This document summarizes ways that service workers can be abused to compromise websites. It discusses how, by uploading a malicious service worker and using an existing cross-site scripting (XSS) vulnerability, an attacker can modify responses, persist XSS attacks, conduct denial of service attacks, and conduct phishing. It also describes how data can be leaked from sandboxed domains if an XSS is present there. Potential mitigations discussed include enforcing service worker scope, real user monitoring, and monitoring service worker registration events.
6. Web Workers API
● “Web Workers are a simple means for web content to run scripts in background threads.” (from MDN)
● Most of the standard features are available
○ No direct DOM manipulation
○ The worker script must be same-origin with the page
13. The Scope
● Crucial concept of Service Workers.
● Determines which URLs the Service Worker (SW) controls: a page is handed to the SW only when its URL falls under the registered scope.
14. The Scope
● By default it is the directory in which the service worker JavaScript file resides (a worker at /uploads/sw.js gets the scope /uploads/).
● Can be easily narrowed (/profile/ instead of /)
● Can be widened above the script's directory only if the server sends the Service-Worker-Allowed response header with the SW script
15. Scope Gotcha’s #1
● If a second service worker is registered under the same scope, the most recently registered one replaces the first.
● If two service workers are registered on overlapping scopes, the one with the longest matching scope (the innermost) controls the page.
○ / vs /uploads when visiting /uploads/files: the /uploads worker wins
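The scope rules on the two slides above, written out as a small model of what the browser checks at register() time and which registration it picks for a page. This is an added example, not code from the talk; the hostnames and paths (bsides-photos.com, /uploads/evil.js, /sw.js) are made up for illustration.

```javascript
// Added example, not code from the talk: a small model of the scope rules the
// slides describe (default scope, Service-Worker-Allowed, longest-match and the
// encoded-slash check). All hostnames and paths are made up for illustration.

// Browsers reject scope and script paths that contain an encoded slash or
// backslash (the check added after the alf.nu "%2f" bug referenced in the deck).
function hasEncodedSlash(pathname) {
  return /%2f|%5c/i.test(pathname);
}

// Default scope: the directory the worker script lives in.
function defaultScope(scriptUrl) {
  const u = new URL(scriptUrl);
  return u.origin + u.pathname.slice(0, u.pathname.lastIndexOf('/') + 1);
}

// The scope passed to register(..., { scope }) is resolved against the script URL.
function resolveScope(scriptUrl, scope) {
  return scope ? new URL(scope, scriptUrl).href : defaultScope(scriptUrl);
}

// Widest scope the script may claim: its own directory, unless the server sent a
// Service-Worker-Allowed header on the script response (resolved the same way).
function maxScope(scriptUrl, serviceWorkerAllowed) {
  return serviceWorkerAllowed
    ? new URL(serviceWorkerAllowed, scriptUrl).href
    : defaultScope(scriptUrl);
}

// Would navigator.serviceWorker.register(scriptUrl, { scope }) from pageUrl succeed?
function canRegister(pageUrl, scriptUrl, scope, serviceWorkerAllowed) {
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl);
  if (page.origin !== script.origin) return false; // the worker must be same-origin
  if (hasEncodedSlash(script.pathname)) return false;
  const wanted = new URL(resolveScope(scriptUrl, scope));
  if (wanted.origin !== script.origin) return false;
  if (hasEncodedSlash(wanted.pathname)) return false;
  return wanted.href.startsWith(maxScope(scriptUrl, serviceWorkerAllowed));
}

// Registrations are keyed by scope, so a second register() on the same scope
// replaces the first one (gotcha #1, first half).
class Registry {
  constructor() {
    this.byScope = new Map();
  }

  register(pageUrl, scriptUrl, { scope, serviceWorkerAllowed } = {}) {
    if (!canRegister(pageUrl, scriptUrl, scope, serviceWorkerAllowed)) return null;
    const key = resolveScope(scriptUrl, scope);
    const reg = { scope: key, scriptUrl };
    this.byScope.set(key, reg);
    return reg;
  }

  // The registration whose scope is the longest prefix of the client URL wins
  // (gotcha #1, second half: /uploads/ beats / for /uploads/files).
  controllerFor(clientUrl) {
    let best = null;
    for (const reg of this.byScope.values()) {
      if (clientUrl.startsWith(reg.scope) && (!best || reg.scope.length > best.scope.length)) {
        best = reg;
      }
    }
    return best;
  }
}

// Usage: the application's own worker at the root, then the attacker's uploaded
// worker, which stays confined to /uploads/ because the upload endpoint does not
// send Service-Worker-Allowed.
const registry = new Registry();
registry.register('https://bsides-photos.com/', 'https://bsides-photos.com/sw.js');
registry.register('https://bsides-photos.com/profile/', 'https://bsides-photos.com/uploads/evil.js');
console.log(registry.controllerFor('https://bsides-photos.com/uploads/files').scriptUrl); // .../uploads/evil.js
console.log(registry.controllerFor('https://bsides-photos.com/profile/').scriptUrl);      // .../sw.js
console.log(registry.register('https://bsides-photos.com/profile/', 'https://bsides-photos.com/uploads/evil.js', { scope: '/' })); // null
```

The last call shows the caveat the deck comes back to later: an uploaded worker only ever controls pages at or below its own directory, so an upload path that is deep in the tree limits what the attacker can reach, while a Service-Worker-Allowed: / header on the upload endpoint hands them the whole origin.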
16. Scope Gotcha’s #2
● A service worker can load other scripts using the importScripts function
○ This is how we can load our malicious SW while keeping the original SW functional
● The service worker script itself has to be served from the same origin as the page that registers it
17. Installation
● Once the browser registers a SW, the install event fires.
● It also fires when the SW script is new or has changed.
18. Activation
● Once the installation was successful, the activate event fires.
● Already-open pages are not controlled by the new SW (they must be reloaded).
○ Can be overridden by calling the self.clients.claim function
19. Fetch
● Fires every time a controlled page requests a resource
● Gives control over what is being sent / received:
○ Headers
○ Status
○ Body
20. Where to find them?
● Developer tools
● chrome://serviceworker-internals
23. General Scenario Requirements
All of the following scenarios depend on the following:
● The website has a file upload functionality.
○ We can upload arbitrary JavaScript files there (and retrieve them).
● There’s an XSS vulnerability in the app.
○ We can inject JavaScript code in the context of the victim’s browser.
All of the scenarios abuse the fact that we can attach to the fetch event (of the service worker) to manipulate requested resources.
24. Response Modification
Upload: upload the malicious service worker to the website
Trigger: using our XSS we register the malicious service worker
PWN: attach to the fetch event; we can modify the response of requested resources.
26. XSS Persistency (Response Modification)
Upload: upload the malicious service worker to the website
Trigger: using our XSS we register the malicious service worker
PWN: re-inject our code and expand our scope
28. Denial of Service (Response Modification)
Upload: upload the malicious service worker to the website
Trigger: using our XSS we register the malicious service worker
PWN: deny every requested resource
30. Phishing / Defacement (Response Modification)
Upload: upload the malicious service worker to the website
Trigger: using our XSS we register the malicious service worker
PWN: serve alternate content.
33. What Are Sandbox Domains?
● Generally host various types of files
● Meant to isolate user-uploaded content from the main application
● Are different from the main application domain
● Files on the sandboxed domain are usually publicly available
34. What Are Sandbox Domains?
● The file names are heavily obfuscated / random (they do not resemble the file content or owner)
○ /super-random-and-unique-path-1337
● Many vendors tend to ignore XSS findings in those domains since no cookies are shared between the sandboxed domain and the main application domain, e.g.
○ google.com vs googleusercontent.com
○ facebook.com vs fbcdn.com
○ etc.
35. Data Leakage from Sandboxed Domains
Consider the following scenario:
● There’s a website called “bsides-photos.com” which handles sensitive information
● The uploaded sensitive data is stored in a sandboxed domain called “bsides-photos-sbx.com”
● There is an XSS in the sandboxed domain (boring, right?)
36. Data Leakage from Sandboxed Domains
(diagram: bsides-photos.com and bsides-photos-sbx.com)
43. Enhancing Self XSS
In this scenario we have:
● File upload functionality.
● A self XSS finding (low impact) on the /profile page.
○ An XSS that is triggered only on pages that are visible to us, the logged-in user.
● Login / logout CSRF
○ Login and logout functions are not protected by CSRF tokens.
○ An attacker can force the victim to log in or log out.
48. Caveats
Although this scenario looks promising, we are bound by the following restrictions:
● Service Worker scope - if the uploaded service worker resides deeper in the page tree than the page we want to inspect, we won’t have any effect on it.
○ Since the service worker won’t be activated there.
● MIME type - the uploaded file must be served with a JavaScript MIME type such as “application/javascript”, otherwise the browser refuses to register it.
50. Scope Enforcement
● Store uploaded files deeper in the tree, so their default scope covers nothing sensitive.
● In the sandboxed domain, pick a unique path hierarchy for every file
○ Timestamp / random-string dependent
● Refrain from using “/” as the scope (Service-Worker-Allowed response header)
○ Which allows global activation of the service worker
● Monitor requests carrying the “Service-Worker: script” request header (the browser appends it when it fetches a worker script on register).
Mitigations
51. RUM (Real User Monitoring)
● RUM (real user monitoring) is a passive monitoring technique that records all the user interaction with the web application.
● It can be used to measure your clients’ web experience.
● When we observe very poor performance on a specific client, one of the reasons could be DoS via a Service Worker.
52. Browser Events Monitoring
● Monitor the navigator.serviceWorker.register function for new, unauthorized registration events.
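Two of the monitoring mitigations above in code, as an added example that is not part of the deck: a client-side guard around navigator.serviceWorker.register that reports and refuses any registration not on the application's allowlist, and a server-side scan of access-log records for the Service-Worker: script request header that the browser sends when it fetches a worker script. The allowlist, the log record shape, the sample log lines (constructed) and the telemetry endpoint are all assumptions.

```javascript
// Added example, not from the deck: two monitoring hooks for the mitigations
// above. installRegisterGuard() wraps navigator.serviceWorker.register so that
// any registration whose script URL or scope is not on the application's
// allowlist is reported and refused; flagWorkerScriptFetches() is the
// server-side counterpart, scanning access-log records for the
// "Service-Worker: script" request header the browser adds when it fetches a
// worker script. The allowlist, log record shape and reporting endpoint are
// assumptions for the example.

// The application's own worker(s); anything else is unexpected (assumed).
const ALLOWED_WORKERS = [
  { scriptPath: '/sw.js', scope: '/' },
];

// Resolve the script URL and the scope the same way the browser does, then
// compare against the allowlist.
function isAuthorizedRegistration(scriptUrl, scope, allowlist, origin) {
  const script = new URL(scriptUrl, origin);
  const wanted = scope
    ? new URL(scope, script).href
    : script.href.slice(0, script.href.lastIndexOf('/') + 1); // default scope = script directory
  return allowlist.some((a) =>
    script.pathname === a.scriptPath && wanted === new URL(a.scope, origin).href);
}

// Wrap register() on a navigator-like object. report() receives one record per
// blocked attempt; the stack trace points at the injected code that called it.
function installRegisterGuard(nav, allowlist, origin, report) {
  const container = nav.serviceWorker;
  const original = container.register.bind(container);
  container.register = function guardedRegister(scriptUrl, options) {
    const scope = options && options.scope;
    if (!isAuthorizedRegistration(scriptUrl, scope, allowlist, origin)) {
      report({ scriptUrl: String(scriptUrl), scope: scope || null, stack: new Error().stack });
      return Promise.reject(new Error('service worker registration blocked: ' + scriptUrl));
    }
    return original(scriptUrl, options);
  };
  return container;
}

// Constructed access-log records (shape assumed). The third one is a browser
// fetching a user-uploaded file as a worker script, the thing to alert on.
const SAMPLE_LOG = [
  { ip: '203.0.113.5', method: 'GET', path: '/sw.js', headers: { 'service-worker': 'script' } },
  { ip: '203.0.113.5', method: 'GET', path: '/uploads/avatar.png', headers: {} },
  { ip: '198.51.100.7', method: 'GET', path: '/uploads/evil.js', headers: { 'service-worker': 'script' } },
  { ip: '198.51.100.7', method: 'GET', path: '/uploads/evil.js', headers: {} },
];

function flagWorkerScriptFetches(records, allowlist) {
  const known = new Set(allowlist.map((a) => a.scriptPath));
  return records.filter((r) =>
    String(r.headers['service-worker'] || '').toLowerCase() === 'script' && !known.has(r.path));
}

// In a page: install the guard as the very first script, before any
// user-controlled content can run (assumed telemetry endpoint).
if (typeof navigator !== 'undefined' && navigator.serviceWorker) {
  installRegisterGuard(navigator, ALLOWED_WORKERS, location.origin, (record) =>
    navigator.sendBeacon('/telemetry/sw-register', JSON.stringify(record)));
}

console.log(flagWorkerScriptFetches(SAMPLE_LOG, ALLOWED_WORKERS).map((r) => r.ip + ' ' + r.path)); // [ '198.51.100.7 /uploads/evil.js' ]
```

The client-side guard is telemetry, not a security boundary: injected code that runs before it, or that grabs a pristine register function from a freshly created same-origin iframe's contentWindow.navigator.serviceWorker, walks straight past it. The server-side signal is the one to rely on, since the Service-Worker: script header is set by the browser and a request carrying it for a user-upload path should never happen on a site that only registers its own worker.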
53. Past Work on SW
Prior Research
● Shadow Workers - https://github.com/shadow-workers/shadow-workers
● MarioNet attack - https://love2dev.com/pwa/marionet-attack/
Guides
● Service Worker 101 - https://developers.google.com/web/fundamentals/primers/service-workers/
● FAQ - https://dev.chromium.org/Home/chromium-security/security-faq/service-worker-security-faq
Vulnerabilities
● %2f Vuln - https://alf.nu/ServiceWorker
● CSRF - https://ahussam.me/Amazon-leaking-csrf-token-using-service-worker/
54. Key Takeaways
● Service workers can be useful for web applications
● They can also cause mayhem
● Sandboxed domains could be not that sandboxed
Six months ago, in a morning discussion, we brainstormed on how to take low/medium-severity attacks and combine them into a meaningful, high-impact attack. This is where this research was born.
We’re going to talk about:
How the SW API can enhance those low/medium attacks into a high-impact, feature-rich attack
Abuse scenarios
Mitigations
Browsers run JS
JS is single threaded
Every tab has a thread – the main thread
Under extreme load on the main thread we still want a responsive UI
So we delegate work to other threads
Web Workers API
Main:
// main.js: init a new worker from a same-origin script
let worker = new Worker('worker.js');
// handle messages coming back from the worker
worker.addEventListener('message', (e) => {
  console.log(e);
});
// post some data to the worker (worker.postMessage, not the window's own postMessage)
worker.postMessage({ name: 'BsidesLV' });
Worker:
// worker.js: handle the message event
addEventListener('message', (e) => {
  // print out the data
  console.log(e.data);
  // send it back to the main thread
  postMessage(e.data);
});
Web Workers are bound to a single page
They have to be created every time the page loads
Expensive load time
A Service Worker is a type of web worker (no DOM) that differs in a few ways:
It acts as a proxy
It has a scope
It has its own lifespan, independent of the page
Supported on most browsers
IE is still behind (like always)
Include a script tag inside the page
It tells the browser where the SW is
register returns a promise; when it resolves, the scope is logged
The browser only completes the registration if the SW is new/updated
It must be an actual file served by the origin (not in memory)
main.js:
// main.js

navigator.serviceWorker.register('/sw.js')
  .then((reg) => {
    console.log(`Registered! Scope: ${reg.scope}`)
  });
Default scope vs. explicit scope:
We set the scope to /profile/
The SW will control /profile/*
NOT anything higher in the tree
// main.js

navigator.serviceWorker.register('/sw.js', {
  scope: '/profile/'
});
Install: good for caching
// sw.js

self.addEventListener('install', (event) => {
  // handle installation
});
Activate: clean up stale data
// sw.js

self.addEventListener('activate', (event) => {
  // handle activation, like cleanup of old SW
});
Fetch: can also respond from the cache
// sw.js

self.addEventListener('fetch', (event) => {
  console.log(`URL: ${event.request.url}`);

  event.respondWith(
    fetch(event.request)
  );
});
Demo (XSS persistency):
Visit a page w/o XSS
Go to the vulnerable page w/ XSS
XSS triggered
SW installed
Back to the first page
YES XSS!
Demo (denial of service):
Go to a page w/ some data
No SW yet
Trigger XSS
Register SW
Go to the page again
No data: the SW responds 404 on that page
Demo (phishing):
Go to the login page
See that the login is successful
Trigger XSS
Install SW
Verify it is installed
Reload the page
Login again
Credentials are submitted to the malicious website
There’s a website X that holds sensitive photos
Those photos are not hosted directly on X but on Y (which is sandboxed)
First, we upload the SW to the website (trivial since it’s a sandbox for user content)
Then, we trigger the XSS on the victim
It installs the SW
Now, when the victim visits X and previews an image, the request is made under the Y domain
The service worker kicks in
URL leaked
Demo (sandboxed domain leak):
Go to the gallery
See images
Trigger XSS
Install SW
Back to the gallery
Show the leaked URLs
Upload: we upload the malicious SW to the sandboxed domain
Trigger: using the XSS we register the SW
Activate: on every page under the scope, the SW is activated
Leak: leak the image URL
First, we upload the SW to the website (trivial since it’s a sandbox)
The victim goes to our page
The page has an iframe
Logout (forced via the logout CSRF)
Login (with the attacker’s creds, via the login CSRF)
Redirect to the actual site, to the /profile page with the self XSS
Trigger XSS
Install SW
The victim logs in again as themselves
Demo (victim’s view):
Visiting the attacker domain
logout
login
redirect
Login as the victim (again)
PWN