Input Validation For Free Text Fields

User Manual
Project Members: Hagar Offer & Ran Mor
Academic Advisor: Dr. Gera Weiss
Technical Advisors: Raffi Lipkin & Nadav Attias

Table of Contents
1 Introduction
2 Main Window Overview
3 Main Functionalities
3.1 New Field Using Regular Expression
3.2 New Field Using State Machine
3.2.1 The Upper Menu
3.3 Learning Using Positive/Non-Positive Engine
3.4 Learning Using Positive Engine
3.5 Validate Categories Functionality
3.6 Export Database To Other Project Functionality
4 Import The Validation System To External Project
5 Additional General Functionalities
5.1 Deleting Category From The System
5.2 Edit Regular Expression Category
5.3 Upper Menu

1 Introduction

The main goal of our project is to prevent script injection through free text fields. It deals mainly with XSS (Cross-Site Scripting), a type of security vulnerability typically found in web applications that enables attackers to inject client-side script into web pages viewed by other users.

Companies use web applications to serve their clients, and many of these applications accept free-text fields. Our project's goal is to stop such an application from accepting malicious script in this type of field. Malicious script that has not been blocked can lead to several major problems: usually it is stored in the company's database; later it is pulled out and rendered by an application, where it either harms other systems inside the company or is run by a client's browser and harms the client's computer or systems. An attacker can thereby gain access to sensitive page content, session cookies, and a variety of other information maintained by the browser.

There is another defence, called escaping (also known as output encoding). Escaping ensures that characters are treated as data rather than as characters that are significant to the interpreter's parser, so the browser does not run the injected code. However, companies do not want to hold malicious scripts in their database at all: not every application that reads this database is controlled by the company, so the company cannot be sure that every consumer encodes the data correctly before rendering it. For big companies that serve clients it is very important to block malicious scripts from entering the system, because once a client is harmed he does not care what the reason was; from the client's point of view, the full responsibility lies with the company. In practice the two techniques are complementary: validation at the input boundary limits what gets stored, while output encoding at every rendering point is still required, because what counts as dangerous depends on the context (HTML body, attribute, JavaScript, URL) in which the stored text is later placed.

The system has two main aspects:
1. Managing the system through the GUI window: allowing the user to manage the database, add new regular expressions, and use the state machine functionalities and the learning engines.
2. Using the database in external systems to protect web applications, through built-in functions of our system.

The verification process can be done in three different ways:
1. Verification using regular expressions.
2. Verification using state machine functionalities.
3. Verification using learning engines (the positive and non-positive inputs engine, and the positive inputs only engine).

2 Main Window Overview

(Screenshot: the main window, with Zone 1, Zone 2 and Zone 3 marked.)

The main window provides an easy and fast way to manage the system, including database operations, training operations (regular expressions, state machines, learning engines etc.), the export function and a quick overview of the current database.

Zone 1: this area contains all the main functionalities of the system, with a button for each. When the user clicks one of the buttons, that functionality's process and windows open in Zone 3, the main panel.
Zone 2: this area lists all the categories currently in the system's database. It is divided into three top-level categories, each describing the verification tool that was used for the categories under it.
Zone 3: this area is the main panel of the system.

3 Main Functionalities

3.1 New Field Using Regular Expression

This functionality enables the user to insert new categories into the database, along with their regular expressions. First, the user types the name of the new category. Second, he types the corresponding regular expression. Then the user decides whether the regular expression describes an accepted language, meaning the system will accept only text that matches the regular expression, or a denied language, meaning the system will deny text that matches the regular expression. To finish the operation the user clicks the OK button. If the process completed successfully, the new category is added to the database and a confirmation message is displayed.

Of the two modes, an accepted language (an allowlist of what the field may contain) is the safer choice for a free text field: a denied language has to anticipate every form an injected script can take, and attackers routinely vary case, encoding and tag choice to get around it.
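As an added illustration of the accepted/denied choice (example code written for this page, not the project's own implementation; the category names, the patterns and the sample inputs are constructed), the following Java program models a small category database and runs an accepted-language category and a denied-language category over the same inputs. The last sample shows why the denied mode is weaker: an event-handler attribute carries no "<script" substring at all and slips through the blocklist, while the allowlist rejects it because it contains characters outside the permitted language.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Added example: stand-alone model of the "accepted language" / "denied language"
// choice of section 3.1. Not the project's code; names and patterns are made up.
public class RegexCategoryDemo {

    enum Mode { ACCEPTED_LANGUAGE, DENIED_LANGUAGE }

    // One entry in the category database: the pattern plus how it is interpreted.
    record Category(String name, Pattern pattern, Mode mode) {
        boolean isSafe(String text) {
            return switch (mode) {
                // Allowlist: the whole input must belong to the language.
                case ACCEPTED_LANGUAGE -> pattern.matcher(text).matches();
                // Blocklist: any occurrence of the pattern makes the text unsafe.
                case DENIED_LANGUAGE -> !pattern.matcher(text).find();
            };
        }
    }

    public static void main(String[] args) {
        Map<String, Category> db = new LinkedHashMap<>();
        // Accepted language: letters, digits, spaces and a little punctuation, 1-200 chars.
        db.put("comment", new Category("comment",
                Pattern.compile("[\\p{L}\\p{N} .,!?'-]{1,200}"), Mode.ACCEPTED_LANGUAGE));
        // Denied language: reject anything containing a <script tag (any case).
        db.put("comment-blocklist", new Category("comment-blocklist",
                Pattern.compile("<script", Pattern.CASE_INSENSITIVE), Mode.DENIED_LANGUAGE));

        // Constructed sample inputs.
        List<String> samples = List.of(
                "Great product, would buy again!",
                "<script>alert(1)</script>",
                "<ScRiPt>alert(1)</ScRiPt>",        // CASE_INSENSITIVE still catches this
                "<img src=x onerror=alert(1)>");     // no "<script" at all: blocklist misses it

        for (Category c : db.values()) {
            for (String s : samples) {
                System.out.printf("%-18s safe=%-5s %s%n", c.name(), c.isSafe(s), s);
            }
        }
    }
}
```

Run it with a Java 17 or newer JDK. The "comment" category reports only the first sample as safe; the "comment-blocklist" category reports the first and the last as safe, and the last one is exactly the kind of payload a blocklist built around one tag name cannot see.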

3.2 New Field Using State Machine

This functionality also enables the user to insert new categories into the database, along with their regular expressions. However, it provides a more intuitive and convenient way to create the regular expression: the user draws an automaton, and the system converts it into a regular expression. First, the user draws the automaton using the toolbar in the top-left of the screen, which offers the tools Attribute Editor, State Creator, Transition Creator, Deleter and Undoer. After the user has finished drawing the automaton, he chooses Convert -> Convert FA to RE in the top toolbar. The system then offers repairs to the automaton; to perform them automatically the user clicks the Do It button. The regular expression matching the automaton then appears.

At this point, to add this regular expression to the system's database, the user clicks the New Field button. The screen for adding a new regular expression appears, with the regular expression already filled into the corresponding field. The user then follows the steps of the previous section to finish the operation.

3.2.1 The Upper Menu

File -> Save / Save As: if the user does not want to add the regular expression to the system's database but wants to keep his automaton, he can save it with these options.
File -> Open: re-opens a saved automaton.
File -> Save Image As: saves the automaton as an image (JPG, PNG, GIF, BMP).
File -> Print: prints the automaton.

3.3 Learning Using Positive/Non-Positive Engine

This functionality trains the learning engine that uses both positive and non-positive inputs to perform the learning process.

In step 1, the user chooses whether to add a new category to the system or to train an existing category. If the user enters a string in the "Add New Category" text field, a new category is created in the system and the learning database and operations are associated with that category. If the user selects an existing category from the "Select Existing Category" scroll menu, the learning database and operations are associated with that existing category.

Important note: in this functionality, if the user trains a category that already exists in the system, the new learning database is added to the category's existing learning database.

In step 2, the user uses the file browser to choose a text file containing the positive words database. The words within the text file must be separated by spaces.

In step 3, similarly to step 2, the user uses the file browser to choose a text file containing the non-positive words database, again with the words separated by spaces.

After step 3 the engine has learned the positive and non-positive databases from the text files, and all the data and the associated training files are stored in the database. If the training process completed successfully, a confirmation message is displayed; otherwise, an error message indicating the problem is displayed.

3.4 Learning Using Positive Engine

This functionality trains the learning engine that uses positive inputs only to perform the learning process.

In step 1, the user chooses whether to add a new category to the system or to train an existing category. If the user enters a string in the "Add New Category" text field, a new category is created in the system and the learning database and operations are associated with that category. If the user selects an existing category from the "Select Existing Category" scroll menu, the learning database and operations are associated with that existing category.

Important note: in this functionality, if the user trains a category that already exists in the system, the new learning database deletes the existing learning database and replaces it with a new one for the category.

In step 2, the user uses the file browser to choose a text file containing the positive words database. The words within the text file must be separated by spaces.

After step 2 the engine has learned the positive database from the text file, and all the data and the associated training files are stored in the database. If the training process completed successfully, a confirmation message is displayed; otherwise, an error message indicating the problem is displayed.
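The manual specifies the training-file format (words separated by spaces) and the append-versus-replace behaviour of the two engines in sections 3.3 and 3.4, but not the learning algorithm itself. The following added Java example, written for this page and not the project's code, uses a deliberately simple stand-in rule, an allowlist over the learned vocabulary, so that the two retraining behaviours can be seen side by side; the "review" category and the training words are constructed.

```java
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Added example: simple stand-in for the learning engines of sections 3.3 and 3.4.
// The vocabulary rule in validate() is an assumption for illustration, not the
// project's engine; the file format and the append/replace semantics follow the manual.
public class LearningEngineDemo {

    // Per-category training state: words seen as positive and as non-positive.
    static final class Knowledge {
        final Set<String> positive = new HashSet<>();
        final Set<String> nonPositive = new HashSet<>();
    }

    private final Map<String, Knowledge> db = new LinkedHashMap<>();

    // Contents of a space-separated word file -> lower-cased token set.
    static Set<String> tokens(String fileContents) {
        Set<String> out = new HashSet<>();
        for (String w : fileContents.trim().split("\\s+")) {
            if (!w.isEmpty()) out.add(w.toLowerCase());
        }
        return out;
    }

    // Section 3.3: positive/non-positive engine; retraining ADDS to existing knowledge.
    void trainPositiveNonPositive(String category, String positiveFile, String nonPositiveFile) {
        Knowledge k = db.computeIfAbsent(category, c -> new Knowledge());
        k.positive.addAll(tokens(positiveFile));
        k.nonPositive.addAll(tokens(nonPositiveFile));
    }

    // Section 3.4: positive-only engine; retraining REPLACES existing knowledge.
    void trainPositive(String category, String positiveFile) {
        Knowledge k = new Knowledge();
        k.positive.addAll(tokens(positiveFile));
        db.put(category, k);
    }

    // Assumed rule: text is safe only if every token is a known positive word
    // and none is a known non-positive word.
    boolean validate(String category, String text) {
        Knowledge k = db.get(category);
        if (k == null) throw new IllegalArgumentException("unknown category: " + category);
        for (String t : tokens(text)) {
            if (k.nonPositive.contains(t) || !k.positive.contains(t)) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        LearningEngineDemo engine = new LearningEngineDemo();
        // Constructed training data standing in for the files chosen in the file browser.
        String positiveWords = "great product fast delivery thanks";
        String nonPositiveWords = "<script> alert onerror javascript:";

        engine.trainPositiveNonPositive("review", positiveWords, nonPositiveWords);
        System.out.println(engine.validate("review", "great product thanks"));   // true
        System.out.println(engine.validate("review", "great <script> product")); // false

        // Retraining with the positive/non-positive engine keeps the earlier words...
        engine.trainPositiveNonPositive("review", "cheap", "");
        System.out.println(engine.validate("review", "cheap fast delivery"));    // true

        // ...while retraining with the positive-only engine discards them.
        engine.trainPositive("review", "cheap");
        System.out.println(engine.validate("review", "cheap fast delivery"));    // false
    }
}
```

The last two calls are the point of the example: the same text passes after an additive retraining and fails after a replacing one, which is why the manual warns that the positive engine deletes the category's existing learning database.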

3.5 Validate Categories Functionality

This functionality enables the user to check the effectiveness of one or more categories that already exist in the system. First, the user chooses the category to be checked. Second, the user types or pastes text into the text area. This text is verified according to the method that was used to train the category (regular expression, state machine or learning engine). After the user has chosen a category and entered text, the "Validate" button triggers the verification. The system automatically recognises the right verification method for the category and validates the text, and an answer is displayed indicating whether the text is safe or not safe for use.

3.6 Export Database To Other Project Functionality

This functionality enables the user to export the current database to a selected path on the hard drive. It is used to update an external program that uses the validation system with an up-to-date database, and is part of using the validation system in an external system (see section 4 for details). The user chooses a destination directory for the export. When the process finishes, the database (XML files) has been created in the destination folder of the external system, and the external system's validation tools are up to date with the latest categories added to the system.

4 Import The Validation System To External Project

The main goal of the system is to validate free text fields in existing (external) projects. Three main operations are needed:

1. The system must contain categories that have been added through the main GUI window. Each category uses a different validation method according to its type (regular expression, state machine, learning using positive and non-positive inputs, or learning using positive inputs only).
2. The validation system is a JAR file. The JAR file must be added to the destination project as an external JAR in the project build path; all the public functions of the validation system can then be used.
3. The database of the validation system must be exported into the library of the external project (as explained in section 3.6).

After these steps, the public functions of the validation system can be used. The validation system contains a class named "Protect"; its validate function performs the validation in any external project. In detail, to use the "Protect" class in an external project:

1. In the destination class (the one in which the validate function will be used), import the class from the "protection" package with the statement import protection.Protect; (Java does not allow importing a bare package name, so a statement of the form import protection; would not compile).
2. Create a new object of type "Protect" with Protect nameofobject = new Protect();
3. Call the validate function with nameofobject.validate(categoryname, texttovalidate); where categoryname is the name of the desired category (the text is verified according to that category's training method) and texttovalidate is the free text that was typed into the free text field. The validate function returns a Boolean (true or false) indicating whether the text is safe.

Note: the commands above are in the Java programming language. These steps allow the user to use the validation database in any other project where free text field validation is required.
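The following is an added example, not code from the project, of how a class in the external project might wire Protect.validate into a request handler and still encode on output, as the introduction recommends. Only the Protect class, its no-argument constructor and validate(categoryname, texttovalidate) come from this manual; the handler, the "comment" category name and the escapeHtml helper are assumptions, and the JAR and the exported XML database are assumed to be on the external project's build path as described above.

```java
import protection.Protect;  // the validation JAR's public class, as named in section 4

// Added example: a request-handling class in the external project. Everything
// except Protect and validate(...) is assumed for illustration.
public class CommentHandler {

    private final Protect protect = new Protect();

    // Returns the HTML fragment to render, or null when the input is rejected.
    public String handleComment(String userText) {
        // Step 1: validate at the boundary, so unsafe text never reaches the database.
        // "comment" is an assumed category name that must exist in the exported database.
        if (!protect.validate("comment", userText)) {
            return null;
        }
        // Step 2: still encode on output. Validation limits what is stored; encoding is
        // what guarantees the browser treats the stored text as data in this context.
        return "<p class=\"comment\">" + escapeHtml(userText) + "</p>";
    }

    // Minimal HTML entity encoding for text placed in an element body (assumed helper).
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&'  -> sb.append("&amp;");
                case '<'  -> sb.append("&lt;");
                case '>'  -> sb.append("&gt;");
                case '"'  -> sb.append("&quot;");
                case '\'' -> sb.append("&#39;");
                default   -> sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        CommentHandler h = new CommentHandler();
        // Constructed inputs; the verdicts depend on how "comment" was trained.
        System.out.println(h.handleComment("Great product, would buy again!"));
        System.out.println(h.handleComment("<script>alert(1)</script>"));
    }
}
```

Compile with the validation JAR on the classpath (for example javac -cp protect.jar CommentHandler.java, substituting the real JAR name), and run from the directory that holds the exported XML files so that the "comment" category can be found. A null return here is a rejection; a real handler would turn it into a 400 response with a message that does not echo the rejected text back unencoded.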

5 Additional General Functionalities

5.1 Deleting Category From The System

In Zone 2 the user can view all the categories in the system (see section 2 for details). Right-clicking one of the categories opens a menu; selecting "delete" removes the selected category from the system.

5.2 Edit Regular Expression Category

In Zone 2 the user can view all the categories in the system (see section 2 for details). Right-clicking one of the categories opens a menu; selecting "edit" lets the user edit the regular expression associated with the selected category.

In the window that follows, the user enters the new regular expression describing the category and the system updates the database.

5.3 Upper Menu

The upper menu contains the "File" and "Help" sub-menus.
The File menu: from this menu the user can close the system (by clicking "Exit"); the system saves all the data and then closes.
The Help menu: contains two links:
o The first link is to the user manual document.
o The second link is to the video tutorial.
The Save Work button: allows the user to save and update the database without closing the entire system.