PWA as a New Cyber Attack Vector

Progressive Web Apps are one of the hottest topics of the last few years: big companies have adopted them and they have become real competition for native applications. The main API for building a PWA is Service Workers. But have you thought about them as a possible browser vulnerability? Are they secure enough? Should users treat them with caution? These questions are very relevant now that almost all vendors have either shipped Service Workers support or have it in development.

Vitalii Bobrov

May 10, 2018

Transcript

  1. Slide 2: @bobrov1989 Vitalii Bobrov • tech experimenter • more than 5 years in front-end • open-source contributor • mentor • https://vitaliy-bobrov.github.io/
  2. Slide 4: “PWAs use modern web APIs along with progressive enhancement strategy to create cross-platform web apps… …provide several features that give them the same UX advantages as native apps.” – MDN, https://developer.mozilla.org/en-US/Apps/Progressive
  3. Slide 10: Possibilities • executed in separate thread • could intercept all app requests • access to cache storage • could live without browser
  4. Slide 12: Security Restrictions • requires HTTPS • served from same origin • executes in limited SW context • terminated after job completion
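The two slides above list what a Service Worker can do (intercept every request, use the cache) and what the browser restricts (HTTPS only, same origin, limited context). The block below is an added example written for this page, not code from the talk, showing how those restrictions look from a defender's side: a registration precondition that mirrors the secure-context rule, and a conservative fetch policy that serves from cache only same-origin GET requests under the worker's own scope, passing everything else straight to the network. The cache name and the URLs in the comments are constructed; `CacheStorage`, `fetch` and the `fetch` event are standard Service Worker APIs. Note that the browser does not limit a fetch handler to same-origin requests by itself (a worker sees every request made by the pages it controls), so the narrowing here is a deliberate policy choice.

```javascript
// Added example: a minimal, defensively scoped service worker fetch policy.
// Pure decision functions are kept separate from the event wiring so they can
// be tested outside a browser.

const CACHE_NAME = 'demo-cache-v1'; // constructed cache name

// Mirrors the "requires HTTPS" restriction: browsers only register service
// workers from a secure context (https, or localhost for development).
function canRegisterServiceWorker(locationHref) {
  const url = new URL(locationHref);
  return (
    url.protocol === 'https:' ||
    url.hostname === 'localhost' ||
    url.hostname === '127.0.0.1'
  );
}

// Policy: intercept and cache only same-origin GET requests whose path lies
// under the worker's registration scope. Everything else (cross-origin calls,
// POSTs, requests outside the scope) is left to the network untouched.
// The browser itself does not impose this on a fetch handler; it is our choice.
function shouldIntercept(requestUrl, requestMethod, scopeUrl) {
  const req = new URL(requestUrl);
  const scope = new URL(scopeUrl);
  if (requestMethod !== 'GET') return false;
  if (req.origin !== scope.origin) return false;
  return req.pathname.startsWith(scope.pathname);
}

// Cache-first strategy with network fallback. `caches` is the CacheStorage
// API available inside a service worker; only successful responses are stored.
async function cacheFirst(request) {
  const cache = await caches.open(CACHE_NAME);
  const hit = await cache.match(request);
  if (hit) return hit;
  const response = await fetch(request);
  if (response.ok) await cache.put(request, response.clone());
  return response;
}

// Wire up the handler only when actually running as a service worker
// (`self.registration` exists there); in Node this branch is skipped.
if (
  typeof self !== 'undefined' &&
  typeof self.addEventListener === 'function' &&
  self.registration
) {
  self.addEventListener('fetch', (event) => {
    const { request } = event;
    if (shouldIntercept(request.url, request.method, self.registration.scope)) {
      event.respondWith(cacheFirst(request));
    }
  });
}
```

The policy function is where the "could intercept all app requests" capability meets the defender's review: anything you do not explicitly allow falls through to the network, and a code reviewer can audit that one function instead of reading every branch of the handler.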

    JSONP for XSS • my-domain.com/jsonp?callback=myCallback • no XHR • <script>

    === Same Origin Policy doesn’t apply • myCallback in global scope
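The slide above is the core of the JSONP risk: the response is loaded via `<script>`, so the Same Origin Policy does not apply, and whatever the server puts before the opening parenthesis runs in the page's global scope. The block below is an added example, not code from the talk, showing the server-side half of that picture: the reflecting version that echoes the `callback` parameter verbatim, beside a hardened version that accepts only identifier-shaped callback names, escapes the two Unicode line terminators that are legal in JSON but not in JavaScript strings, and labels the response as JavaScript with `nosniff`. The function and header names are mine; the sample inputs are constructed.

```javascript
// Added example: a JSONP response builder, unsafe and hardened side by side.
// A JSONP endpoint returns `<callback>(<json>);` and the browser executes it
// as a script, so the callback parameter must never be trusted verbatim.

// Acceptable callback names: a JS identifier, optionally dotted (e.g. a
// namespaced handler such as app.handlers.onData). Nothing else.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isValidCallbackName(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_NAME.test(name);
}

// Vulnerable version: reflects the caller-supplied parameter into the script
// body unchanged. Any non-identifier text becomes code in the embedding page.
function jsonpResponseUnsafe(callback, data) {
  return `${callback}(${JSON.stringify(data)});`;
}

// Hardened version: reject invalid names up front, neutralise U+2028/U+2029
// (JSON.stringify leaves them raw, and they terminate a JS line), and set
// headers so the body is only ever interpreted as JavaScript.
function jsonpResponseSafe(callback, data) {
  if (!isValidCallbackName(callback)) {
    return {
      status: 400,
      headers: { 'Content-Type': 'text/plain; charset=utf-8' },
      body: 'invalid callback',
    };
  }
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `${callback}(${json});`,
  };
}

// Constructed sample inputs, for illustration.
const SAMPLE_DATA = { ok: true, msg: 'a\u2028b' };
const GOOD_CALLBACK = 'myCallback';
const BAD_CALLBACK = 'cb(1);'; // not an identifier: the unsafe builder reflects it as code
```

Logging rejected callback names at the endpoint is also a cheap detection signal: a legitimate client library only ever sends identifiers, so anything that fails the regex is either a broken integration or someone probing the endpoint.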