Preventing cross-site scripting in web-based e-mail
First Claim
1. A method of preventing an e-mail from infecting a computing device, the method comprising:
- viewing the e-mail in a browser on the computing device;
- creating a document object model (DOM) tree from the e-mail, wherein the DOM tree contains known and unknown elements and wherein known elements are known to be safe and wherein unknown elements potentially include malicious Javascripts and HTML elements wherein the DOM tree includes a plurality of branches, the plurality of branches including at least one branch having only known elements;
- applying a first filter to the DOM tree, the first filter excluding the at least one branch in the DOM tree having only known elements, thereby creating a modified DOM tree wherein the excluding of the at least one branch from the DOM tree is performed such that remaining branches of the DOM tree are still connected with one another;
- filtering the modified DOM tree using a script analyzer filter wherein the script analyzer filter intercepts unknown elements in the modified DOM tree; and
- emulating execution of the unknown elements in the modified DOM tree to determine which unknown elements are malicious.
Abstract
Cross-site scripting vulnerabilities in a Web browser that may lead to malware execution on a computing device are reduced. The specific vulnerabilities arise from HTML-based e-mails using e-mail service providers (e.g., Hotmail, Gmail, Yahoo) that have unknown or malformed HTML elements and Javascripts. These unknown elements may execute in a browser and cause harm to the computing device. To prevent this, the e-mail is parsed to create a DOM tree. The DOM tree is filtered using a normal element filter. The modified DOM tree is filtered a second time using a script analyzer filter to isolate potentially harmful HTML and Javascript elements. These elements are then emulated to determine which of them are in fact malicious. These malicious elements are then prevented from executing, for example, by preventing the e-mail recipient from opening the e-mail in the browser.
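The parse and first-filter stages described in the abstract, as an added example that is not code from the patent. The allow-list `KNOWN_TAGS`, the attribute checks and the function names are assumptions made for illustration, and the emulation stage is not modelled.

```python
from html.parser import HTMLParser

# Assumed allow-list; the page does not enumerate its "known" elements.
KNOWN_TAGS = {"html", "body", "div", "p", "span", "b", "a", "img", "br", "table", "tr", "td"}

def is_known(node):
    """Known = allow-listed tag, no on* handler, no javascript: URL."""
    for name, value in node["attrs"]:
        url = "".join((value or "").split()).lower()  # ignore embedded whitespace
        if name.startswith("on") or (name in ("href", "src") and url.startswith("javascript:")):
            return False
    return node["tag"] in KNOWN_TAGS

class TreeBuilder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.root = {"tag": "#document", "attrs": [], "children": []}
        self.open = [self.root]  # stack of currently open elements
    def handle_starttag(self, tag, attrs):
        node = {"tag": tag, "attrs": attrs, "children": []}
        self.open[-1]["children"].append(node)
        if tag not in ("br", "img"):  # void elements never get children
            self.open.append(node)
    def handle_endtag(self, tag):
        open_tags = [n["tag"] for n in self.open[1:]]
        if tag in open_tags:  # close nearest match; stray end tags are ignored
            del self.open[len(open_tags) - open_tags[::-1].index(tag):]

def prune_known(node):
    """First filter: drop known-only branches; ancestors of unknown nodes stay."""
    node["children"] = [c for c in node["children"] if not prune_known(c)]
    return is_known(node) and not node["children"]

def walk(node, path=""):
    for child in node["children"]:
        yield f"{path}/{child['tag']}", child
        yield from walk(child, f"{path}/{child['tag']}")

def survey(html):
    """Return (paths left in the modified tree, paths of its unknown elements)."""
    builder = TreeBuilder()
    builder.feed(html)
    builder.close()
    prune_known(builder.root)
    nodes = list(walk(builder.root))
    return [p for p, _ in nodes], [p for p, n in nodes if not is_known(n)]

SAMPLE = ('<html><body><div><p>Hi <b>Bob</b></p><img src="cid:logo"></div>'  # constructed e-mail
          '<div><p>Invoice</p><span><a href="javascript:void(0)">open</a></span></div>'
          '<table><tr><td onmouseover="x()">hi</td><td>ok</td></tr></table><script>y()</script></body></html>')
```

`survey(SAMPLE)` returns the paths that survive pruning and, separately, the unknown elements a script analyzer stage would receive; known ancestors such as `div` and `span` remain only because they connect an unknown element to the root.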
27 Claims
1. A method of preventing an e-mail from infecting a computing device (set out in full under First Claim above).
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 21, 22, 23, 26, 27
10. A method of preventing cross-site scripting, the method comprising:
- parsing an HTML e-mail message to create a document object model (DOM) tree wherein the DOM tree includes a plurality of branches, the plurality of branches including at least one branch having only known elements;
- utilizing a model hook of an e-mail program to derive a normal element filter;
- applying the normal element filter to the DOM tree, the filter executing as a plug-in in a browser in a computing device;
- creating a modified DOM tree wherein the at least one branch having only known elements is excluded from the DOM tree and wherein the excluding of the at least one branch from the DOM tree is performed such that remaining branches of the DOM tree are still connected with one another; and
- applying a script analyzer filter to the modified DOM tree to create a final DOM tree having only unknown element types.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 24
18. A method of creating a document object model (DOM) tree for use in reducing cross-site scripting vulnerabilities in a Web browser, the method comprising:
- creating a first DOM tree from parsing an HTML-based e-mail in a Web browser wherein the first DOM tree includes a plurality of branches, the plurality of branches including at least one branch having only safe and normal elements and Javascripts;
- modifying the first DOM tree by excluding the at least one branch having only safe and normal HTML elements and Javascripts, thereby creating a second DOM tree wherein the excluding of the at least one branch from the first DOM tree is performed such that remaining branches of the first DOM tree are still connected with one another;
- modifying the second DOM tree by applying a script analyzer filter in the Web browser, wherein the second DOM tree contains only branches having potentially malicious HTML elements and Javascripts; and
- emulating execution of the potentially malicious HTML elements and Javascripts in a sandbox area in the script analyzer filter.
Dependent claims: 19, 20, 25
Specification