Input Validation For Free Text Fields

Posted: 20-Dec-2015

Page 1

Input Validation For Free Text Fields

Project Members: Hagar Offer & Ran Mor
Academic Advisor: Dr Gera Weiss
Technical Advisors: Raffi Lipkin & Nadav Attias

Page 2

Background

The main goal of our project is to prevent script injection through free text fields. It deals mainly with XSS (Cross-site scripting), a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users.

Page 3

Little More On XSS

Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink or from a text field which contains malicious content within it. The user will most likely click on this link from another website or instant message, or simply while reading a web board or email message.

Page 4

Malicious script that has not been blocked can lead to several major problems:

• Usually it will be stored in the database of the company. Then it will probably be pulled out and an application will run this script. It can either harm other systems inside the company, or a client's browser will run this script and harm the client's computer/systems.

• An attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser.

Page 5

Escaping

There is another solution called Escaping (aka Output Encoding). Escaping is a technique used to ensure that characters are treated as data, not as characters that are relevant to the interpreter's parser.

The Problem: companies do not want to have malicious scripts in their database, as not all web applications using this database are controlled by the company, and therefore they cannot be assured that the client browser supports this feature.

Page 6

The Problem Domain

[Diagram: the problem domain, showing the JAR Library, the GUI, the Web Site and the Database as the system's components.]

Page 7

Database

The database contains all the types of fields, and for each field a regular expression is stored. This regular expression represents the valid inputs for this specific type of field. In addition, for each field a predefined error message is stored. The error message indicates the cause of the rejection of the input.

JAR Library

In order to reduce changes in existing applications, a JAR library will be added to the existing code and prevent massive changes in it. The main functionality of the library is to receive a text, check its validity using the regular expression that is stored in the DB, and return whether the input text is valid or not.

Page 8

The GUI

This feature of the system connects the user to the database. It has two main functionalities:

• Display all the types of fields currently stored in the database. This enables the user to see the types of fields that are already in the system and that can be used in the JAR library.

• Add new types of fields to the database. This can be done in two ways:

  • Insert a new regular expression that represents all the valid expressions for this specific type of field.

  • Draw a state machine whose language is all the valid expressions for the new type of field.**

  • Fix/edit an existing or a new regular expression using a state machine.

The Web Site

Built in order to test the system. Mainly, the site will contain a free text field for each predefined type of field. Special software will be used in order to "attack" the site. Then the results will be analyzed, and according to the conclusions the system will be changed to supply better security.

Page 9

Current Situation

• Amdocs tried to use a predefined Microsoft library called Anti-XSS.

• This solution didn't work:

  • Applications weren't able to work.

  • The library blocked almost every input.

  • Amdocs staff don't have the opportunity to add new definitions to the system.

  • In order to make it work, a massive change needs to be done in ALL Amdocs web applications – too much time and money.

• Today Amdocs uses ISAPI in order to deal with the problem.

• In reality: the level of security is very low!

Page 10

Proposed Solution

Our project goal is to create a new XSS prevention library that will focus on web applications.

Deep research will be conducted in order to provide specific and accurate safety for each type of free text field that Amdocs applications use.

In addition, the system will have the ability to add to and improve the level of security in the future.

Page 11

System architecture & Technologies

The software will be divided into three major layers:

• Persistence layer – database (library) that will hold all the information about the types of fields, and for every field the type of characters that are valid for this specific field (regular expression).

• Logic layer – this layer will control the algorithms: receiving inputs, processing them, and generating the outputs. Part of the software is to receive new information about new/old fields, through an automaton or a regular expression, and these algorithms will also be part of this layer. This layer will be implemented in the JAR library.

• Presentation layer – GUI that enables the user to view/edit/add/delete the types of fields stored in the system. The GUI will receive inputs from the user and pass them to the logic layer, which uses the persistence layer to make the required changes and/or display the results to the user (in future).

Page 12

Main Technologies

• Regular Expressions: the system will use the Java regular expressions package called regex.

• XML Database: the system will use Java XML parsing classes. (Amdocs demand)

• UpScan Software: UpScan is software that attacks web applications with many known attacks. We will use UpScan to attack our web site in order to see our system's efficiency.

• State Machine interaction (in future versions): the system will use two extensions:

  • Java SwingStates library.

  • GraphViz visualization software.

Page 13

Main Functional Requirements

• Determine if text is safe or not.

• Insert a regular expression that defines the language of all the expressions that are valid for the type of the newly defined field.

• Draw a deterministic finite-state machine that defines the language of all the expressions that are valid for the type of the newly defined field.

• Insert a regular expression and then change it by editing a state machine that the system created. (Also used to define a new type of field.)

Note: "safe" text or "determine if text is safe or not" means that the input text does not contain any malicious code such as script injection code.

Page 14

Main Functional Requirements (cont.)

• Delete existing fields from the database – can be done only by an administrator.

• Edit existing fields in the database – can be done only by an administrator.

Page 15

Main Non-Functional Requirements

Testing the system

• A website will be developed. This site will contain all the fields that are in the database.

• Special Amdocs software, named UpScan, will be used. This software attacks the fields that the website contains.

• The testing will be done in iterations.

• In each iteration we will "attack" our website and analyze the results. Then the results will be examined, and from the conclusions we will improve the data of the fields that did not pass the level of security we determine.

• The level of security will be measured as the number of blocked attacks out of the total number of attacks on a specific field.

Page 16

Main Non-Functional Requirements

Predetermined types of fields

The system will be supplied with a built-in database that will include the following types of fields:

First name, Last name, Address, Owner, Title, ID, Object type, Login name, Parent object ID, Customer status, Product name, Behavior, Sub-type, Description, Password.

Page 17

Use-Cases

Page 18

Use-Cases: Predetermined type field functionality

Primary Actors: User, Admin

Description: The user wants to enter text in a certain field, and the system checks if the text is valid in that field.

Pre-Conditions: The field exists in the DB.

Post-Conditions: A Boolean function returns true if the text is valid in this field, and false (with the addition of an error message) otherwise.

Main (Success) Scenario:

1) The user calls a function from the new JAR library, with the text and field as inputs.

2) The system pulls out the matching regular expression from the DB.

3) The system checks whether the text is valid according to the regular expression, and returns a Boolean answer.
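As an added illustration of this use case and of the JAR library described on Page 7 (example code written here, not the project's own code): a small Java validator that loads field definitions from an XML store, compiles the stored regular expression for each field type, and returns the stored error message when the whole text does not match. The XML layout, the sample field definitions, and the class and method names are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
public class FieldValidator {
    // Constructed sample of the XML store (hypothetical layout): one <field> per type,
    // each with an allowlist regular expression and the error message to return on rejection.
    static final String SAMPLE_DB =
        "<fields>"
      + "<field name='First name' regex=\"[A-Za-z][A-Za-z' -]{0,39}\""
      + " error='First name: letters, space, apostrophe and hyphen only, up to 40 characters'/>"
      + "<field name='ID' regex='[0-9]{9}' error='ID: exactly 9 digits'/>"
      + "</fields>";
    private final Map<String, Pattern> patterns = new HashMap<>();
    private final Map<String, String> errors = new HashMap<>();

    public FieldValidator(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // The store holds plain field definitions, so a DOCTYPE has no business here: refusing it rules out XXE.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = factory.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList fields = doc.getElementsByTagName("field");
        for (int i = 0; i < fields.getLength(); i++) {
            Element e = (Element) fields.item(i);
            patterns.put(e.getAttribute("name"), Pattern.compile(e.getAttribute("regex")));
            errors.put(e.getAttribute("name"), e.getAttribute("error"));
        }
    }
    /** Returns null when the text is valid for the field, otherwise the stored error message. */
    public String validate(String field, String text) {
        Pattern p = patterns.get(field);
        if (p == null) return "Unknown field type: " + field; // fail closed rather than pass unknown fields
        // matches() demands that the whole text fit the allowlist; find() would pass any text
        // that merely contains a valid fragment, which defeats the point of the check.
        return p.matcher(text).matches() ? null : errors.get(field);
    }

    public static void main(String[] args) throws Exception {
        FieldValidator v = new FieldValidator(SAMPLE_DB);
        System.out.println("O'Brien -> " + v.validate("First name", "O'Brien"));
        System.out.println("Bob<b>x</b> -> " + v.validate("First name", "Bob<b>x</b>"));
        System.out.println("12345678 -> " + v.validate("ID", "12345678"));
    }
}
```

The regular expressions are allowlists of what a field may contain, which is why the check uses a whole-text match: anything outside the allowlist, including markup or script characters, is rejected with the field's stored message rather than searched for by name.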

Page 19

Use-Cases: Predetermined type field functionality

Page 20

Use-Cases: Regular expression functionality

Primary Actors: User, Admin

Description: The user wants to generate a new regular expression for a new field.

Pre-Conditions: None.

Post-Conditions: A new field and a new regular expression are generated and inserted into the DB.

Main (Success) Scenario:

1) The user selects the option "new regular expression".

2) The user enters a new field's name.

3) The user inserts a regular expression.

4) The software inserts the new field with its new regular expression into the DB.

5) The software displays a confirmation message.

Page 21

Use-Cases: Regular expression functionality

Page 22

Risks

As the project is based mainly on research about XSS prevention, the major point of failure will be not succeeding in the task of preventing attacks efficiently. Hence, most of the efforts will be focused on deep research.

Page 23