WO2016040753A1 - A cloud suffix proxy and methods thereof - Google Patents
- Publication number: WO2016040753A1 (PCT application PCT/US2015/049606)
- Authority: WO (WIPO (PCT))
- Prior art keywords: script, network address, client device, webpage, code
Classifications
- H04L61/301—Name conversion, under H04L61/30—Managing network names, e.g. use of aliases or nicknames (H04L61/00—Network arrangements, protocols or services for addressing or naming)
- H04L63/0281—Proxies, under H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls (H04L63/00—Network architectures or network communication protocols for network security)
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic (under H04L63/14)
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP], under H04L67/01—Protocols (H04L67/00—Network arrangements or protocols for supporting network services or applications)
- H04L67/561—Adding application-functional data or data for application control, e.g. adding metadata, under H04L67/56—Provisioning of proxy services (H04L67/50—Network services)
- H04L2101/355—Types of network names containing special suffixes, under H04L2101/30—Types of network names (H04L2101/00—Indexing scheme associated with group H04L61/00)
- All of the above belong to section H—ELECTRICITY, class H04—ELECTRIC COMMUNICATION TECHNIQUE, subclass H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION.
Definitions
- This application relates generally to securing communications networks and systems by monitoring and securing communications, in particular by use of a suffix proxy.
- Amazon Web Services™, also known as AWS.
- In 2006, AWS launched a service that provides users with the ability to configure an entire environment tailored to an application executed over a cloud platform.
- Such services allow for developing scalable applications in which computing resources are utilized to support efficient execution of the application.
- SaaS: software as a service
- Cloud applications are typically accessed by users using a client device via a web browser.
- Cloud applications include, among others, e-commerce applications, social media applications, enterprise applications, gaming applications, media sharing applications, storage applications, software development applications, and so on.
- Many individual users, businesses, and enterprises turn to cloud applications in lieu of "traditional" software applications that are locally installed and managed.
- an enterprise can use Office® 365 online services for email accounts, rather than having an Exchange® Server maintained by the enterprise.
- the endpoint may not be under the complete control of the enterprise, may be entirely unmanaged, or otherwise unconfigurable.
- Some embodiments of the disclosure relate to a method for modifying network addresses of at least one cloud application.
- the method comprises receiving a webpage sent to a client device from the at least one cloud application, wherein the webpage designates at least one script loaded to the client device during runtime; injecting a piece of code into the webpage; receiving, by the injected piece of code, an attempt to load each of the at least one script; modifying the at least one script by suffixing each network address designated in the at least one script with a predefined network address; and sending the modified at least one script to the client device, wherein runtime execution of the modified at least one script on the client device causes redirection of future requests from the client device to the cloud application to the suffixed network address.
- Some embodiments of the disclosure relate to a system for modifying network addresses of at least one cloud application.
- the system comprises a processor; and a memory containing instructions that, when executed by the processor, configure the system to: receive a webpage sent to a client device from the at least one cloud application, wherein the webpage designates at least one script loaded to the client device during runtime; inject a piece of code into the webpage; receive, by the injected piece of code, an attempt to load each of the at least one script; modify the at least one script by suffixing each network address designated in the at least one script with a predefined network address; and send the modified at least one script to the client device, wherein runtime execution of the modified at least one script on the client device causes redirection of future requests from the client device to the cloud application to the suffixed network address.
- Figure 1 is a diagram of a networked system utilized to describe the various disclosed embodiments.
- Figure 2 is a flowchart illustrating the operation of the security sandbox according to one embodiment.
- Figure 3 is a flowchart illustrating a method for controlling changes to the DOM according to one embodiment.
- Figure 4 is a block diagram of a suffix proxy implemented according to an embodiment.
- the various disclosed embodiments can be configured to operate on network traffic between a network-based software as a service (SaaS) provider and a client.
- the disclosed embodiments allow for non-intrusive suffixing and un-suffixing of network addresses directed to the SaaS provider.
- Fig. 1 is an exemplary and non-limiting diagram of a networked system 100 utilized to describe the various disclosed embodiments.
- the networked system 100 includes a cloud computing platform 110 which may be a private cloud, a public cloud, or a hybrid cloud providing computing resources to applications or services executed therein.
- the cloud computing platform 110 may be a SaaS platform.
- Cloud applications 115 are typically accessed by users using a client device via a web browser.
- Cloud applications 115 include, among others, e-commerce applications, social media applications, enterprise applications, gaming applications, media sharing applications, storage applications, software development applications, and so on.
- the networked system 100 further includes a managed network proxy 120, client devices 130-1 through 130-N, and a suffix proxy 140 that are communicatively connected to a network 150.
- the network 150 may be, for example, a wide area network (WAN), a local area network (LAN), the Internet, and the like.
- Each of the client devices 130 may include, for example, a personal computer, a laptop, a tablet computer, a smartphone, a wearable computing device, or any other computing device.
- the client devices 130 are configured to access the one or more cloud applications 115 executed in the cloud computing platform 110.
- a client device 130 may be a managed device or unmanaged device.
- a managed device is typically secured by the IT personnel of an organization, while an unmanaged device is not.
- For example, a work computer is a managed device while a home computer is an unmanaged device.
- the managed network proxy 120 is configured to secure any or all traffic and activities in a cloud computing platform 110. Specifically, the managed network proxy 120 can be used to intercept, monitor, modify, and forward network communications traffic between client devices 130 and the cloud computing platform 110.
- the managed network proxy 120 can be configured to detect and mitigate network threats against the cloud applications 115 and/or the infrastructure of the cloud computing platform 110.
- the managed network proxy 120 can be configured to notify of suspicious network traffic and behavior; block threats; perform application control, URL filtering, and malware protection on the network traffic; establish visibility to application layer parameters (e.g., list of users, devices, locations, etc.); generate profiles of users using the cloud applications 115; provide alerts on specific or predefined events; generate audit logs; and so on.
- the architecture and operation of the managed network proxy 120 is discussed in US Patent Application No. 14/539,980 assigned to the common assignee, and incorporated herein by reference.
- the suffix proxy 140 is configured to keep URLs and web accesses of a proxied webpage within the hold of the managed network proxy 120. That is, the modifications performed by the suffix proxy 140 for a request to access a webpage of the cloud application 115 allow directing subsequent traffic to the managed network proxy 120.
- the suffix proxy 140 can be configured to inspect the network traffic and detect addresses of the cloud-based applications 115. Examples of such addresses include uniform resource locators (URLs), uniform resource identifiers (URIs), and so on. As non-limiting examples, the suffix proxy 140 can decompile, deconstruct, or disassemble network traffic for inspection.
- the suffix proxy 140 can be configured to modify webpages and code (e.g., JavaScript) executed therein and on the cloud computing platform 110, so that no network addresses are provided to the client device 130 that would direct the client device 130 to access the cloud application 115 directly. If such a network address is detected, the suffix proxy 140 is configured to rewrite that address, for example by appending a predefined domain name to the original network address. The added domain name may refer or redirect the browser to the managed network proxy 120. For example, the URL (network address) http://www.somesite.com would be accessed through http://www.somesite.com.network-proxy-service.com. Various embodiments for rewriting network addresses are disclosed below.
- the suffix proxy 140 can be configured to modify any content, including webpages, sent from the cloud application 115.
- the suffix proxy 140 can be configured to inspect and/or decompile any content to identify any referred pages and/or URLs present in the content and rewrite those URLs.
- the processed file types can include HTML and JavaScript, and responses can include zipped or chunked responses.
- for static webpages, the suffix proxy 140 adds a predefined suffix domain name to the URLs embedded in such webpages. To this end, the suffix proxy 140 is configured to parse HTML webpages and replace the detected URLs using regular expressions.
- a static webpage is a webpage that does not contain client-executable script (e.g., JavaScript) code.
- in order to suffix network addresses in a dynamic webpage, the suffix proxy 140 is configured to analyze and modify code or scripts being loaded into the browser of the client device 130. For example, JavaScript can be modified by the suffix proxy 140 to wrap any potential generation of network addresses that would directly access the cloud application 115. If direct-access addresses are identified, the script and/or content generated by the script can be modified to rewrite the address to refer to the managed network proxy 120.
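The static-page part of the scheme (suffixing and un-suffixing a network address, and the regular-expression rewrite of URL-bearing attributes), as an added example that is not the patent's code; PROXY_SUFFIX, PROXIED_HOSTS and the sample page are constructed values.

```javascript
// Added example, not the patent's code: static-page suffixing as the suffix proxy 140
// performs it. Only addresses whose host is on a predefined list of cloud-application
// hosts are rewritten; PROXY_SUFFIX and PROXIED_HOSTS are constructed sample values.
const PROXY_SUFFIX = 'network-proxy-service.com';
const PROXIED_HOSTS = new Set(['www.somesite.com', 'cdn.somesite.com']);

// Append the proxy domain to the host part of an absolute URL, e.g.
// http://www.somesite.com/a -> http://www.somesite.com.network-proxy-service.com/a
// Relative URLs, hosts not on the list and already-suffixed hosts pass through.
function suffixUrl(url) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return url; }
  if (!PROXIED_HOSTS.has(parsed.hostname)) return url;
  parsed.hostname = parsed.hostname + '.' + PROXY_SUFFIX;
  return parsed.toString();
}

// Inverse operation, used by the proxy when forwarding a request to the real host.
function unsuffixUrl(url) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return url; }
  const tail = '.' + PROXY_SUFFIX;
  if (!parsed.hostname.endsWith(tail)) return url;
  parsed.hostname = parsed.hostname.slice(0, -tail.length);
  return parsed.toString();
}

// Static webpages (no client-side script) are handled with a regular expression over
// the URL-bearing attributes src, href and action.
const URL_ATTR_RE = /\b(src|href|action)\s*=\s*(["'])(.*?)\2/gi;
function rewriteStaticHtml(html) {
  return html.replace(URL_ATTR_RE,
    (match, attr, quote, value) => `${attr}=${quote}${suffixUrl(value)}${quote}`);
}

// Constructed sample page: two cloud-application hosts, one foreign host, one
// relative form action.
const SAMPLE_HTML = [
  '<html><head><link rel="stylesheet" href="http://cdn.somesite.com/app.css"></head>',
  '<body><a href="http://www.somesite.com/inbox">Inbox</a>',
  '<img src="http://images.other-site.example/logo.png">',
  '<form action="/login" method="post"><input type="submit"></form></body></html>',
].join('\n');

console.log(rewriteStaticHtml(SAMPLE_HTML));
```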
- the suffix proxy 140 is configured to provide a security sandbox, which is a runtime component executed on the client device 130. Certain functions of the security sandbox can be performed in the suffix proxy 140.
- the security sandbox is labeled as a security sandbox 145.
- the security sandbox 145 is configured to prevent access to the document object model (DOM) of a webpage.
- the security sandbox 145 prevents any access and modification to the DOM during run-time of the script. It should be noted that the operation of the security sandbox 145 to prevent access to the DOM does not require any installation of any software, such as plugins, add-ons, and the like in the client device 130 and/or the browser.
- a browser on a client device 130 can execute a script (e.g., JavaScript) that would change the DOM of a webpage during run-time.
- the security sandbox 145, and hence the suffix proxy 140, are configured to restrict the access of any embedded or loaded script code to the DOM.
- the nature of the restriction can be such that changes to URLs in the DOM, by an original script executed in the webpage, are monitored by the security sandbox 145.
- the script code monitoring by the suffix proxy 140 can be invoked for read and write accesses to DOM elements. That is, writes of a URL into the DOM are suffixed with the predefined domain name, and reads of a URL from the DOM are un-suffixed.
- Two sides are distinguished here: "user" code (e.g., the web application's code) and the browser itself (the DOM and the JavaScript representation of it).
- the original script code can be effectively maintained and controlled by the security sandbox 145 and any communication with the original server (around the proxy) is prevented.
- an original script is any script embedded in the webpage not dynamically loaded to the webpage.
- a script can be loaded to a webpage after the webpage is rendered on the browser.
- a script is downloaded from a server (originally configured to serve the page) using any of several forms, including inline scripts inside HTML pages and any code, script, or content files. Examples for such files include, for example, JavaScript, Cascading Style Sheets (CSS), and the like.
- the browser of a client device 130 first loads the main HTML page, and then subsequently loads all referenced and inline scripts. Additionally, scripts can also be loaded dynamically by the web application, using, for example, the 'eval' statement.
- the security sandbox 145 can take control of execution by modifying the static script code when the webpage is downloaded to the browser.
- the modifications to the code can be performed in such way that future dynamically loaded code will be modified during run-time and specific changes to the DOM can be intercepted in order to enforce suffixing of certain URLs. This allows the webpage to remain under the control of the suffix proxy 140.
- the suffix proxy 140 and the security sandbox 145 are configured to modify the dynamically loaded code.
- the loaded code is received at the suffix proxy 140 which is configured to analyze the code to determine all elements that potentially (explicitly or implicitly) contain, point, or otherwise refer to network addresses (URLs), and replace and/or wrap elements within code that enforces suffixing of the network addresses.
- the new script code is loaded at the client device's 130 browser. In some embodiments, caching of script codes can be employed to improve performance.
- the sandbox 145, during run-time, resolves the wrappers in order to enforce suffixing and un-suffixing of network addresses.
- enforcing suffixing of network addresses includes suffixing writes of an address (e.g., a URL) into the DOM with a predefined domain name, and un-suffixing any reads of an address from the DOM.
- DOM elements and properties can be wrapped during the creation of the new script code: properties of HTML elements that contain URLs, such as "IFRAME", "STYLE", "LINK", "IMG", "AUDIO", "A", "FORM", "BASE" and "SCRIPT", with the properties "src", "href" and "action".
- the getAttribute and setAttribute methods of these elements can also be used to set the aforementioned properties.
- HTML elements that can contain a DOM sub-tree (i.e., more HTML).
- the "appendChild" method can be used to add elements (and code) dynamically and the "innerHTML" property can be used to add extra code.
- Properties of the "document" object may contain URLs or hostnames, such as "cookie" and "domain" (both can contain the origin domain of the window).
- the "write" method can be used to add elements and code to the page.
- An "open" method of XMLHttpRequest objects contains a request URL.
- An "origin" property of "MessageEvent" objects contains the origin hostname.
- Methods and properties of the "Window" object include "location", "postMessage", "eval", and "execScript".
- the "location" property redirects the frame to another URL or determines the current location of the frame.
- the "postMessage" method has an origin argument.
- the "eval" and "execScript" properties are used to load code dynamically. Other such elements and properties exist, and any or all of them can be wrapped.
- the wrapping of a DOM element, and thus the creation of new code, is performed using static hooking of the code.
- the static hooking includes processing and extracting inline scripts in the HTML code of a webpage. Then, any script code is converted to a syntax tree, such as an Abstract Syntax Tree (AST).
- the AST can be generated using the Mozilla® parser. The syntax tree is recursively traversed and calls to wrappers are inserted in certain nodes of the tree to allow for hooking.
- the new code is created from the modified nodes (with the inserted calls) and sent to the client device's 130 browser. In an embodiment, the newly created code can be cached for further usage.
- the inserted wrappers can allow for DOM changes to be intercepted during run-time.
- the wrappers can be applied to cover any or all potential DOM accesses.
- the wrappers can be applied (inserted) to some or all of the following syntax tree (AST) nodes: 'MemberExpression', 'Identifier', 'AssignmentExpression', and 'CallExpression'.
- For MemberExpression nodes, any potential accesses to object properties of DOM objects, subscription operations with non-literal keys, and accesses to specific properties (for example, obj.src) whose property name matches a white-list of "interesting" properties, are wrapped.
- wrappers are inserted to wrap any appropriate object. Thus, some wrappers may not be required.
- the security sandbox 145 determines if a wrapper should be handled. In most cases, for example, "false positives", the wrapper will decide to do nothing.
- For Identifier nodes, any potential accesses to a white-list of global Identifiers (which are properties of the window DOM object, e.g., "location") are wrapped. It should be noted that Identifier AST nodes can appear in many unrelated logical positions in the tree. Instances where the Identifier represents access to a global variable are wrapped. This is determined during the traversal step by checking the parent nodes and eliminating all other cases.
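The static-hooking pass over the syntax tree (MemberExpression, Identifier, AssignmentExpression and CallExpression nodes), as an added example that is not the patent's code; the tree is built by hand in ESTree shape instead of with the Mozilla parser, and the wrapper names follow the description while their run-time bodies are not part of this block.

```javascript
// Added example, not the patent's code: static hooking over a hand-built ESTree AST.
const URL_PROPS = new Set(['src', 'href', 'action']);   // "interesting" property names
const GLOBAL_IDS = new Set(['location']);                // white-listed window properties

const id = (name) => ({ type: 'Identifier', name });
const lit = (value) => ({ type: 'Literal', value });
const call = (name, args) => ({ type: 'CallExpression', callee: id(name), arguments: args });

// A MemberExpression is wrapped when its key is a non-literal subscript or a
// white-listed property name (obj.src, obj['src']).
function interesting(member) {
  if (!member.computed) return URL_PROPS.has(member.property.name);
  return member.property.type !== 'Literal' || URL_PROPS.has(member.property.value);
}
const keyOf = (member) => (member.computed ? hook(member.property) : lit(member.property.name));

// Recursive traversal that inserts wrapper calls at the relevant nodes.
function hook(node) {
  if (!node || typeof node !== 'object') return node;
  switch (node.type) {
    case 'AssignmentExpression':
      if (node.left.type === 'MemberExpression' && interesting(node.left)) {
        return call('wrapped_set', [hook(node.left.object), keyOf(node.left), hook(node.right)]);
      }
      if (node.left.type === 'Identifier' && GLOBAL_IDS.has(node.left.name)) {
        return call('wrapped_name_set', [lit(node.left.name), hook(node.right)]);
      }
      return { ...node, left: hook(node.left), right: hook(node.right) };
    case 'CallExpression':
      if (node.callee.type === 'MemberExpression') {   // sandbox decides at run-time
        const args = { type: 'ArrayExpression', elements: node.arguments.map(hook) };
        return call('wrapped_call', [hook(node.callee.object), keyOf(node.callee), args]);
      }
      return { ...node, callee: hook(node.callee), arguments: node.arguments.map(hook) };
    case 'MemberExpression':
      if (interesting(node)) return call('wrapped_get', [hook(node.object), keyOf(node)]);
      return { ...node, object: hook(node.object),
               property: node.computed ? hook(node.property) : node.property };
    case 'Identifier':
      // Reached only for identifiers used as values: declaration names and
      // non-computed property names are never passed to hook().
      return GLOBAL_IDS.has(node.name) ? call('wrapped_name_get', [lit(node.name), node]) : node;
    case 'VariableDeclarator':
      return { ...node, init: hook(node.init) };
    default: {
      const out = {};
      for (const [k, v] of Object.entries(node)) out[k] = Array.isArray(v) ? v.map(hook) : hook(v);
      return out;
    }
  }
}

// Minimal code generator for the node types used here (a real deployment would use a
// generator library such as escodegen).
function gen(node) {
  switch (node.type) {
    case 'Program': return node.body.map(gen).join('\n');
    case 'VariableDeclaration': return `${node.kind} ${node.declarations.map(gen).join(', ')};`;
    case 'VariableDeclarator': return node.init ? `${gen(node.id)} = ${gen(node.init)}` : gen(node.id);
    case 'ExpressionStatement': return `${gen(node.expression)};`;
    case 'AssignmentExpression':
    case 'BinaryExpression': return `${gen(node.left)} ${node.operator} ${gen(node.right)}`;
    case 'CallExpression': return `${gen(node.callee)}(${node.arguments.map(gen).join(', ')})`;
    case 'MemberExpression':
      return node.computed ? `${gen(node.object)}[${gen(node.property)}]`
                           : `${gen(node.object)}.${gen(node.property)}`;
    case 'ArrayExpression': return `[${node.elements.map(gen).join(', ')}]`;
    case 'Identifier': return node.name;
    case 'Literal': return JSON.stringify(node.value);
    default: throw new Error('unsupported node type ' + node.type);
  }
}

// Hand-built AST (constructed sample) for the script
//   var new_src = location + '/image';  img.src = new_src;  xhr.open('GET', new_src);
const SAMPLE_AST = { type: 'Program', body: [
  { type: 'VariableDeclaration', kind: 'var', declarations: [{ type: 'VariableDeclarator',
    id: id('new_src'),
    init: { type: 'BinaryExpression', operator: '+', left: id('location'), right: lit('/image') } }] },
  { type: 'ExpressionStatement', expression: { type: 'AssignmentExpression', operator: '=',
    left: { type: 'MemberExpression', computed: false, object: id('img'), property: id('src') },
    right: id('new_src') } },
  { type: 'ExpressionStatement', expression: { type: 'CallExpression',
    callee: { type: 'MemberExpression', computed: false, object: id('xhr'), property: id('open') },
    arguments: [lit('GET'), id('new_src')] } },
] };

// Translation = hooking pass followed by code generation.
function translate(ast) { return gen(hook(ast)); }
console.log(translate(SAMPLE_AST));
```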
- wrapper functions can be defined according to the traversal of the syntax tree.
- the different wrapper functions behave differently during run-time.
- the wrapper functions include wrapped_get, wrapped_set, and wrapped_call which are used to wrap access to MemberExpressions.
- the functions wrapped_name_get, wrapped_name_set, and wrapped_name_call are used to access global Identifiers.
- the function wrapped_eval_param specifically handles the code passed as the parameter of an "eval" call (which can affect the local scope, and thus cannot be decorated).
- the security sandbox 145 is configured to first detect if the wrapper was invoked on relevant objects or properties. Specifically, for “MemberExpression” wrappers, the property name is checked against a white-list, as well as the subscripted object. For “Identifier” wrappers, a white-list is consulted as well. Objects are determined to be of a certain type ("Document”, “Window”, HTML elements, and so on), and are also compared to global instances when applicable. These comparisons and lookups can be performed efficiently without significant impact on performance in many cases.
- a wrapper call can be processed using any one of various procedures, including, as non-limiting examples: processing dynamically loaded code, where the new code (JavaScript code) is sent to a special REST API endpoint of the proxy for translation and caching, as described below. This can occur in wrappers of "appendChild", "innerHTML", "eval", "execScript", and "write".
- the wrapper can also be processed by suffixing or un-suffixing a URL or hostname. Finally, a false-positive wrapper invocation can be detected, in which case normal execution resumes.
- wrapper function handlers that are responsible for handling DOM access to URL-related properties or methods can be divided into logical groups. These groups include, for example, 'getters', 'setters', and 'detectors'. The 'getters' handle 'get' wrappers; these un-suffix handled URLs, and if a method (JavaScript type "function") is accessed, a "decorator" is returned (see below). The 'setters' handle 'set' wrappers by suffixing assigned URLs. The 'decorators' handle 'call' wrappers and return matching decorator functions for the wrapped methods, which suffix or un-suffix URLs according to what the decorated method is.
- This decorator can be bound to the correct object using the JavaScript "bind" method.
- the correct object is the global object (in some cases, a window).
- the object is subscripted.
- Example of translated code: var new_src = WRAPPED_name_get('location', location) + '/image';
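The run-time side of the hooks (the getter, setter, call and global-identifier wrappers with their white-list check, fast path and decorator), as an added example that is not the patent's code; plain objects tagged with __dom stand in for DOM elements, PROXY_SUFFIX is a constructed value, and every absolute http(s) URL is treated as a cloud-application address.

```javascript
// Added example, not the patent's code: wrapper functions of the security sandbox 145.
const PROXY_SUFFIX = 'network-proxy-service.com';
const URL_PROPS = new Set(['src', 'href', 'action']);
// Methods whose argument (arg) carries a URL or whose return value (ret) does.
const URL_METHODS = { setAttribute: { arg: 1 }, getAttribute: { ret: true }, open: { arg: 1 } };

const HOST_RE = /^(https?:\/\/[^/:?#]+)/i;
const suffixHost = (u) => u.replace(HOST_RE,
  (m, origin) => (origin.endsWith('.' + PROXY_SUFFIX) ? origin : origin + '.' + PROXY_SUFFIX));
const unsuffixHost = (u) => u.replace(HOST_RE,
  (m, origin) => (origin.endsWith('.' + PROXY_SUFFIX) ? origin.slice(0, -PROXY_SUFFIX.length - 1) : origin));

// The sandbox first checks whether the wrapper was invoked on a relevant object and a
// white-listed key; everything else is a false positive and takes the fast path.
function isRelevant(obj, key) {
  return obj !== null && typeof obj === 'object' && obj.__dom === true &&
    (URL_PROPS.has(key) || key in URL_METHODS);
}

// Decorator returned for URL-related methods: suffix the URL argument on the way in,
// un-suffix a URL return value on the way out (the patent binds it with Function.bind;
// a closure over obj has the same effect).
function decorate(obj, key, fn) {
  const spec = URL_METHODS[key];
  return (...args) => {
    if (key !== 'open' && !URL_PROPS.has(args[0])) return fn.apply(obj, args); // setAttribute('id', ..)
    if (spec.arg !== undefined && typeof args[spec.arg] === 'string') args[spec.arg] = suffixHost(args[spec.arg]);
    const ret = fn.apply(obj, args);
    return spec.ret && typeof ret === 'string' ? unsuffixHost(ret) : ret;
  };
}

// 'getter': reads of URL properties are un-suffixed; reads of methods yield a decorator.
function wrapped_get(obj, key) {
  if (!isRelevant(obj, key)) return obj[key];
  const value = obj[key];
  if (typeof value === 'function') return decorate(obj, key, value);
  return typeof value === 'string' ? unsuffixHost(value) : value;
}

// 'setter': writes of URL properties are suffixed before they reach the DOM.
function wrapped_set(obj, key, value) {
  if (isRelevant(obj, key) && typeof value === 'string') value = suffixHost(value);
  return (obj[key] = value);
}

// 'call': method calls on relevant objects go through the decorator.
function wrapped_call(obj, key, args) {
  const fn = obj[key];
  return isRelevant(obj, key) ? decorate(obj, key, fn)(...args) : fn.apply(obj, args);
}

// Global identifier read: `location` is un-suffixed, so the translated statement
// var new_src = wrapped_name_get('location', location) + '/image' yields the direct
// address, which wrapped_set suffixes again once it is written into the DOM.
function wrapped_name_get(name, value) {
  if (name === 'location' && value && typeof value.href === 'string') return unsuffixHost(value.href);
  return value;
}

// Constructed stand-ins for a DOM element and an XMLHttpRequest.
function fakeElement() {
  return { __dom: true, src: '', href: '',
    setAttribute(name, v) { this[name] = v; },
    getAttribute(name) { return this[name]; } };
}
function fakeXhr() { return { __dom: true, url: null, open(method, url) { this.url = url; } }; }

// End-to-end run of the translated statements from the description.
function demo() {
  const img = fakeElement(), xhr = fakeXhr();
  const location = { href: 'http://www.somesite.com.' + PROXY_SUFFIX + '/inbox' };
  const new_src = wrapped_name_get('location', location) + '/image';
  wrapped_set(img, 'src', new_src);
  wrapped_call(xhr, 'open', ['GET', new_src]);
  return { new_src, stored: img.src, seenByApp: wrapped_get(img, 'src'), xhrUrl: xhr.url };
}
console.log(demo());
```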
- a caching mechanism is provided according to the disclosed embodiments.
- the caching mechanism is implemented at the suffix proxy 140 and configured to reduce the overhead of the translation phase.
- all elements of translated code (e.g., an inline script, a file, or a dynamic translation request) are cached; the entries are keyed by a cryptographic hash of the original code.
- the cache is shared across users of the proxy. This way, only the first user per-server will experience the impact of the translation phase for commonly loaded scripts.
- the dynamic script translation REST endpoint can also be configured to accept a client-side calculated hash and perform a lookup in the cache using it. This can reduce usage of upload bandwidth for the users of the proxy. In this fashion, dynamically generated scripts will almost never be actually sent to the proxy (except for the first time).
- the disclosed caching mechanism further caches responses for dynamic translation requests (per hash) returned with "Cache-Control” and "Expires" HTTP headers such that the result will be cached by the client device's 130 browser. In this manner, the same client device 130 will not frequently query the suffix proxy 140 for the same dynamically generated scripts.
- further optimization of the run-time performance is achieved by creating an optimized fast-path for irrelevant/false-positive wrapper invocations (at the code level). This is achieved by writing the basic wrapper functions with a limited subset of JavaScript to allow optimization by the client device 130 browser (e.g., using a JIT compiler of a browser).
- a manual maintenance interface that allows for profiling and detection of the code paths having the most cache hits is provided. This enables removing certain wrappers from the translated code in the suffix proxy 140 cache.
- the suffix proxy 140, using the security sandbox 145, is configured to implement additional security measures to protect the cloud application 115 and client devices 130.
- the security measures include configuring the security sandbox 145 to block third-party content from being added to the DOM and thereby rendered on the client device 130.
- the third-party content may include toolbars, advertisements, malware, and so on.
- any script code downloaded to a client device 130 is intercepted by the sandbox 145 at the suffix proxy 140. Then, the code is analyzed and third-party content called by the script code (and subsequently added to the DOM) is removed.
- the suffix proxy 140 using the security sandbox 145 is configured to prevent access to URLs designated in a predefined blacklist, thereby blocking third-party content.
- the analysis of the code or of any attempt to access third-party content is performed at run-time as the code is loaded to the client device 130. The embodiments for analyzing the code and generating the respective new code are discussed in detail above.
- the suffix proxy 140 using the security sandbox 145 is configured to provide a DOM firewall that prevents websites from accessing certain features of the DOM and/or to perform certain operations on the client device 130.
- the actions/features that are restricted may include, for example, preventing a website from loading plugins or modifying the settings of the browser, blocking all cross-domain accesses between the client device 130 and other domains, and blocking all asynchronous requests between the webpage and the web server.
- an alert is generated to the user of the operations that should be taken or are about to be taken. The user may be able to allow or deny any blocking operation.
- the security sandbox 145 is configured to encrypt fields included in a webpage rendered on the web browser. These fields may include, for example, text fields, combo boxes, and the like.
- an encryption key is generated by the security sandbox 145. The key is known only to the client device 130 and the security sandbox 145, but not to the cloud application 115. The encryption key is provided to the client device 130 through the new code injected to the webpage. As noted above, such code is sent to the browser from the security sandbox 145 upon analysis of a static webpage and/or when an inline script is sent to the security sandbox 145.
- any fields shown on the webpage can be encrypted.
- the encryption of the data (contents of the field) is performed at the client device 130 while the decryption is performed by the security sandbox 145.
- any encrypted data is intercepted by the security sandbox 145.
- all text insertions into the DOM are detected and text insertions of encrypted data are replaced with decrypted data (prior to insertion to the actual DOM).
- the original code (provided by the cloud application 115) executed by the browser can access only encrypted data. If the code tries to read the decrypted data out of the DOM, the security sandbox 145 intercepts this attempt and encrypts the data back again.
- the suffix proxy 140 may reside in the cloud computing platform 110, a different cloud computing platform, or a connectable datacenter. Moreover, in an embodiment, there may be a plurality of suffix proxies 140 operating as described hereinabove and configured to either have one as a standby appliance to take control in a case of failure, or to share the load between them, or to split the functions between them. Furthermore, without departing from the scope of the disclosed embodiments, various functions of the suffix proxy 140 may be implemented by the managed network proxy 120.
- FIG. 2 shows an exemplary and non-limiting flowchart 200 illustrating a method for suffixing network addresses according to one embodiment.
- a webpage sent to a client device from a cloud-application is received.
- the webpage may be sent from an access proxy or any device in the line of traffic between the client device and the cloud application.
- the webpage is intercepted by a suffix proxy.
- a static network address designated in the received webpage is suffixed. That is, a predefined domain name suffix is added to the network address.
- the network address or addresses to be suffixed are determined based on a predefined list of URLs.
- a piece of code (JavaScript code) is injected into the webpage to later process scripts, code, or content files that are dynamically loaded to the webpage. Examples for such files include, for example, JavaScript, CSS, and the like.
- the modified webpage is relayed to the client device's browser.
- the rendering of the webpage on the client's browser may cause dynamic loading of content from a server (e.g., server running the cloud-application) to the webpage.
- any attempt to load such code is detected in order to allow, e.g., the security sandbox 145 to control the execution of the dynamic code, such as static script code, when the webpage is downloaded to the browser.
- any code that is dynamically loaded to the webpage is received.
- such code can be sent from the browser to the suffix proxy 140.
- the received code is cached for future usage.
- the received code is modified.
- S240 is performed by the suffix proxy. Specifically, the code modification is performed in such a way that future dynamically loaded code will be modified during run-time and specific changes to the DOM can be intercepted in order to enforce suffixing of certain network addresses.
- the enforcing suffixing of network addresses includes suffixing writes of an address (URL) into the DOM with a predefined domain name and un-suffixing any reads of an address (URL) from the DOM.
- the code modification includes wrapping certain DOM elements.
- the modification of the code is performed using static hooking techniques discussed in detail above.
- Step S240 will result in a new code (an example for such new code is provided above).
- the new code is cached for future usage. The various embodiments of the caching mechanism are described above.
- the new code is sent to the client device for execution thereon. It should be noted that S230 and S240 are performed for any dynamic code, script, or file included in the webpage. It should be emphasized that steps S230 and S240 are performed completely during run-time.
- FIG. 3 shows an exemplary and non-limiting flowchart 300 illustrating a method for controlling changes to the DOM according to one embodiment.
- a webpage sent to a client device from a cloud-application is received.
- the webpage may be sent from an access proxy or any device in the line of traffic between the client device and the cloud application.
- the webpage is intercepted by the suffix proxy.
- a piece of code (e.g., JavaScript code) is injected into the webpage to later process scripts, code, or content files that are dynamically loaded to the webpage.
- the piece of code maintains an encryption key in the DOM of the webpage.
- the encryption key is known to the suffix proxy, but not to the cloud-application and/or a provider of the cloud platform.
- the modified webpage is sent to the client device.
- the injected piece of code together with the encryption key allows the user of the client device to encrypt any text field in the webpage.
- encrypted text fields inserted into the DOM are intercepted.
- the recognition of the encrypted text is performed, for example, by searching for a known encryption pattern.
- any identified encrypted text field is decrypted.
- the decrypted data of the identified encrypted text fields is inserted into the DOM.
- any attempt by code (e.g., JavaScript code) to read such data outside of the DOM is intercepted, for example, by the security sandbox 145. Therefore, the disclosed method for controlling changes to the DOM provides another layer of security to the cloud-application.
- Fig. 4 shows an exemplary and non-limiting block diagram of the suffix proxy 140 constructed according to one embodiment.
- the suffix proxy 140 may be deployed in cloud-computing platforms, data centers, or as a stand-alone network device.
- the suffix proxy 140 is configured to at least control and enforce access to cloud applications based on access policies described in greater detail above.
- the suffix proxy 140 includes a processing system 410 coupled to a memory 415, and a security sandbox module 420.
- the processing system 410 uses instructions stored in the memory 415 to control the operation of the suffix proxy 140.
- the processing system 410 may comprise or be a component of a larger processing system implemented with one or more processors.
- the one or more processors may be implemented with any combination of general-purpose microprocessors, microcontrollers, digital signal processors (DSPs), field programmable gate arrays (FPGAs), programmable logic devices (PLDs), controllers, state machines, gated logic, discrete hardware components, dedicated hardware finite state machines, or any other suitable entities that can perform calculations or other manipulations of information.
- the processing system 410 may also include machine-readable media for storing software.
- Software shall be construed broadly to mean any type of instructions, whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise. Instructions may include code (e.g., in source code format, binary code format, executable code format, or any other suitable format of code). The instructions, when executed by the one or more processors, cause the processing system 410 to perform the various functions described herein.
- the security sandbox module 420 is configured to monitor any changes to the DOM, prevent access to the DOM, and suffix and un-suffix network addresses. As discussed in detail above, the operation of the security sandbox module 420 is performed in run-time, i.e., when the webpage is rendered on the web browser of a client device 130.
- the webpage is provided by the cloud-application 115.
- the operation of the security sandbox module 420 is discussed in detail above.
- the security sandbox module 420 can be realized as a processing unit having the various structural configurations discussed in detail above.
- the various embodiments disclosed herein can be implemented as hardware, firmware, software, or any combination thereof.
- the software is preferably implemented as an application program tangibly embodied on a program storage unit or non-transitory computer readable medium consisting of parts, or of certain devices and/or a combination of devices.
- the application program may be uploaded to, and executed by, a machine comprising any suitable architecture.
- the machine is implemented on a computer platform having hardware such as one or more central processing units ("CPUs"), a memory, and input/output interfaces.
- the computer platform may also include an operating system and microinstruction code.
- a non-transitory computer readable medium is any computer readable medium except for a transitory propagating signal.
- any reference to an element herein using a designation such as "first," "second," and so forth does not generally limit the quantity or order of those elements. Rather, these designations are generally used herein as a convenient method of distinguishing between two or more elements or instances of an element. Thus, a reference to first and second elements does not mean that only two elements may be employed there or that the first element must precede the second element in some manner. Also, unless stated otherwise a set of elements comprises one or more elements.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Library & Information Science (AREA)
- Information Transfer Between Computers (AREA)
Priority Applications (7)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP15839443.7A EP3069251A1 (en) | 2014-09-12 | 2015-09-11 | A cloud suffix proxy and methods thereof |
CA2931517A CA2931517A1 (en) | 2014-09-12 | 2015-09-11 | A cloud suffix proxy and methods thereof |
AU2015314899A AU2015314899A1 (en) | 2014-09-12 | 2015-09-11 | A cloud suffix proxy and methods thereof |
CN201580002873.9A CN105793826A (en) | 2014-09-12 | 2015-09-11 | A cloud suffix proxy and methods thereof |
JP2016539311A JP2017532615A (en) | 2014-09-12 | 2015-09-11 | Cloud suffix proxy and method |
IL245266A IL245266A0 (en) | 2014-09-12 | 2016-04-21 | A cloud suffix proxy and methods thereof |
PH12016500944A PH12016500944A1 (en) | 2014-09-12 | 2016-05-20 | A cloud suffix proxy and methods thereof |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201462049473P | 2014-09-12 | 2014-09-12 | |
US62/049,473 | 2014-09-12 | ||
US14/539,980 | 2014-11-12 | ||
US14/539,980 US9438565B2 (en) | 2013-11-11 | 2014-11-12 | Cloud service security broker and proxy |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016040753A1 true WO2016040753A1 (en) | 2016-03-17 |
Family
ID=55459596
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2015/049606 WO2016040753A1 (en) | 2014-09-12 | 2015-09-11 | A cloud suffix proxy and methods thereof |
Country Status (8)
Country | Link |
---|---|
EP (1) | EP3069251A1 (en) |
JP (1) | JP2017532615A (en) |
CN (1) | CN105793826A (en) |
AU (1) | AU2015314899A1 (en) |
CA (1) | CA2931517A1 (en) |
IL (1) | IL245266A0 (en) |
PH (1) | PH12016500944A1 (en) |
WO (1) | WO2016040753A1 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3413192A1 (en) * | 2017-06-08 | 2018-12-12 | HOB GmbH & Co. KG | Internet-based communication system |
WO2021108126A1 (en) * | 2019-11-25 | 2021-06-03 | Microsoft Technology Licensing, Llc | Security service |
WO2023275828A1 (en) * | 2021-06-30 | 2023-01-05 | Sony Group Corporation | Anti-piracy control based on blacklisting function |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108804916B (en) * | 2017-12-19 | 2022-01-28 | 安天科技集团股份有限公司 | Malicious file detection method and device, electronic equipment and storage medium |
CN109325192B (en) * | 2018-10-11 | 2021-11-23 | 网宿科技股份有限公司 | Advertisement anti-shielding method and device |
US10873644B1 (en) * | 2019-06-21 | 2020-12-22 | Microsoft Technology Licensing, Llc | Web application wrapper |
CN114816558B (en) * | 2022-03-07 | 2023-06-30 | 深圳市九州安域科技有限公司 | Script injection method, equipment and computer readable storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6397246B1 (en) * | 1998-11-13 | 2002-05-28 | International Business Machines Corporation | Method and system for processing document requests in a network system |
US20070016949A1 (en) * | 2005-07-15 | 2007-01-18 | Microsoft Corporation | Browser Protection Module |
US20100146260A1 (en) * | 2005-05-02 | 2010-06-10 | Barracuda Networks, Inc. | Tandem encryption connections to provide network traffic security method and apparatus |
US20120030294A1 (en) * | 2010-07-28 | 2012-02-02 | Openwave Systems Inc. | Method and system for link-triggered link-translating proxying |
WO2013091709A1 (en) * | 2011-12-22 | 2013-06-27 | Fundació Privada Barcelona Digital Centre Tecnologic | Method and apparatus for real-time dynamic transformation of the code of a web document |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9003552B2 (en) * | 2010-12-30 | 2015-04-07 | Ensighten, Inc. | Online privacy management |
US9460222B2 (en) * | 2012-05-17 | 2016-10-04 | Oracle International Corporation | System for rewriting dynamically generated uniform resource locators in proxied hyper text markup language content in accordance with proxy server rules |
- 2015
- 2015-09-11 WO PCT/US2015/049606 patent/WO2016040753A1/en active Application Filing
- 2015-09-11 CN CN201580002873.9A patent/CN105793826A/en active Pending
- 2015-09-11 AU AU2015314899A patent/AU2015314899A1/en not_active Abandoned
- 2015-09-11 EP EP15839443.7A patent/EP3069251A1/en not_active Withdrawn
- 2015-09-11 JP JP2016539311A patent/JP2017532615A/en active Pending
- 2015-09-11 CA CA2931517A patent/CA2931517A1/en not_active Abandoned
- 2016
- 2016-04-21 IL IL245266A patent/IL245266A0/en unknown
- 2016-05-20 PH PH12016500944A patent/PH12016500944A1/en unknown
Also Published As
Publication number | Publication date |
---|---|
CA2931517A1 (en) | 2016-03-17 |
PH12016500944A1 (en) | 2016-07-11 |
AU2015314899A1 (en) | 2016-05-19 |
IL245266A0 (en) | 2016-06-30 |
JP2017532615A (en) | 2017-11-02 |
EP3069251A1 (en) | 2016-09-21 |
CN105793826A (en) | 2016-07-20 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| WWE | Wipo information: entry into national phase | Ref document number: 245266; Country of ref document: IL |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15839443; Country of ref document: EP; Kind code of ref document: A1 |
| REEP | Request for entry into the european phase | Ref document number: 2015839443; Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 2015839443; Country of ref document: EP |
| ENP | Entry into the national phase | Ref document number: 2015314899; Country of ref document: AU; Date of ref document: 20150911; Kind code of ref document: A |
| WWE | Wipo information: entry into national phase | Ref document number: 12016500944; Country of ref document: PH |
| ENP | Entry into the national phase | Ref document number: 2931517; Country of ref document: CA |
| ENP | Entry into the national phase | Ref document number: 2016539311; Country of ref document: JP; Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |