machines.
16
Code:
System, regex, admin, field, GUI: 90% of the code implemented.
Database: code implemented; there is a conceptual problem – how the JAR and GUI system should interact with the same XML file.
Jflap package: interaction with the package exists. Changes in the package itself need to be made to best answer the system requirements.
Testing site: site code is completed. Written in XHTML, CSS, PHP. Not yet tested with the attacking program (Upscan).
Learning engine: exploring the best algorithms for the project’s particular problem, with the assistance of Dr Gera Weiss and Dr Nir Eitan from the Weizmann Institute of Science.
18
The user has three options to create a new field.
19
“New field using Regular-Expression” – the user inserts a new field name and the matching regular expression.
“New field using State-Machine” – the user inserts a field name and draws the matching state-machine in a new screen (the Jflap screen).
“New field using Regular-Expression and State-Machine” – the user inserts a field name and a regular expression. Then the matching state-machine appears, and the user has the option to change it.
20
The administrator has three options.
21
“Delete field” – the administrator chooses a field name from the list of fields, and the system deletes the field from the DB.
“Edit field” – the administrator chooses a field name from the list of fields and inserts a new regular expression.
“Edit field using state-machine” – the administrator chooses a field name from the list of fields; the matching state-machine appears in the Jflap screen, and there he can change it.
22
In the Jflap screen the user will have the tools to draw state-machines.
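The state-machine screens described above let a user define a field by drawing states and labelled edges instead of typing a regular expression, and the "regular expression and state machine" option lets them edit the machine until it accepts exactly the desired inputs. The following is an added illustration of what such a drawn machine means at validation time; it is not JFlap's or the project's code, and the `StateMachineField` class, its edge builder and the sample machines are assumptions made here. It runs input through a table-driven DFA (a missing edge means reject) and cross-checks the machine against the regular expression it is meant to be equivalent to on a set of constructed samples, which is the manual "edit until it matches" loop made explicit.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical table-driven DFA standing in for a machine drawn in the JFlap screen (not JFlap's or the project's code). */
public class StateMachineField {
    private final String name;
    private final int start;
    private final Set<Integer> accepting = new HashSet<>();
    // delta[state][char] = next state; a missing entry means "no edge", i.e. the input is rejected
    private final Map<Integer, Map<Character, Integer>> delta = new HashMap<>();

    StateMachineField(String name, int start, int... acceptingStates) {
        this.name = name;
        this.start = start;
        for (int s : acceptingStates) accepting.add(s);
    }

    /** Adds an edge from -> to labelled with every character in chars (one drawn arrow carrying a character class). */
    StateMachineField on(int from, String chars, int to) {
        Map<Character, Integer> row = delta.computeIfAbsent(from, k -> new HashMap<>());
        for (char c : chars.toCharArray()) row.put(c, to);
        return this;
    }

    /** Runs the whole input through the machine; valid only if every character has an edge and the run ends in an accepting state. */
    boolean accepts(String text) {
        int state = start;
        for (char c : text.toCharArray()) {
            Map<Character, Integer> row = delta.get(state);
            Integer next = (row == null) ? null : row.get(c);
            if (next == null) return false; // the machine is stuck on this character: reject, never guess
            state = next;
        }
        return accepting.contains(state);
    }

    /** Expands an a-z style range into the explicit character list the edge builder takes. */
    static String chars(char from, char to) {
        StringBuilder sb = new StringBuilder();
        for (char c = from; c <= to; c++) sb.append(c);
        return sb.toString();
    }

    /** Reports whether the drawn machine and the typed regex agree on every sample; disagreements are printed for the editor. */
    static boolean agreesWith(StateMachineField m, Pattern regex, String... samples) {
        boolean agree = true;
        for (String s : samples) {
            boolean byMachine = m.accepts(s);
            boolean byRegex = regex.matcher(s).matches();
            if (byMachine != byRegex) {
                agree = false;
                System.out.printf("%s: machine=%b regex=%b for \"%s\"%n", m.name, byMachine, byRegex, s);
            }
        }
        return agree;
    }

    public static void main(String[] args) {
        String letters = chars('A', 'Z') + chars('a', 'z');
        String digits = chars('0', '9');

        // username: a letter, then any number of letters, digits or underscores (regex [A-Za-z][A-Za-z0-9_]*)
        StateMachineField username = new StateMachineField("username", 0, 1)
            .on(0, letters, 1)
            .on(1, letters + digits + "_", 1);

        // zipcode: exactly five digits (regex [0-9]{5}); a counting machine needs one state per digit
        StateMachineField zipcode = new StateMachineField("zipcode", 0, 5);
        for (int i = 0; i < 5; i++) zipcode.on(i, digits, i + 1);

        // constructed samples, including inputs that should be rejected by both definitions
        String[] samples = {"hagar_01", "1abc", "", "<script>alert(1)</script>", "12345", "1234", "123456", "12a45"};
        System.out.println("username agrees with its regex: " + agreesWith(username, Pattern.compile("[A-Za-z][A-Za-z0-9_]*"), samples));
        System.out.println("zipcode agrees with its regex:  " + agreesWith(zipcode, Pattern.compile("[0-9]{5}"), samples));
        for (String s : samples) {
            System.out.printf("%-28s username=%-5b zipcode=%b%n", s, username.accepts(s), zipcode.accepts(s));
        }
    }
}
```

The zipcode machine shows why "edit the machine until it matches" can be laborious for bounded repetition: a `{5}` in the regex becomes five chained states, and a `{2,15}` would need fifteen, which is where generating the machine from the regex (the third creation option) saves the user work.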
23
Database – use an XML database (Amdocs requirement) or SQL Server as the database.
Learning Engine – what algorithm to use, and the type of the “learning” database (good inputs or bad inputs).
24
The detailed tasks list is published in the full ADD document on the project website. In general:
GUI + DB: February 2011
XSS prevention research: March 2011
Integration with the Jflap package: March 2011
Main functionalities: March-April 2011
Testing: April 2011
Attacks on our website: May 2011