Input Validation For Free Text Fields
User Manual

Project Members: Hagar Offer & Ran Mor
Academic Advisor: Dr Gera Weiss
Technical Advisors: Raffi Lipkin & Nadav Attias
Table of Contents

1 Introduction ... 3
2 Main Window Overview ... 5
3 Main Functionalities ... 6
3.1 New Field Using Regular Expression ... 6
3.2 New Field Using State-Machine ... 7
3.2.1 The upper menu ... 8
3.3 Learning Using Positive/Non-Positive Engine ... 9
3.4 Learning Using Positive Engine ... 11
3.5 Validate Categories Functionality ... 13
3.6 Export Database To Other Project Functionality ... 14
4 Import The Validation System To External Project ... 15
5 Additional General Functionalities ... 16
5.1 Deleting Category From The System ... 16
5.2 Edit Regular Expression Category ... 16
5.3 Upper Menu ... 18
1 Introduction

The main goal of our project is to prevent script injection through free text fields. It deals mainly with XSS (Cross-site scripting), a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users.

Companies in the market use web applications to serve their clients. Many of these applications accept free-text fields. Our project goal is to stop such an application from accepting malicious script in this type of field.

Malicious script that has not been blocked can lead to several major problems: usually it will be stored in the database of the company. Then it will probably be pulled out and an application will run this script. It can either harm other systems inside the company, or a client's browser will run this script and harm the client's computer/systems. An attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser.

There is another solution called Escaping (aka Output Encoding). Escaping is a technique used to ensure that characters are treated as data, not as characters that are relevant to the interpreter's parser. In this way the browser will know not to run the malicious code. However, companies do not want to have malicious scripts in their database, as not all web applications using this database are controlled by the company, and therefore they cannot be assured that the client browser supports this feature. For big companies that serve clients it is very important to block malicious scripts from getting inside the system, since once the client got hurt, he does not care what the reason is. From the client's point of view, the full responsibility is imposed upon the company.

The system has two main aspects:
1. Managing the system: through the GUI window, allowing the user to manage the database, add new regular expressions, and use the state machine functionalities and learning engines.
2. Using the database in external systems to protect web applications, through built-in functions inside our system.
The verification process can be done in three different ways:
1. Verification using regular expressions.
2. Verification using state machine functionalities.
3. Verification using learning engines (a positive and negative inputs engine, as well as a positive-only inputs engine).
2 Main Window Overview

[Figure: screenshot of the main window, with Zone 1, Zone 2 and Zone 3 marked]

The main window provides an easy and fast way to manage the system, including database operations, training operations (regular expressions, state machines, learning engines etc.), the export function and a quick overview of the current database.

Zone 1: this area contains all the main functionalities of the system. It has a button for every functionality. When a user clicks on one of the buttons, the functionality's process and windows open in Zone 3, which is the main panel.

Zone 2: this area contains all the categories that are currently in the system's database. It is divided into three main top categories, each describing the verification tool that has been used for that category.

Zone 3: this area is the main panel of the system.
3 Main Functionalities

3.1 New Field Using Regular Expression

This functionality enables the user to insert new categories into the database, along with the matching regular expressions.

First, the user has to type the name of the new category he wants to create. Second, he has to type the corresponding regular expression. Then, the user has to decide whether the regular expression that was typed is an accepted language, meaning the system will accept text that matches the regular expression, or a denied language, meaning the system will deny text that doesn't match the regular expression.

In order to finish this operation the user clicks the OK button. If the process completed successfully, the new category will be added to the database, and an additional message will be displayed.
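As an added illustration of how a regular-expression category of the kind described above decides whether free text is safe (this is not the project's own code; the class RegexCategory, its method names and the sample inputs are constructed for this example): the manual's wording for the two modes reads the same, so the example assumes that a denied-language category rejects text that matches its expression, and it uses a whole-text match, because a substring match would let text through that merely contains an allowed fragment.

```java
import java.util.regex.Pattern;

// Added illustration of accepted/denied regular-expression categories (section 3.1).
// Not the project's code; RegexCategory and its method names are assumptions.
public final class RegexCategory {
    public enum Mode { ACCEPTED_LANGUAGE, DENIED_LANGUAGE }

    private final String name;
    private final Pattern pattern;
    private final Mode mode;

    public RegexCategory(String name, String regex, Mode mode) {
        this.name = name;
        // DOTALL: a newline inside the submitted text must not change what '.' matches
        this.pattern = Pattern.compile(regex, Pattern.DOTALL);
        this.mode = mode;
    }

    public String name() { return name; }

    // true when the text may be stored. matches() forces the WHOLE text to fit the
    // expression; find() would pass text that only contains a matching substring.
    public boolean isSafe(String text) {
        if (text == null) return false;
        boolean inLanguage = pattern.matcher(text).matches();
        // Assumption: a denied-language category rejects text that is in its language.
        return mode == Mode.ACCEPTED_LANGUAGE ? inLanguage : !inLanguage;
    }

    public static void main(String[] args) {
        // Constructed sample categories: an allow-list for display names and a
        // denied language for anything containing an HTML-style tag.
        RegexCategory displayName =
            new RegexCategory("display name", "[\\p{L} .'-]{1,60}", Mode.ACCEPTED_LANGUAGE);
        RegexCategory noTags =
            new RegexCategory("no markup", ".*<[^>]*>.*", Mode.DENIED_LANGUAGE);

        // Constructed inputs: the first two are safe for both, the tag is rejected
        // by both, and the empty string is rejected only by the allow-list.
        String[] samples = { "Dana Levi", "O'Brien", "<b>bold</b>", "" };
        for (String s : samples) {
            System.out.printf("%-16s display name: %-5s no markup: %s%n",
                '"' + s + '"', displayName.isSafe(s), noTags.isSafe(s));
        }
    }
}
```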
3.2 New Field Using State-Machine

This functionality also enables the user to insert new categories into the database, along with the matching regular expressions. However, it provides a more intuitive and convenient way to create the regular expression: drawing an automaton and then converting it into a regular expression.

First, the user has to draw an automaton, using the toolbar in the top-left side of the screen. The toolbar contains the following tools: Attribute Editor, State Creator, Transition Creator, Deleter, Undoer.

After the user has finished drawing the automaton, he has to choose in the top toolbar the option Convert -> Convert FA to RE. Now the system will offer repairs to the automaton. In order to perform them automatically, the user has to choose the Do It button. Then the automaton's matching regular expression will appear.
At this point, in order to add this regular expression into the system's database, the user has to choose the New Field button. The screen for adding a new regular expression will appear, with the regular expression already in the corresponding field. The user now has to follow the steps of the previous section in order to finish the operation.

3.2.1 The upper menu

File -> Save / Save As: if the user doesn't want to add the regular expression into the system's database, but wants to save his automaton, he can do it with these buttons.
File -> Open: by choosing this option, the user will be able to re-open his saved automaton.
File -> Save Image As: choosing this option will save the automaton as an image (JPG, PNG, GIF, BMP).
File -> Print: choosing this option will print the automaton.
3.3 Learning Using Positive/Non-Positive Engine

This functionality trains the learning engine which uses positive and non-positive inputs in order to perform the learning process.

In step 1, the user needs to choose whether he wants to add a new category to the system, or train an existing category. If the user enters a string in the "Add New Category" text field, then a new category will be created in the system and the learning database and operations will be associated with this specific category. If the user selects an existing category from the "Select Existing Category" scroll menu, then the learning database and operations will be associated with the existing category in the system.

Important note: in this functionality, if the user decides to train a category that already exists in the system, the new learning database will be added to the existing learning database of the category.

In step 2, the user needs to choose, using the file browser, a text file with the positive words database. The words within the text file should be separated with spaces.

In step 3, similar to step 2, the user needs to choose, using the file browser, a text file with the non-positive words database. The words within the text file should be separated with spaces.

After step 3 has finished, the engine has learned the positive and non-positive databases from the text files, and all the data and the associated training files are now stored in the database.
If the training process completed successfully, an additional message will be displayed. Otherwise, an error message indicating the problem will be displayed.

3.4 Learning Using Positive Engine

This functionality trains the learning engine which uses positive inputs only in order to perform the learning process.

In step 1, the user needs to choose whether he wants to add a new category to the system, or train an existing category. If the user enters a string in the "Add New Category" text field, then a new category will be created in the system and the learning database and operations will be associated with this specific category. If the user selects an existing category from the "Select Existing Category" scroll menu, then the learning database and operations will be associated with the existing category in the system.

Important note: in this functionality, if the user decides to train a category that already exists in the system, the new learning database will delete the existing learning database and create a new learning database for the category.

In step 2, the user needs to choose, using the file browser, a text file with the positive words database. The words within the text file should be separated with spaces.

After step 2 has finished, the engine has learned the positive database from the text file, and all the data and the associated training files are now stored in the database. If the training process completed successfully, an additional message will be displayed. Otherwise, an error message indicating the problem will be displayed.
3.5 Validate Categories Functionality

This functionality enables the user to check the efficiency of one or more categories that already exist in the system. First, the user has to choose the desired category to be checked. Second, the user types or pastes text into the text area. This text will be verified according to the method that was used to train the specific category (regular expression, state machine, learning engines).

After the user has chosen a category and typed in text to validate, the "Validate" button triggers the verification process. The system automatically recognizes the right verification method for the category and validates the typed-in text. An answer is displayed indicating whether the text is safe or not safe for use.
3.6 Export Database To Other Project Functionality

This functionality enables the user to export the current database to a selected path on the hard drive. This action is performed in order to update an external program that uses the validating system with an up-to-date database. This is part of using the validating system in an external system (for more details see section 4).

The user needs to choose a destination directory for the export. After the process has finished, the database (XML files) is created in the destination folder of the external system. Now the external system using the validation tools is up to date with the latest categories that were added to the system.
4 Import The Validation System To External Project

The main goal of the system is to validate free text fields in already existing (or external) projects. In order to perform these tasks, three main operations need to be performed:
1. The system must contain categories that have been added to the system using the main GUI window. Each category uses a different method for the validation process according to its type (regular expression, state machine, learning using positive/non-positive inputs and learning using positive inputs).
2. The validation system is a JAR file. The JAR file must be included in the destination project as an external JAR in the project build path. (Then all the public functions from the validating system can be used.)
3. The database of the validating system must be exported into the library of the external project (as explained in section 3.6).

After the aforementioned steps have been made, the public functions of the validating system can be used. The validating system contains a class named "Protect". Using the function validate from this class, the validation can be performed in any external project.

In detail, in order to use the "Protect" class in an external project, the following steps must be taken:
1. In the destination class (the one within which the validate function will be used), the package "protection" needs to be included using the command "import protection;".
2. A new object of type "Protect" needs to be initialized using the command "Protect nameofobject = new Protect();".
3. Use the validate function with the command nameofobject.validate(categoryname, texttovalidate); where categoryname is the name of the desired category (the text will be verified according to the category's training method) and texttovalidate is the free text that was typed into the free text field and needs to be validated. The validate function returns a Boolean (true, false) answer indicating whether the text is safe or not.

Note: the aforementioned commands refer to the Java programming language.

The above steps allow the user to use the validation database in any other project where free text field validation is required.
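The steps above, carried through in an external Java project as an added example (not the project's own code): the Protect class and validate(categoryname, texttovalidate) are the manual's; FreeTextGate, the field-to-category mapping, the category names and the fail-closed handling of exceptions are assumptions, as is the import form "import protection.Protect;" (a Java import must name a class or use a wildcard, whereas the manual writes "import protection;"). It assumes the JAR is on the build path and the database has been exported as in section 3.6.

```java
import protection.Protect; // assumed form of the import; the manual writes "import protection;"
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example of gating a web form with the Protect class before anything is
// stored. Protect and validate(category, text) come from the manual; FreeTextGate,
// the field-to-category mapping and the category names are assumptions.
public final class FreeTextGate {
    private final Protect protect = new Protect();
    // form field name -> category trained in the validation system
    private final Map<String, String> fieldCategories = new LinkedHashMap<>();

    public FreeTextGate bind(String field, String category) {
        fieldCategories.put(field, category);
        return this;
    }

    // Returns the names of the fields that must be rejected; empty means all are safe.
    public List<String> rejectedFields(Map<String, String> submitted) {
        List<String> rejected = new ArrayList<>();
        for (Map.Entry<String, String> e : fieldCategories.entrySet()) {
            String text = submitted.get(e.getKey());
            if (text == null) text = "";   // a missing field is validated as empty text
            boolean safe;
            try {
                safe = protect.validate(e.getValue(), text);
            } catch (RuntimeException ex) {
                // Fail closed (assumption): an unknown category or a stale exported
                // database must not let a field through unchecked.
                safe = false;
            }
            if (!safe) rejected.add(e.getKey());
        }
        return rejected;
    }

    public static void main(String[] args) {
        // Constructed form submission; category names are placeholders.
        FreeTextGate gate = new FreeTextGate()
            .bind("comment", "comments")
            .bind("displayName", "names");
        Map<String, String> form = new LinkedHashMap<>();
        form.put("comment", "Thanks for the quick reply!");
        form.put("displayName", "Dana Levi");
        List<String> bad = gate.rejectedFields(form);
        System.out.println(bad.isEmpty() ? "all fields safe, ok to store" : "rejected: " + bad);
    }
}
```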
5 Additional General Functionalities

5.1 Deleting Category From The System

In Zone 2 the user can view all the categories in the system (see section 2 for details). By right-clicking on one of the categories, a new menu opens. The user can select the "delete" button and the selected category will be deleted from the system.

5.2 Edit Regular Expression Category

In Zone 2 the user can view all the categories in the system (see section 2 for details). By right-clicking on one of the categories, a new menu opens. The user can select the "edit" button and then edit the regular expression associated with the selected category.

In the following window, the user inserts a new regular expression describing the category and the system updates the database.
5.3 Upper Menu

The upper menu contains the "File" and "Help" sub-menus.

The File Menu: using this menu the user can close the system (by clicking the "Exit" button); the system will save all the data and then close.

The Help Button: the help button contains two links:
- The first link is for the user manual document.
- The second link is for the video tutorial.

The Save Work Button: this button allows the user to save and update the database without closing the entire system.