
Input Validation For Free Text Fields
ADD
Project Members: Hagar Offer & Ran Mor
Academic Advisor: Dr Gera Weiss
Technical Advisors: Raffi Lipkin & Nadav Attias
Prevent XSS attacks through free text fields.
Companies in the market use web applications to serve their clients.
Many of these applications accept free-text fields.
Our project goal is to stop such an application from accepting
malicious script in this type of field.
Add types of fields.
Change types of fields and their corresponding regular expressions.
Edit regular expressions.
Delete fields/regular expressions.
Create new field using state machine – the user draws a state machine,
and then a regular expression is created from the machine.
Create new field using regular expression & state machine – the user
enters a regular expression, then the system generates the
corresponding state machine and the user can change the machine
until the desired result is reached.
Edit field using state machine.
A special site will be developed for testing purposes. Each field will
have a representation on it.
Special attack software (Upscan) will be used.
Testing in iterations – the regular expressions are revised every iteration.
An engine that will go over a variety of inputs for a specific field, learn
all the data (bad and/or good inputs) and infer the regular
expression representing this type of field according to that
information.
** This feature was not part of the original project and will be
developed within the time limitations and deadlines.
Database
The database is based on XML, and the system uses Java XML-parsing
classes to write to and read from the XML files.
It contains all the types of fields, and for each field a regular
expression.
GUI
Connects the user to the database.
Displays all the types of fields currently stored in the database.
Adds new types of fields to the database using regular expressions,
state machines etc.
JAR Library
Will be added to existing code and prevents massive changes in it.
The main functionality of the library is to receive a text, check its
validity using the regular expression stored in the DB, and
return whether the input text is valid or not.
Web Site
For testing purposes.
Contains a free text field for each predefined type of field.
Tested using “UpScan” – attack software.
Class diagram: GUI classes, Jflap package, System (façade), Regex package (Pattern, Matcher), Field, Database, Jar, Admin.
Field: represents a field in the system.
It has two main internal fields:
name – the name of the field.
regex – a regular expression that represents the language of all
the valid inputs for this type of field.
Database: writes and reads data from the XML files.
All the functions that concern retrieving and storing data are
implemented in this class: store user, store field, retrieve user, retrieve
field, etc.
System: functions as a façade class.
It provides a unified interface to a set of interfaces in a subsystem, and
connects the GUI (upper layer) with all the logic classes (bottom
layers) such as the database, JFlap and REGEX classes.
All the functions of this class delegate the actions to the
foundation classes that are responsible for handling them.
Jar: this class and its methods will be used by external users to validate
the free text fields.
It has one main function called "validate".
It will be imported into projects and used as an external package.
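As an added illustration (not the project's code), the validate flow described above in Python: a Field holding its name and regex, an XML store of the shape the Database class implies, and a validate entry point of the kind the Jar class exposes. Python's re.fullmatch plays the role of Java's Matcher.matches(): the regex has to cover the whole input, which is the check an allowlist needs. The field definitions and inputs are constructed samples, and the XML element names are assumptions.

```python
import re
import xml.etree.ElementTree as ET


class Field:
    """A field type: its name and the regex describing every valid input."""

    def __init__(self, name, regex):
        self.name = name
        self.regex = regex
        self._pattern = re.compile(regex)

    def validate(self, text):
        # fullmatch() requires the whole input to match, like Java's
        # Matcher.matches(). Anchoring with "$" instead would still let a
        # trailing newline through, so the whole-input form is preferred.
        return self._pattern.fullmatch(text) is not None


def fields_to_xml(fields):
    """Serialise fields as <fields><field name="...">regex</field></fields>.

    The element names are an assumption; the page only says the store is XML.
    """
    root = ET.Element("fields")
    for field in fields:
        ET.SubElement(root, "field", name=field.name).text = field.regex
    return ET.tostring(root, encoding="unicode")


def fields_from_xml(xml_text):
    """Parse the XML store back into a dict of name -> Field."""
    root = ET.fromstring(xml_text)
    return {
        el.get("name"): Field(el.get("name"), el.text or "")
        for el in root.findall("field")
    }


def validate(fields, field_name, text):
    """Library entry point: look up the field's regex and judge the text.

    An unknown field name is rejected, so a caller that misspells a field
    name fails closed instead of accepting everything.
    """
    field = fields.get(field_name)
    if field is None:
        return False
    return field.validate(text)


def unanchored_check(regex, text):
    """The pitfall, kept only for contrast: search() succeeds if the regex
    matches anywhere, so "Ran Mor<script>" passes a name regex."""
    return re.search(regex, text) is not None


# Constructed sample field definitions (allowlists, not denylists).
SAMPLE_FIELDS = [
    Field("name", r"[A-Za-z][A-Za-z' -]{0,39}"),
    Field("zip", r"[0-9]{5}"),
]

if __name__ == "__main__":
    fields = fields_from_xml(fields_to_xml(SAMPLE_FIELDS))
    for field_name, text in [("name", "Ran Mor"), ("name", "Ran Mor<script>"), ("zip", "84105")]:
        print(field_name, repr(text), validate(fields, field_name, text))
```

The contrast between validate() and unanchored_check() is the whole point of the design: the stored regex describes the complete language of valid inputs, so the library must ask "is the entire text in that language", never "does the text contain something valid".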
GUI: handles all the GUI elements in the system.
It uses small classes, each of which is part of the whole GUI, and
some of the GUI components of the JFlap package (in the state
machine functionalities).
Admin: represents an administrator user in the system.
It has two fields: a unique ID number and a password.
Regex package: deals with regular expressions.
It is already implemented in Java and we will use it to manage and
perform operations on regular expressions in the system.
Jflap package: a big package of classes that deals with state machines.
It has vast functionality.
We will mainly use the tools to draw state machines and extract
regular expressions from state machines.
Code:
System, regex, admin, field, GUI: 90% of the code implemented.
Database: code implemented; there is a conceptual problem – how
the JAR and the GUI system should interact with the same XML file.
Jflap package: interaction with the package exists. Changes in the
package itself need to be made to best answer the system
requirements.
Testing site: site code is completed, written in XHTML, CSS and PHP.
Not yet tested with the attacking program (Upscan).
Learning engine: exploring the best algorithms to use for the
project's particular problem, with the assistance of Dr Gera Weiss and Dr Nir
Eitan from the Weizmann Institute of Science.
The user has three options to create a new field.
“New field using Regular-Expression” –
the user inserts a new field name and the matching regular
expression.
“New field using State-Machine” –
the user inserts a field name and draws the matching state-machine in a new screen (the Jflap screen).
“New field using Regular-Expression and State-Machine” –
the user inserts a field name and a regular expression. Then the
matching state-machine will appear, and the user will have the
option to change it.
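As an added illustration (not the project's JFlap integration) of why the regex and the drawn machine must be kept in step: a small DFA in Python for a constructed "product code" field, an edit of that machine of the kind the user can make on the Jflap screen, and an exhaustive bounded comparison of machine against regex that shows exactly where the old regex stops describing the edited machine. The field, its regexes and the test alphabet are constructed.

```python
import re
import string
from itertools import product


class DFA:
    """A deterministic finite automaton read one character at a time.

    transitions maps (state, char) -> state. A missing transition means the
    machine has entered a dead state: the input is rejected as a whole,
    which is what a field allowlist needs.
    """

    def __init__(self, start, accepting, transitions):
        self.start = start
        self.accepting = set(accepting)
        self.transitions = dict(transitions)

    def accepts(self, text):
        state = self.start
        for ch in text:
            state = self.transitions.get((state, ch))
            if state is None:
                return False
        return state in self.accepting

    def with_edge(self, src, chars, dst):
        """Return a copy with an edge added for every char in chars
        (the 'user edits the machine' step)."""
        edited = dict(self.transitions)
        edited.update({(src, ch): dst for ch in chars})
        return DFA(self.start, self.accepting, edited)


def edges(src, chars, dst):
    return {(src, ch): dst for ch in chars}


# Constructed field type "product code": two upper-case letters then three
# digits, as a machine drawn by hand. State 5 is the only accepting state.
PRODUCT_CODE = DFA(
    start=0,
    accepting={5},
    transitions={
        **edges(0, string.ascii_uppercase, 1),
        **edges(1, string.ascii_uppercase, 2),
        **edges(2, string.digits, 3),
        **edges(3, string.digits, 4),
        **edges(4, string.digits, 5),
    },
)
PRODUCT_CODE_REGEX = r"[A-Z]{2}[0-9]{3}"

# The same machine after the user adds a digit self-loop on the accepting
# state, so codes may end with three or more digits.
EDITED = PRODUCT_CODE.with_edge(5, string.digits, 5)
EDITED_REGEX = r"[A-Z]{2}[0-9]{3,}"


def first_disagreement(dfa, regex, alphabet, max_len):
    """Compare the machine with the regex on every string over `alphabet`
    of up to `max_len` characters; return the first string on which they
    disagree, or None if they agree everywhere in that range.

    This is the check a user needs after editing the machine: a regex
    generated from the original drawing no longer describes the edited one.
    """
    pattern = re.compile(regex)
    for n in range(max_len + 1):
        for chars in product(alphabet, repeat=n):
            text = "".join(chars)
            if dfa.accepts(text) != (pattern.fullmatch(text) is not None):
                return text
    return None


if __name__ == "__main__":
    print(first_disagreement(PRODUCT_CODE, PRODUCT_CODE_REGEX, "AB19<", 6))  # None
    print(first_disagreement(EDITED, PRODUCT_CODE_REGEX, "AB19<", 6))        # AA1111
    print(first_disagreement(EDITED, EDITED_REGEX, "AB19<", 6))              # None
```

The bounded comparison is not a proof of equivalence (a real regenerate-from-machine step is what the Jflap package provides), but it catches the common case where a user edits the drawing and the stored regex silently stays behind, which for a validation allowlist means the field accepts something nobody reviewed.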
The administrator has three options.
“Delete field” –
the administrator chooses a field name from the list of fields, and
the system deletes the field from the DB.
“Edit field” –
the administrator chooses a field name from the list of fields and
inserts a new regular expression.
“Edit field using state-machine” –
the administrator chooses a field name from the list of fields, the
matching state-machine will appear in the Jflap screen, and
there the administrator can change it.
In the Jflap screen the user will have the tools to draw state-machines.
Database – use an XML database (Amdocs requirement)
or SQL Server as the database.
Learning Engine – what algorithm to use, and the type of
the “learning” database (good inputs or bad inputs).
The detailed tasks list is published in the full ADD
document on the project website.
In general:
GUI + DB: February 2011
XSS prevention research: March 2011
Integration with the Jflap package: March 2011
Main functionalities: March-April 2011
Testing: April 2011
Attacks of our website: May 2011