Preventing cross-site scripting in web-based e-mail

US 9,049,222 B1
Filed: 02/02/2012
Issued: 06/02/2015
Est. Priority Date: 02/02/2012
Status: Active Grant

First Claim

Patent Images

1. A method of preventing an e-mail from infecting a computing device, the method comprising:

viewing the e-mail in a browser on the computing device;

creating a document object model (DOM) tree from the e-mail, wherein the DOM tree contains known and unknown elements and wherein known elements are known to be safe and wherein unknown elements potentially include malicious Javascripts and HTML elements wherein the DOM tree includes a plurality of branches, the plurality of branches including at least one branch having only known elements;

applying a first filter to the DOM tree, the first filter excluding the at least one branch in the DOM tree having only known elements, thereby creating a modified DOM tree wherein the excluding of the at least one branch from the DOM tree is performed such that remaining branches of the DOM tree are still connected with one another;

filtering the modified DOM tree using a script analyzer filter wherein the script analyzer filter intercepts unknown elements in the modified DOM tree; and

emulating execution of the unknown elements in the modified DOM tree to determine which unknown elements are malicious.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Cross-site scripting vulnerabilities in a Web browser that may lead to malware execution on a computing device are reduced. The specific vulnerabilities arise from HTML-based e-mails using e-mail service providers (e.g., Hotmail, Gmail, Yahoo) that have unknown or malformed HTML elements and Javascripts. These unknown elements may execute in a browser and cause harm to the computing device. To prevent this, the e-mail is parsed to create a DOM tree. The DOM tree is filtered using a normal element filter. The modified DOM tree is filtered a second time using a script analyzer filter to isolate potentially harmful HTML and Javascript elements. These elements are then emulated to determine which of them are in fact malicious. These malicious elements are then prevented from executing, for example, by preventing the e-mail recipient from opening the e-mail in the browser.

37 Citations

View as Search Results

27 Claims

1. A method of preventing an e-mail from infecting a computing device, the method comprising:
- viewing the e-mail in a browser on the computing device;
  
  creating a document object model (DOM) tree from the e-mail, wherein the DOM tree contains known and unknown elements and wherein known elements are known to be safe and wherein unknown elements potentially include malicious Javascripts and HTML elements wherein the DOM tree includes a plurality of branches, the plurality of branches including at least one branch having only known elements;
  
  applying a first filter to the DOM tree, the first filter excluding the at least one branch in the DOM tree having only known elements, thereby creating a modified DOM tree wherein the excluding of the at least one branch from the DOM tree is performed such that remaining branches of the DOM tree are still connected with one another;
  
  filtering the modified DOM tree using a script analyzer filter wherein the script analyzer filter intercepts unknown elements in the modified DOM tree; and
  
  emulating execution of the unknown elements in the modified DOM tree to determine which unknown elements are malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 21, 22, 23, 26, 27)
- - 2. A method as recited in claim 1 wherein creating a DOM tree from the e-mail further comprises:
    - parsing the e-mail to create the DOM tree having external Javascripts and HTML elements.
  - 3. A method as recited in claim 1 further comprising:
    - determining whether the e-mail is an HTML e-mail or a text-based e-mail.
  - 4. A method as recited in claim 3 wherein said determining is done upon a user previewing the e-mail in a browser.
  - 5. A method as recited in claim 1 further comprising:
    - emulating execution of a Javascript in a script analyzer wherein only execution of Javascripts remaining in the final DOM tree are emulated.
  - 6. A method as recited in claim 1 wherein said DOM tree contains malformed HTML and unknown JavaScript.
  - 7. A method as recited in claim 1 wherein branches having abnormal or unknown elements and scripts remain in the DOM tree.
  - 8. A method as recited in claim 1 further comprising:
    - creating a model hook for an e-mail program.
  - 9. A method as recited in claim 1 further comprising:
    - decrypting the Javascript before emulating the unknown elements.
  - 21. A method as recited in claim 1 wherein the DOM tree includes a root node and a plurality of other nodes that are organized into a plurality of levels to form a tree-like structure, each of the plurality of nodes being a child or a parent of another node, each node representing a corresponding element of the email that is one of the known or unknown elements, the plurality of levels including a first level, the first level including only the root node, each of the levels in the DOM tree other than the first level consisting only of children of the nodes of another level, the plurality of nodes including one or more branches, each branch including two or more nodes that are linked to form a chain that extends through two or more of the levels and terminates at a leaf node that has no children.
  - 22. A method as recited in claim 21 wherein after the first filter is applied to help create the modified DOM tree, the modified DOM tree includes only one or more branches in which each branch includes at least one node that corresponds to an unknown element and wherein the modified DOM tree does not include any branches that only have known elements.
  - 23. A method as recited in claim 21 further comprising:
    - applying the first filter to the DOM tree using a model hook from an email program, the model hook indicating expected characteristics of the DOM tree, the expected characteristics including at least one selected from the group consisting of;
      
      1) a maximum number of levels in the DOM tree; and
      
      2) a maximum number of Javascripts the email can have; and
      
      excluding one or more selected elements from the DOM tree based on whether the selected elements are in accordance with the expected characteristics of the DOM tree.
  - 26. A method as recited in claim 1 wherein the application of the first filter to the DOM tree removes the at least one branch such that the resulting modified DOM tree includes no branches that include only known elements and at least one branch that includes at least one known element linked with a leaf node having at least one unknown element.
  - 27. A method as recited in claim 1 wherein the first filter is applied at the browser, the method further comprising:
    - applying an email model hook that helps indicate what a normal and safe email looks like, the email model hook further indicating at least one selected from the group consisting of a number of Javascripts the email should have and a maximum number of levels of the DOM tree; and
      
      identifying the at least one branch to be excluded from the DOM tree based on the email model hook.

10. A method of preventing cross-site scripting, the method comprising:
- parsing an HTML e-mail message to create a document object model (DOM) tree wherein the DOM tree includes a plurality of branches, the plurality of branches including at least one branch having only known elements;
  
  utilizing a model hook of an e-mail program to derive a normal element filter;
  
  applying the normal element filter to the DOM tree, the filter executing as a plug-in in a browser in a computing device;
  
  creating a modified DOM tree wherein the at least one branch having only known elements is excluded from the DOM tree and wherein the excluding of the at least one branch from the DOM tree is performed such that remaining branches of the DOM tree are still connected with one another; and
  
  applying a script analyzer filter to the modified DOM tree to create a final DOM tree having only unknown element types.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 24)
- - 11. A method as recited in claim 10 further comprising:
    - emulating unknown element types in a sandbox area in a script analyzer to determine which unknown element types are malicious.
  - 12. A method as recited in claim 10 wherein HTML and XML-formatted e-mails attack vulnerabilities in a Web browser.
  - 13. A method as recited in claim 10 wherein the model hook is defined in a script analyzer.
  - 14. A method as recited in claim 10 further comprising:
    - analyzing a template to determine where hooking points can be injected into the code.
  - 15. A method as recited in claim 10 further comprising:
    - defining hook points in the model hook using Javascript elements and HTML elements.
  - 16. A method as recited in claim 10 further comprising:
    - applying the model hook which defines characteristics of safe e-mail messages.
  - 17. A method as recited in claim 10 wherein the model hook has a user-defined template and an e-mail program template.
  - 24. A method as recited in claim 10 wherein the DOM tree includes a root node and a plurality of nodes that are organized into a plurality of levels that form a tree-like structure, each of the plurality of nodes representing an element in the HTML e-mail message and being a parent or a child to another node, the plurality of levels including a first level, the first level including only the root node, each of the levels in the DOM tree other than the first level consisting only of children of the nodes of another level, the method further comprising:
    - applying the normal element filter to the DOM tree using the model hook of the e-mail program, the model hook indicating expected characteristics of the DOM tree, the expected characteristics including at least one selected from the group consisting of;
      
      1) a maximum number of levels in the DOM tree; and
      
      2) a maximum number of Javascripts the email can have; and
      
      excluding one or more selected elements from the DOM tree based on whether the selected elements are in accordance with the expected characteristics of the DOM tree.

18. A method of creating a document object model (DOM) tree for use in reducing cross-site scripting vulnerabilities in a Web browser, the method comprising:
- creating a first DOM tree from parsing an HTML-based e-mail in a Web browser wherein the first DOM tree includes a plurality of branches, the plurality of branches including at least one branch having only safe and normal elements and Javascripts;
  
  modifying the first DOM tree by excluding the at least one branch having only safe and normal HTML elements and Javascripts, thereby creating a second DOM tree wherein the excluding of the at least one branch from the first DOM tree is performed such that remaining branches of the first DOM tree are still connected with one another;
  
  modifying the second DOM tree by applying a script analyzer filter in the Web browser, wherein the second DOM tree contains only branches having potentially malicious HTML elements and Javascripts; and
  
  emulating execution of the potentially malicious HTML elements and Javascripts in a sandbox area in the script analyzer filter.
- View Dependent Claims (19, 20, 25)
- - 19. A method as recited in claim 18 further comprising:
    - determining which of the potentially malicious HTML elements and Javascripts are malware; and
      
      preventing execution of the HTML elements and Javascripts that are malware on a computing device.
  - 20. A method as recited in claim 18 further comprising:
    - utilizing a model hook of an e-mail program to derive a normal element filter, wherein the normal element filter is used to modify the first DOM tree.
  - 25. A method as recited in claim 18 wherein:
    - the first DOM tree and the second DOM tree each include a root node linked to a plurality of other nodes that are organized into a plurality of levels to form a tree-like structure, each of the plurality of nodes having one or more links to one parent node and zero or more children nodes, each node representing a corresponding element of the email whereinthe second DOM tree, which was created using the modification of the first DOM tree includes one or more branches in which each branch includes two or more nodes that are linked to form a chain that terminates at a leaf node that is not linked to any children nodes, the leaf node including one selected from the group consisting of a potentially malicious HTML element and potentially malicious Javascript wherein other nodes in the node chain are safe and normal elements.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
He, Juan, Zhu, Jialai, Zhu, Xuewen, Wan, Xiaochuan
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
PLOTKIN, JASON R

Application Number

US13/365,161
Time in Patent Office

1,216 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

Preventing cross-site scripting in web-based e-mail

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

37 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Preventing cross-site scripting in web-based e-mail

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links