Case 1:23-cv-00758-GBW Document 12-1 Filed 09/01/23 Page 1 of 165 PageID #: 189

EXHIBIT A

`Case 1:23-cv-00758-GBW Document 12-1 Filed 09/01/23 Page 2 of 165 PageID #: 190
`
`US010324702B2
`
(12) United States Patent
Vishnepolsky et al.

(10) Patent No.: US 10,324,702 B2
(45) Date of Patent: Jun. 18, 2019
`
(54) CLOUD SUFFIX PROXY AND A METHOD THEREOF

(71) Applicant: Adallom Technologies Ltd., Tel Aviv (IL)

(72) Inventors: Gregory Vishnepolsky, Rehovot (IL); Liran Moysi, Ramat Gan (IL)

(73) Assignee: MICROSOFT ISRAEL RESEARCH AND DEVELOPMENT (2002) LTD., Matam Haifa (IL)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 483 days.

(21) Appl. No.: 14/847,469

(22) Filed: Sep. 8, 2015

(65) Prior Publication Data: US 2016/0077824 A1, Mar. 17, 2016

Related U.S. Application Data

(63) Continuation-in-part of application No. 14/539,980, filed on Nov. 12, 2014, now Pat. No. 9,438,565.
(Continued)

(51) Int. Cl.
G06F 9/44 (2018.01)
G06F 8/65 (2018.01)
(Continued)

(52) U.S. Cl.
CPC ... G06F 8/65 (2013.01); G06F 16/958 (2019.01); G06F 17/2247 (2013.01);
(Continued)

(58) Field of Classification Search
None

(56) References Cited

U.S. PATENT DOCUMENTS
6,397,246 B1   5/2002  Wolfe
7,571,217 B1   8/2009  Saxena
(Continued)

FOREIGN PATENT DOCUMENTS
JP  2006526843 A  11/2006
JP  2009289206 A  12/2009
(Continued)

OTHER PUBLICATIONS
“Final Office Action Issued in U.S. Appl. No. 14/539,980”, dated Dec. 8, 2015, 13 Pages.
(Continued)

Primary Examiner — Insun Kang
(74) Attorney, Agent, or Firm — M&B IP Analysts, LLC.
`
`(57)
`
(57) ABSTRACT

A method and system for modifying network addresses of at least one cloud application. The method comprises receiving a webpage sent to a client device from the at least one cloud application, wherein a webpage designates at least one script loaded to the client device during runtime; injecting a piece of code to the webpage; receiving, by the injected piece of code, an attempt to load each of the at least one script; modifying the at least one script by suffixing each network address designated in the at least one script with a predefined network address; and sending the modified at least one script to the client device, wherein runtime execution of the modified at least one script on the client device causes redirection of future requests from the client device to the cloud application to the suffixed network address.

See application file for complete search history.

33 Claims, 4 Drawing Sheets
`
` 100
`Client Device 130-1
`Client Device 130-N
`
`Security
`Sandbox
`145
`
`eee
`
`Security
`Sandbox
`145
`
`110
`
`
`>
`
`|
`
`
`
`120
`
` Cloud
`Application
`
`
`115
`
`
`
`
`
`Suffix Proxy
`|
`' Security
`140
`' Sandbox !
`
`Managed
`Network
`Proxy
`
`
`
`Case 1:23-cv-00758-GBW Document 12-1 Filed 09/01/23 Page 3 of 165 PageID #: 191
`
US 10,324,702 B2
Page 2

Related U.S. Application Data

(60) Provisional application No. 62/049,473, filed on Sep. 12, 2014.

(51) Int. Cl.
G06F 21/53 (2013.01)
G06F 17/22 (2006.01)
G06F 16/958 (2019.01)
H04L 29/08 (2006.01)
H04L 29/12 (2006.01)

(52) U.S. Cl.
CPC ... G06F 21/53 (2013.01); H04L 67/02 (2013.01); H04L 67/1002 (2013.01); H04L 67/2814 (2013.01); H04L 61/301 (2013.01); H04L 61/3055 (2013.01)
`
`(56)
`
`References Cited
`U.S. PATENT DOCUMENTS
`
`7,873,707 B1*
`
`7,958,232 Bl
`8,543,726 BL*
`
`8,856,869 Bl
`8,938,800 B2
`9,137,131 Bl
`9,154,479 BL
`9,369,437 B2*
`9,391,832 BL*
`9,438,625 BL*
`2006/0117388 Al
`2007/0016949 Al*
`
`2007/0180510 Al
`2008/0177691 Al
`2009/0077369 A1*
`
`2009/0083726 Al*
`
`1/2011 Subramanian .... GO6F 17/30887
`709/219
`
`6/2011 Colton et al.
`9/2013 Kann we. HO4L 63/0281
`709/219
`
`10/2014 Brinskelle
`1/2015 Bhargavaet al.
`9/2015 Sarukkaietal.
`10/2015 Sethi
`6/2016 Holloway........... HO4L 63/1416
`
`7/2016 Song we HO4L 29/14
`9/2016 Yang occ HO4L 63/1441
`6/2006 Nelsonet al.
`1/2007 Dunagan .............. GO6F 21/51
`726/22
`
`8/2007 Longet al.
`7/2008 Alperovitch et al.
`3/2009 Fujimaki ......0.... GO6F 17/212
`713/100
`3/2009 Amend .........0. HO04L 63/105
`TTI7L
`
`8/2009 Blum et al.
`2009/0217354 Al
`10/2009 Jungcketal.
`2009/0262741 Al
`11/2009 Dingetal.
`2009/0289206 Al
`4/2010 Jungcket al.
`2010/0103837 Al
`6/2010 Levow et al.
`2010/0146260 Al
`6/2010 Holostovet al.
`2010/0162346 Al
`2010/0313183 A1* 12/2010 Ellen wo G06Q 30/02
`TL7/110
`
`2010/0325357 Al
`2011/0029613 Al
`2011/0131478 Al*
`
`2011/0208838 Al
`2011/0257810 Al
`2011/0289434 Al
`2011/0289588 Al
`2012/0023160 Al
`2012/0030294 Al*
`
`2012/0036576 A1*
`
`2012/0116896 Al*
`
`2012/0137210 Al*
`
`2012/0174236 Al*
`
`2012/0278872 Al
`2013/0073609 Al*
`
`2013/0097706 Al
`2013/0097711 Al
`2013/0196396 Al
`
`12/2010 Reddyet al.
`2/2011 Hedditch
`6/2011 Tock wo HO04L 63/0823
`715/208
`
`8/2011 Thomaset al.
`10/2011 Leger
`11/2011 Kieft
`11/2011 Sahai etal.
`1/2012 Marmor
`2/2012 Piernot «0.0.0... GO06F 17/30902
`709/206
`2/2012 Tyer wee GO06F 21/554
`726/23
`5/2012 Holloway........... HO4L 61/1511
`705/14.73
`5/2012 Dillon ww. GO06F 17/30902
`715/234
`7/2012 Goodwin «0.0... HO4L 63/102
`726/27
`
`11/2012 Woelfel et al.
`3/2013 Connolly ......... GO6F 15/16
`709/203
`
`4/2013 Titonis et al.
`4/2013 Basavapatnaet al.
`8/2013 Beesonetal.
`
`2013/0212689 Al*
`
`8/2013 Ben-Natan ............. HO4L 63/20
`726/26
`2013/0276136 Al* 10/2013 Goodwin .........0.. HO4L 67/22
`726/27
`2013/0311863 Al* 11/2013 Gutkin .......0.. GO6F 17/30887
`715/208
`
`2013/0347094 Al
`2014/0020072 Al
`2014/0032759 Al
`2014/0109175 Al
`2014/0137273 Al
`2014/0173415 Al*
`
`2014/0201524 Al
`2014/0237545 Al
`2014/0282464 Al*
`
`2014/0282518 Al
`2014/0283000 Al
`2014/0344332 AL*
`
`2015/0066575 Al
`2015/0088968 AL*
`
`2016/0119344 A1l*
`
`2016/0330172 Al
`2017/0116349 Al*
`2017/0163675 AL*
`
`12/2013 Bettini et al.
`1/2014 Thomas
`1/2014 Barton etal.
`4/2014 Bartonetal.
`5/2014 Workman
`6/2014 Kattil Cherian .. GO6F 17/30861
`715/234
`
`7/2014 Dittrich
`8/2014 Mylavarapu et al.
`9/2014 El-Gillani 0... GO6F 8/61
`717/168
`
`9/2014 Banerjee
`9/2014 Radhakrishnan
`11/2014 Giebler ........ HO4L 67/2823
`709/203
`
`3/2015 Baikalovetal.
`3/2015 Wei wc nee HO4L 67/10
`709/203
`4/2016 Freitas Fortuna dos Santos ........
`HO4L 63/1466
`726/7
`
`11/2016 Muttik
`4/2017 Steiner... GO6F 17/30902
`6/2017 Warman .............. HO4L 63/1425
`
`FOREIGN PATENT DOCUMENTS
`
`JP
`JP
`JP
`WO
`WO
`WO
`
`2011511974 A
`2011257810 A
`2013196396 A
`2011094807 Al
`2012063282 Al
`2013091709 Al
`
`4/2011
`12/2011
`9/2013
`8/2011
`5/2012
`6/2013
`
`OTHER PUBLICATIONS
`
“International Search Report and Written Opinion Issued in PCT Application No. PCT/US2015/049606”, dated Feb. 25, 2016, 7 Pages.
“Non-Final Office Action Issued in U.S. Appl. No. 14/539,980”, dated Jan. 26, 2015, 9 Pages.
“Notice of Allowance Issued in U.S. Appl. No. 14/539,980”, dated May 16, 2016, 4 Pages.
“Notice of Allowance Issued in U.S. Appl. No. 14/539,980”, dated May 4, 2016, 12 Pages.
Magazinius, et al., “Architectures for Inlining Security Monitors in Web Applications”, In Proceedings of 6th International Symposium on Engineering Secure Software and Systems, Feb. 26, 2014, 18 Pages.
“Non Final Office Action Issued in U.S. Appl. No. 14/968,432”, dated Sep. 22, 2016, 17 Pages.
“Supplementary Search Report Issued in European Patent Application No. 14860194.1”, dated May 31, 2017, 7 Pages.
“Non-Final Office Action Issued in U.S. Appl. No. 14/968,432”, dated Jul. 28, 2017, 18 Pages.
Patent Cooperation Treaty International Search Report and Written Opinion for PCT/US2014/065305, ISA/US, Alexandria, VA., dated Mar. 3, 2015.
“Final Office Action Issued in U.S. Appl. No. 14/968,432”, dated Mar. 23, 2017, 21 Pages.
“Office Action Issued in Australia Patent Application No. 2014346390”, dated Mar. 15, 2018, 3 Pages.
“Office Action Issued in Colombian Patent Application No. 16-139041”, dated Nov. 24, 2017, 17 Pages.
“Office Action Issued in Chile Patent Application No. 1116-2016”, dated Jan. 26, 2018, 9 Pages.
“Office Action Issued in Mexican Patent Application No. MX/a/2016/006109”, dated Nov. 29, 2017, 2 pages. (W/o English Translation).
`
`
`
`Case 1:23-cv-00758-GBW Document 12-1 Filed 09/01/23 Page 4 of 165 PageID #: 192
`
`US 10,324,702 B2
`Page 3
`
`(56)
`
`References Cited
`OTHER PUBLICATIONS
`
“Non Final Office Action Issued in U.S. Appl. No. 14/968,432”, dated Feb. 5, 2018, 19 Pages.
“Office Action Issued in Japanese Patent Application No. 2016-530954”, dated Sep. 28, 2018, 4 Pages.
“Office Action Issued in Chile Patent Application No. 1116-2016”, dated Jul. 3, 2018, 12 Pages.
“Office Action Issued in Russian Patent Application No. 2016117971”, dated Jul. 9, 2018, 5 Pages.
“Office Action Issued in Chinese Patent Application No. 201480061802.1”, dated Aug. 3, 2018, 11 Pages.
“Second Office Action Issued in Chinese Patent Application No. 201480061802.1”, dated Mar. 14, 2019, 7 Pages.
“Supplementary Examination Report Issued in Singapore Patent Application No. 11201603471X”, dated Mar. 20, 2019, 3 Pages.
`
`* cited by examiner
`
`
`
`Case 1:23-cv-00758-GBW Document 12-1 Filed 09/01/23 Page 5 of 165 PageID #: 193
`
U.S. Patent   Jun. 18, 2019   Sheet 1 of 4   US 10,324,702 B2

[FIG. 1: diagram of networked system 100. Labels recoverable from the drawing: Client Device 130-1 and Client Device 130-N, each with a Security Sandbox 145; cloud computing platform 110 hosting Cloud Application 115; Suffix Proxy 140 (with a Security Sandbox); Managed Network Proxy 120.]

FIG. 1
`
`
`
`Case 1:23-cv-00758-GBW Document 12-1 Filed 09/01/23 Page 6 of 165 PageID #: 194
`
U.S. Patent   Jun. 18, 2019   Sheet 2 of 4   US 10,324,702 B2

[FIG. 2: flowchart of the security sandbox operation, reconstructed from the drawing labels.]

START
S210  Receive a webpage sent to a client device
S220  Suffix a static network address designated in the received webpage
S225  Inject a piece of code into the webpage
S230  Receive any code dynamically loaded to the webpage
S240  Modify the received code
S250  Send new code to the client device

FIG. 2
`
`
`
`Case 1:23-cv-00758-GBW Document 12-1 Filed 09/01/23 Page 7 of 165 PageID #: 195
`
U.S. Patent   Jun. 18, 2019   Sheet 3 of 4   US 10,324,702 B2

[FIG. 3: flowchart 300 of the method for controlling changes to the DOM, reconstructed from the drawing labels.]

START
S310  Receive a webpage sent to a client device
S320  Inject a piece of code into the webpage
S330  Send the modified webpage to the client device
S340  Intercept encrypted text fields inserted into the DOM
S350  Decrypt any identified encrypted text fields
S360  Insert decrypted data of the identified encrypted text fields into the DOM
END

FIG. 3
`
`
`
`Case 1:23-cv-00758-GBW Document 12-1 Filed 09/01/23 Page 8 of 165 PageID #: 196
`
U.S. Patent   Jun. 18, 2019   Sheet 4 of 4   US 10,324,702 B2

[FIG. 4: block diagram of suffix proxy 140. Labels recoverable from the drawing: Processing system 410; Security Sandbox module 420.]

FIG. 4
`
`
`
`Case 1:23-cv-00758-GBW Document 12-1 Filed 09/01/23 Page 9 of 165 PageID #: 197
`
`US 10,324,702 B2
`
`1
`CLOUD SUFFIX PROXY AND A METHOD
`THEREOF
`
`CROSS-REFERENCE TO RELATED
`APPLICATIONS
`
`2
`It would therefore be advantageousto provide a solution
`that would overcomethe deficiencies of the prior art tech-
`niques for capture and reconstruction of HTTPtraffic.
`
`SUMMARY
`
`This application claims the benefit of U.S. Provisional
`Application No. 62/049,473 filed on Sep. 12, 2014. This
`application is also a continuation-in-part of U.S. patent
`application Ser. No. 14/539,980 filed on Nov. 12, 2014, the
`contents of which are hereby incorporated by reference.
`
`TECHNICAL FIELD
`
`This application relates generally to securing communi-
`cations networks and systems by monitoring and securing
`communications, in particular by use of a suffix proxy.
`
`BACKGROUND
`
`In recent years more and more providers offer the ability
`to create computing environments in the cloud. For example,
`Amazon Web Services™(also known as AWS)launchedin
`2006 a service that provides users with the ability to con-
`figure an entire environment
`tailored to an application
`executed over a cloud platform. In general, such services
`allow for developing scalable applications in which com-
`puting resourcesare utilized to support efficient execution of
`the application.
`Organizations and businesses that develop, provide, or
`otherwise maintain cloud-based applications have become
`accustomedto rely on these services and implement various
`types of environments from complex websites to applica-
`tions and services provided as a software-as-service (SaaS)
`delivery model. Such services and applications are collec-
`tively referred to as “cloud applications.”
`Cloud applications are typically accessed by users using
`a client device via a web browser. Cloud applications
`include, among others, e-commerce applications, social
`media applications, enterprise applications, gaming applica-
`tions, media sharing applications, storage applications, soft-
`ware developmentapplications, and so on. Manyindividual
`users, businesses, and enterprises turn to cloud applications
`in lieu of “traditional” software applications that are locally
`installed and managed. For example, an enterprise can use
`Office® 365 online services for email accounts, rather than
`having an Exchange® Server maintained by the enterprise.
`Enterprises are increasingly adopting cloud-based SaaS
`offerings. These services are subject
`to varied network
`security risks. Known systems for securing these networks
`operate by inspecting traffic between servers operating the
`SaaS and the endpoint operated by a user. These known
`network security systemstypically require complex configu-
`ration of the endpoint which increases system complexity.
`Furthermore, in many cases, the endpoint may not be
`under the complete control of the enterprise, may be entirely
`unmanaged, or otherwise unconfigurable. In addition to the
`difficulties inherent in configuring and administering a user-
`controlled endpoint, it is difficult to ensuretraffic captivation
`for an entire session when network addresses are generated
`dynamically.
`In addition, modern web/cloud applications, such as the
`Google® Appsplatform,utilize a large amountof client side
`code (JavaScript). This can make a suffix proxy implemen-
`tation much more challenging, as basic proxy functions are
`insufficient and further intervention in the client side code is
`
`required.
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`A summary of several example embodiments of the
`disclosure follows. This summary is provided for the con-
`venience of the reader to provide a basic understanding of
`such embodiments and does not wholly define the breadth of
`the disclosure. This summary is not an extensive overview
`of all contemplated embodiments, and is intended to neither
`identify key or critical elements of all embodiments nor
`delineate the scope of any or all embodiments.
`Its sole
`purposeis to present some concepts of one or more embodi-
`ments in a simplified form as a prelude to the more detailed
`description that is presented later. For convenience, the term
`some embodiments may be used herein to refer to a single
`embodiment or multiple embodiments of the disclosure.
`Some embodiments of the disclosure relate to a method
`
`least one cloud
`for modifying network addresses of at
`application. The method comprises receiving a webpage
`sent to a client device from the at least one cloud application,
`wherein a webpage designates at least one script loaded to
`the client device during runtime; injecting a piece of code to
`the webpage; receiving, by the injected piece of code, an
`attempt to load each ofthe at least one script; modifying the
`at least one script by suffixing each network address desig-
`nated in the at least one script with a predefined network
`address; and sending the modified at least one script to the
`client device, wherein runtime execution of the modified at
`least one script on the client device causes redirection of
`future requests from the client device to the cloud applica-
`tion to the suffixed network address.
`Some embodiments of the disclosure relate to a system for
`modifying network addresses of at least one cloud applica-
`tion. The system comprises a processor; and a memory
`containing instructions that, when executed by the proces-
`sor, configure the system to: receive a webpage sent to a
`client device from the at least one cloud application, wherein
`a webpage designates at least one script loaded to the client
`device during runtime; inject a piece of code to the webpage;
`receive, by the injected piece of code, an attempt to load
`each ofthe at least one script; modify the at least one script
`by suffixing each network address designated in the at least
`one script with a predefined network address; and send the
`modified at least one script to the client device, wherein
`runtime execution of the modified at least one script on the
`client device causes redirection of future requests from the
`client device to the cloud applicationto the suffixed network
`address.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`The subject matter disclosed herein is particularly pointed
`out and distinctly claimed in the claimsat the conclusion of
`the specification. The foregoing and other objects, features,
`and advantagesof the disclosed embodiments will be appar-
`ent from the following detailed description taken in con-
`junction with the accompanying drawings.
`FIG. 1 is a diagram of a networked system utilized to
`describe the various disclosed embodiments.
`
`FIG. 2 is a flowchart illustrating the operation of the
`security sandbox according to one embodiment.
`FIG.3 is a flowchart illustrating a method for controlling
`changes to the DOM according to one embodiment.
`
`
`
`Case 1:23-cv-00758-GBW Document 12-1 Filed 09/01/23 Page 10 of 165 PageID #: 198
`
`3
`FIG.4 is a block diagram of a suffix proxy implemented
`according to an embodiment.
`
`4
`110. Specifically, the managed network proxy 120 can be
`used to intercept, monitor, modify, and forward network
`communicationstraffic between client devices 130 and the
`
`US 10,324,702 B2
`
`DETAILED DESCRIPTION
`
`cloud computing platform 110.
`The managed network proxy 120 can be configured to
`detect and mitigate network threats against the cloud appli-
`It is important to note that the embodiments disclosed
`cations 115 and/or the infrastructure of the cloud computing
`herein are only examples of the many advantageous uses of
`platform 110. As non-limiting examples, the managed net-
`the innovative teachings herein.In general, statements made
`work proxy 120 can be configured to notify of suspicious
`in the specification of the present application do not neces-
`networktraffic and behavior; block threats; perform appli-
`sarily limit any of the various claimed embodiments. More-
`cation control, URLfiltering, and malwareprotection on the
`over, some statements may apply to someinventive features
`network traffic; establish visibility to application layer
`but not to others. In general, unless otherwise indicated,
`parameters (e.g.,
`list of users, devices,
`locations, etc.);
`singular elements may be in plural and vice versa with no
`generate profiles of users using the cloud applications 115;
`loss of generality. In the drawings, like numeralsreferto like
`provide alerts on specific or predefined events; generate
`parts through several views.
`audit logs; and so on. The architecture and operation of the
`By a way of example, the various disclosed embodiments
`managed network proxy 120 is discussed in U.S. patent
`can be configured to operate on network traffic between a
`application Ser. No. 14/539,980 assigned to the common
`network-based software as a service (SaaS) provider and a
`assignee, and incorporated herein by reference.
`client. As will be discussed in greater detail below,
`the
`According to certain embodiments, the suffix proxy 140 is
`disclosed embodiments allow for non-intrusive suffixing and
`configured to keep URLs and web accesses of a proxied
`un-suffixing of network addresses directed to the SaaS
`webpage within the hold of the managed network proxy 120.
`provider.
`That is, the modifications performed by the suffix proxy 140
`FIG. 1 is an exemplary and non-limiting diagram of a
`for a request to access a webpage of the cloud application
`networked system 100 utilized to describe the various dis-
`closed embodiments. The networked system 100 includes a
`115 allow directing subsequenttraffic to the managed net-
`
`cloud computing platform 110 which maybeaprivate cloud, work proxy 120.
`a public cloud, or a hybrid cloud providing computing
`In an embodiment, the suffix proxy 140 can be configured
`resources to applications or services executed therein. In an
`to inspect the network traffic and detect cloud-based appli-
`embodiment, the cloud computing platform 110 may be of
`cation’s 115 addresses. Examples
`for
`such addresses
`a SaaS platform.
`include, for example, uniform resource locators (URLs),
`Organizations and businesses that develop, provide, or
`uniform resource identifiers (URIs), and so on. As non-
`otherwise maintain cloud based applications have become
`limiting examples,
`the suffix proxy 140 can decompile,
`accustomed to relying on these services and implementing
`deconstruct, or disassemble networktraflic for inspection.
`various types of environments from complex websites to
`In an embodiment, the suffix proxy 140 can be configured
`applications and services provided as SaaS delivery models.
`to modify webpages and codes (e.g., JavaScript) executed
`Such services and applicationsare collectively referred to as
`therein and on the cloud-computing platform 110, so that no
`“cloud applications 115”.
`network addresses are provided to the client device 130 that
`would direct the client device 130 to access the cloud
`Cloud applications 115 are typically accessed by users
`using a client device via a web browser. Cloud applications
`115 include, among others, e-commerce applications, social
`media applications, enterprise applications, gaming applica-
`tions, media sharing applications, storage applications, soft-
`ware developmentapplications, and so on. Manyindividual
`users, businesses, and enterprises turn to cloud applications
`in lieu of “traditional” software applications that are locally
`installed and managed. For example, an enterprise can use
`Office® 365 online services for email accounts, rather than
`having an Exchange® Server maintained by the enterprise.
`The networked system 100 further includes a managed
`network proxy 120, client devices 130-1 through 130-N, and
`a suffix proxy 140 that are communicatively connected to a
`network 150. The network 150 may be, for example, a wide
`area network (WAN), a local area network (LAN),
`the
`Internet, and the like. Each of the client devices 130 may
`include, for example, a personal computer, a laptop, a tablet
`computer, a smartphone, a wearable computing device, or
`any other computing device.
`The client devices 130 are configured to access the one or
`more cloud applications 115 executed in the cloud comput-
`ing platform 110. A client device 130 may be a managed
`device or unmanaged device. A manageddeviceis typically
`secured by an IT personnel of an organization, while an
`unmanaged device is not. Referring to the above example,
`the work computer is a managed device while the home
`computer is an unmanaged device.
`The managed network proxy 120 is configured to secure
`any orall traffic and activities in a cloud computing platform
`
`20
`
`25
`
`30
`
`35
`
`40
`
`45
`
`50
`
`55
`
`60
`
`65
`
`If such a network address is
`application 115 directly.
`detected, the suffix proxy 140 is configured to rewrite that
`address, for example, appending a predefined domain name
`to the original network address. The added domain name
`may refer or redirect the browser to the managed network
`proxy 120. For example, the URL (network address) http://
`www.somesite.com would be accessed through http://ww-
`w.somesite.com.network-proxy-service.com.
`Various
`embodiments for rewriting network address are disclosed
`below.
`The suffix proxy 140 can be configured to modify any
`content, including webpages, sent from the cloud application
`115. The suffix proxy 140 can be configured to inspect
`and/or decompile any content to identify any referred pages
`and/or URLspresentin the content and rewrite those URLs.
`As non-limiting examples, file types processed can include
`HTML or JavaScript and responses can include zipped
`responses or chunked responses.
`for URLs
`In one embodiment,
`for static webpages,
`embedded in such webpages a predefined suflix domain
`name is added. To this end, the suffix proxy 140 is config-
`ured to parse HTML webpages and replace the URLs
`detected using the regular expressions. A static webpage is
`a webpage that does not contain client-executable script
`(e.g., JavaScript) code.
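The static-webpage rewriting described above, as an added example in JavaScript (not code from the patent or its assignee): `suffixUrl` appends the suffix domain to the host of an absolute URL in the way the http://www.somesite.com example shows, `unsuffixUrl` reverses that for the read path, and `suffixStaticHtml` makes the regular-expression pass over the `src`, `href` and `action` attributes of a constructed sample page. The suffix domain, the function names and the sample HTML are assumptions for illustration.

```javascript
// Added example, not code from the patent: suffixing network addresses in a
// static webpage. Suffix domain, function names and sample page are assumptions.
const PROXY_SUFFIX = "network-proxy-service.com";

// scheme, host, and everything after the host (port, path, query, fragment)
const ABSOLUTE_URL = /^(https?:\/\/)([^\/:?#]+)((?::\d+)?(?:[\/?#].*)?)$/i;

// http://www.somesite.com -> http://www.somesite.com.network-proxy-service.com
// Relative URLs are returned unchanged: the browser resolves them against the
// document's already-suffixed origin, so they stay behind the proxy.
function suffixUrl(url) {
  const m = ABSOLUTE_URL.exec(url);
  if (!m || m[2].toLowerCase().endsWith("." + PROXY_SUFFIX)) return url; // relative or already suffixed
  return m[1] + m[2] + "." + PROXY_SUFFIX + m[3];
}

// Inverse of suffixUrl, used when a URL is read back from the DOM.
function unsuffixUrl(url) {
  const m = ABSOLUTE_URL.exec(url);
  const tail = "." + PROXY_SUFFIX;
  if (!m || !m[2].toLowerCase().endsWith(tail)) return url;
  return m[1] + m[2].slice(0, -tail.length) + m[3];
}

// Regular-expression pass over the URL-bearing attributes named in the patent.
// Only quoted attribute values are handled; a production proxy would parse the HTML.
const URL_ATTRIBUTE = /\b(src|href|action)\s*=\s*(["'])(.*?)\2/gi;

function suffixStaticHtml(html) {
  return html.replace(URL_ATTRIBUTE, (whole, name, quote, value) =>
    name + "=" + quote + suffixUrl(value) + quote);
}

// Constructed sample of a static webpage served by the cloud application.
const SAMPLE_HTML = [
  "<html><head>",
  '<link rel="stylesheet" href="https://static.somesite.com/app.css">',
  '<script src="http://www.somesite.com/js/app.js"></script>',
  "</head><body>",
  '<a href="/relative/path">local link</a>',
  '<form action="https://api.somesite.com/login" method="post"></form>',
  '<img src="http://www.somesite.com.network-proxy-service.com/logo.png">',
  "</body></html>",
].join("\n");

function rewriteSample() {
  return suffixStaticHtml(SAMPLE_HTML);
}

console.log(rewriteSample());
```

The regular-expression approach is only adequate for the static case the paragraph defines: it misses URLs assembled in inline script or CSS, which is exactly the gap the script-rewriting embodiments that follow are meant to close.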
According to another embodiment, in order to suffix network addresses in a dynamic webpage, the suffix proxy 140 is configured to analyze and modify code or scripts being loaded to a browser of the client device 130. For
`
`
`
`Case 1:23-cv-00758-GBW Document 12-1 Filed 09/01/23 Page 11 of 165 PageID #: 199
`
`US 10,324,702 B2
`
`5
`example, JavaScript can be modified by the suffix proxy 140
`to wrap any potential generation of network addresses that
`would directly access the cloud application 115. If direct
`access addresses are identified,
`the script and/or content
`generated by the script can be modified to rewrite the
`address to refer to the managed network proxy 120.
In an embodiment, the suffix proxy 140 is configured to provide a security sandbox which is a runtime component executed over the client device 130. Certain functions of the security sandbox can be performed in the suffix proxy. The security sandbox is labeled as a security sandbox 145. In an embodiment, the security sandbox 145 is configured to prevent access to the document object model (DOM) of a webpage. In particular, the security sandbox 145 prevents any access and modification to the DOM during run-time of the script. It should be noted that the operation of the security sandbox 145 to prevent access to the DOM does not require any installation of any software, such as plugins, add-ons, and the like in the client device 130 and/or the browser.

Typically, a browser on a client device 130 can execute a script (e.g., JavaScript) that would change the DOM of a webpage during run-time. As a result, it is possible for the client device's 130 browser to create or modify DOM elements with un-suffixed URLs. In order to prevent such action, the security sandbox 145, and hence the suffix proxy 140, are configured to restrict the access of any embedded or loaded script code to the DOM.

In an embodiment, the nature of the restriction can be such that changes to URLs in the DOM, by an original script executed in the webpage, are monitored by the security sandbox 145. The script code monitoring by the suffix proxy 140 can be invoked for read and write accesses to DOM elements. That is, writes of a URL into the DOM are suffixed with the predefined domain name, and reads of a URL from the DOM are un-suffixed. As a result, there can be separation between the URLs seen by “user” code (e.g., the web application's code) and the browser itself (the DOM, and the JavaScript representation of it). As a result, the original script code can be effectively maintained and controlled by the security sandbox 145 and any communication with the original server (around the proxy) is prevented. It should be noted that an original script is any script embedded in the webpage not dynamically loaded to the webpage.

In certain configurations, a script can be loaded to a webpage after the webpage is rendered on the browser. Such a script is downloaded from a server (originally configured to serve the page) using any of several forms, including inline scripts inside HTML pages and any code, script, or content files. Examples for such files include, for example, JavaScript, Cascading Style Sheets (CSS), and the like. Typically, the browser of a client device 130 first loads the main HTML page, and then subsequently loads all referenced and inline scripts. Additionally, scripts can also be loaded dynamically by the web application, using, for example, the ‘eval’ statement.

Because dynamic code loading is initially performed by the statically loaded code (or, once loaded, other dynamic code), the security sandbox 145 can take control of execution by modifying the static script code when the webpage is downloaded to the browser. The modifications to the code can be performed in such way that future dynamically loaded code will be modified during run-time and specific changes to the DOM can be intercepted in order to enforce suffixing of certain URLs. This allows the webpage to remain under the control of the suffix proxy 140.

6

In an embodiment, the suffix proxy 140 and the security sandbox 145 are configured to modify the dynamically loaded code. The loaded code is received at the suffix proxy 140 which is configured to analyze the code to determine all elements that potentially (explicitly or implicitly) contain, point, or otherwise refer to network addresses (URLs), and replace and/or wrap elements within code that enforces suffixing of the network addresses. The new script code is loaded at the client device's 130 browser. In some embodiments, caching of script codes can be employed to improve performance. The sandbox 145 during run-time resolves the wrappers in order to enforce suffix and un-suffix of network addresses. As noted above, enforcing suffix of network addresses includes suffixing writes of an address (e.g., a URL) into the DOM with a predefined domain name, and un-suffixing any reads of an address from the DOM.

As non-limiting examples, at least the following DOM elements and properties can be wrapped during the creation of the new script code:

Properties of HTML elements that contain URLs, such as “IFRAME”, “STYLE”, “LINK”, “IMG”, “AUDIO”, “A”, “FORM”, “BASE” and “SCRIPT”, with the properties: “src”, “href” and “action”. The getAttribute and setAttribute methods of these elements can also be used to set the aforementioned properties.

Properties of HTML elements that can contain a DOM sub-tree (i.e., more HTML). For such elements, the “appendChild” method can be used to add elements (and code) dynamically and the “innerHTML” property can be used to add extra code.

Properties of the “document” object may contain URLs or hostnames, such as “cookie” and “domain” (both can contain the origin domain of the window). The “write” method can be used to add elements and code to the page.

An “open” method of XMLHttpRequest objects contains a request URL. An “origin” property of “MessageEvent” objects contains the origin hostname. Methods and properties of the “Window” object contain “location”, “postMessage”, “eval”, and “execScript”. The “location” redirects the frame to another URL or determines the current location of the frame. The “postMessage” method has an origin argument. The “eval” and “execScript” properties are used to load code dynamically. Other such elements and properties exist, and any or all of them can be wrapped.
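The read/write separation that the security sandbox 145 enforces on the `src`, `href` and `action` properties, on `getAttribute`/`setAttribute`, and on the `open` method of `XMLHttpRequest`, as an added example in JavaScript (not the patent's or the assignee's code). Node has no DOM, so `makeElement` is an assumed stand-in that keeps attributes in a Map where a real element keeps them in the DOM, and the XHR object is likewise a constructed stand-in; the suffix domain and all function names are assumptions.

```javascript
// Added example, not code from the patent: the security sandbox's read/write
// separation for URL-bearing DOM properties, modelled on a simulated element.
const PROXY_SUFFIX = "network-proxy-service.com"; // assumed suffix domain
const ABSOLUTE_URL = /^(https?:\/\/)([^\/:?#]+)((?::\d+)?(?:[\/?#].*)?)$/i;

function suffixUrl(url) {
  const m = ABSOLUTE_URL.exec(url);
  if (!m || m[2].toLowerCase().endsWith("." + PROXY_SUFFIX)) return url;
  return m[1] + m[2] + "." + PROXY_SUFFIX + m[3];
}

function unsuffixUrl(url) {
  const m = ABSOLUTE_URL.exec(url);
  const tail = "." + PROXY_SUFFIX;
  if (!m || !m[2].toLowerCase().endsWith(tail)) return url;
  return m[1] + m[2].slice(0, -tail.length) + m[3];
}

// Stand-in for a DOM element (assumption: Node has no DOM). `attributes` plays
// the role of what the browser itself would use to fetch the resource.
function makeElement(tagName) {
  const attributes = new Map();
  return {
    tagName,
    attributes,
    setAttribute(name, value) { attributes.set(name, String(value)); },
    getAttribute(name) { return attributes.has(name) ? attributes.get(name) : null; },
  };
}

const URL_PROPERTIES = new Set(["src", "href", "action"]);

// Install the wrappers the patent describes: a write of a URL into the DOM is
// suffixed on the way in, a read of a URL from the DOM is un-suffixed on the
// way out, for both the property accessors and get/setAttribute.
function installUrlWrappers(element) {
  for (const prop of URL_PROPERTIES) {
    Object.defineProperty(element, prop, {
      configurable: true,
      enumerable: true,
      get() { return unsuffixUrl(element.attributes.get(prop) ?? ""); },
      set(value) { element.attributes.set(prop, suffixUrl(String(value))); },
    });
  }
  const rawSet = element.setAttribute.bind(element);
  const rawGet = element.getAttribute.bind(element);
  element.setAttribute = (name, value) => {
    const isUrl = URL_PROPERTIES.has(name.toLowerCase());
    rawSet(name, isUrl ? suffixUrl(String(value)) : value);
  };
  element.getAttribute = (name) => {
    const value = rawGet(name);
    return value !== null && URL_PROPERTIES.has(name.toLowerCase()) ? unsuffixUrl(value) : value;
  };
  return element;
}

// Wrap an XHR-like object's open() so the request URL is suffixed before the
// request is issued (the object passed in is a constructed stand-in for XMLHttpRequest).
function wrapXhrOpen(xhr) {
  const rawOpen = xhr.open.bind(xhr);
  xhr.open = (method, url, ...rest) => rawOpen(method, suffixUrl(String(url)), ...rest);
  return xhr;
}

// Scenario: application code writes raw cloud-application URLs and reads them back.
function runScenario() {
  const img = installUrlWrappers(makeElement("IMG"));
  img.src = "http://www.somesite.com/logo.png";
  const link = installUrlWrappers(makeElement("A"));
  link.setAttribute("href", "https://api.somesite.com/login");
  const xhr = wrapXhrOpen({ open(method, url) { this.method = method; this.url = url; } });
  xhr.open("GET", "http://www.somesite.com/api/items");
  return {
    domSrc: img.attributes.get("src"),    // what the browser would fetch
    userSrc: img.src,                     // what the application script sees
    domHref: link.attributes.get("href"),
    userHref: link.getAttribute("href"),
    xhrUrl: xhr.url,
  };
}

console.log(runScenario());
```

The two views returned by `runScenario` are the separation the paragraph describes: the application script never observes the suffix, while everything the browser would actually request carries it.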
In an embodiment, the wrapping of a DOM element, and thus the creation of a new code, is performed using static hooking of the code. In a non-limiting implementation, the static hooking includes: processing and extracting inline scripts in the HTML code of a webpage. Then, any script code is converted to a syntax tree, such as an Abstract Syntax Tree (AST). In an exemplary embodiment, the AST can be generated using the Mozilla® parser. The syntax tree is recursively traversed and calls to wrappers are inserted in certain nodes of the tree to allow for hooking. Finally, the new code is created from the modified nodes (with the inserted calls) and sent to the client device's 130 browser. In an embodiment, the newly created code can be cached for further usage.

It should be noted that the inserted wrappers can allow for DOM changes to be intercepted during run-time. The wrappers can be applied to cover any or all potential DOM accesses. As non-limiting examples, the wrappers can be applied (inserted) to some or all the following syntax tree (AST) nodes: ‘MemberExpression’, ‘Identifier’, ‘AssignmentExpression’, and ‘CallExpression’. For MemberExpression nodes any potential accesses to object properties of DOM objects, subscription op
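The static hooking pass over a syntax tree, as an added example in JavaScript (not the patent's or the assignee's code). A hand-built ESTree-shaped tree for the two statements `img.src = base + "/logo.png"; var current = img.src;` stands in for the parser output; `hook` recursively traverses it, rewriting an assignment to a URL-bearing property into a call to an assumed runtime setter `__sb_set` and any other access to such a property into a call to an assumed getter `__sb_get`; `gen` produces the new code from the modified nodes. The node shapes, the wrapper names and the small code generator are assumptions, and the runtime wrappers themselves are not part of this block.

```javascript
// Added example, not code from the patent: static hooking over a syntax tree.
// The tree is a hand-built ESTree-shaped AST standing in for parser output;
// __sb_set / __sb_get are assumed names of the runtime sandbox wrappers.
const URL_PROPERTIES = new Set(["src", "href", "action", "location", "cookie", "domain"]);

// AST for:  img.src = base + "/logo.png";  var current = img.src;   (constructed)
const SAMPLE_AST = {
  type: "Program",
  body: [
    {
      type: "ExpressionStatement",
      expression: {
        type: "AssignmentExpression",
        operator: "=",
        left: { type: "MemberExpression", computed: false,
                object: { type: "Identifier", name: "img" },
                property: { type: "Identifier", name: "src" } },
        right: { type: "BinaryExpression", operator: "+",
                 left: { type: "Identifier", name: "base" },
                 right: { type: "Literal", value: "/logo.png" } },
      },
    },
    {
      type: "VariableDeclaration",
      kind: "var",
      declarations: [{
        type: "VariableDeclarator",
        id: { type: "Identifier", name: "current" },
        init: { type: "MemberExpression", computed: false,
                object: { type: "Identifier", name: "img" },
                property: { type: "Identifier", name: "src" } },
      }],
    },
  ],
};

const ident = (name) => ({ type: "Identifier", name });
const literal = (value) => ({ type: "Literal", value });
const call = (fn, args) => ({ type: "CallExpression", callee: ident(fn), arguments: args });

// A non-computed member access to a property that may carry a URL.
function isUrlMember(node) {
  return Boolean(node) && node.type === "MemberExpression" && !node.computed &&
    node.property.type === "Identifier" && URL_PROPERTIES.has(node.property.name);
}

// Rebuild the tree bottom-up, turning `obj.src = v` into __sb_set(obj, "src", v)
// and any other `obj.src` into __sb_get(obj, "src"). Writes are matched before
// descending so their left-hand side is not rewritten as a read.
function hook(node) {
  if (node === null || typeof node !== "object") return node;
  if (Array.isArray(node)) return node.map(hook);
  if (node.type === "AssignmentExpression" && node.operator === "=" && isUrlMember(node.left)) {
    return call("__sb_set", [hook(node.left.object), literal(node.left.property.name), hook(node.right)]);
  }
  const out = {};
  for (const [key, value] of Object.entries(node)) out[key] = hook(value);
  return isUrlMember(out) ? call("__sb_get", [out.object, literal(out.property.name)]) : out;
}

// Minimal code generator for the node types used here.
function gen(node) {
  switch (node.type) {
    case "Program": return node.body.map(gen).join("\n");
    case "ExpressionStatement": return gen(node.expression) + ";";
    case "VariableDeclaration": return node.kind + " " + node.declarations.map(gen).join(", ") + ";";
    case "VariableDeclarator": return node.init ? gen(node.id) + " = " + gen(node.init) : gen(node.id);
    case "AssignmentExpression":
    case "BinaryExpression": return gen(node.left) + " " + node.operator + " " + gen(node.right);
    case "MemberExpression":
      return node.computed ? gen(node.object) + "[" + gen(node.property) + "]"
                           : gen(node.object) + "." + gen(node.property);
    case "CallExpression": return gen(node.callee) + "(" + node.arguments.map(gen).join(", ") + ")";
    case "Identifier": return node.name;
    case "Literal": return JSON.stringify(node.value);
    default: throw new Error("unsupported node type: " + node.type);
  }
}

function hookSample() {
  return gen(hook(SAMPLE_AST));
}

console.log(hookSample());
```

Because `hook` returns a fresh tree, the original AST is left intact, which is what allows the unmodified and the hooked code to be cached side by side as the paragraph suggests.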