Upgrade to Pro — share decks privately, control downloads, hide ads and more …

PWA as a New Cyber Attack Vector

Vitalii Bobrov
May 10, 2018
Programming
1
470

PWA as a New Cyber Attack Vector

Progressive Web Apps - one of the hottest topics of last years. It is populated by big companies and become competition for native applications. The main API for PWA creation is Service Workers. But have you thought about it as a possible browsers vulnerability? Is it secure enough? Should users use it carefully? All those questions are very actual in times when almost all vendors have implemented or put in development Service Workers support.

Vitalii Bobrov

May 10, 2018
Tweet

More Decks by Vitalii Bobrov

See All by Vitalii Bobrov
Listen to UI: Making Apps Accessible
bobrov1989
0
31
The Future of Audio Processing in the Web
bobrov1989
0
110
Job Behind the Scene: Web Worker
bobrov1989
0
74
Running in Parallel: WebAssembly, Web Workers and Worklets
bobrov1989
0
190
Algorithms and Their Habitat
bobrov1989
0
150
WebAssembly-driven CSS
bobrov1989
2
160
Angular State Management with NgRx Workshop
bobrov1989
0
100
The Man who Sold the Amp: How to Process Music with JS
bobrov1989
1
270
No Apollogies: Making Apps Accessible
bobrov1989
1
200

Other Decks in Programming

See All in Programming
pixivアプリでマルチモジュールを実現するまで
gatosyocora
1
130
品質とスピードを両立: TypeScriptの柔軟な型システムをバックエンドで活用する
kosui
8
2.2k
今の SmartHR にエンジニアで入社するとどうなるの?
daisukeshinoku
5
4.6k
スクラムチームと認知負荷 - ニフティのスクラムトーク Vol2. / NIFTY Tech Talk #18
niftycorp
PRO
1
120
両面どころかインフラもTSでできるよ ~ 全方位TypeScriptによるプロダクト開発 ~
myfinder
9
3.2k
try! Swift Tokyo 2024 参加報告 / try! Swift Tokyo 2024 Report
hironytic
0
170
CircleCIを活用して AWSへの継続的デリバリーを 実践する
coconala_engineer
1
230
From Spring Boot 2 to Spring Boot 3 with Java 22 and Jakarta EE
ivargrimstad
0
870
せっかくモデル図描くのなら、 嬉しいことが多い方がいいよね!
kuboaki
1
3.1k
Folding Cheat Sheet #3
philipschwarz
PRO
0
110
Folding Cheat Sheet #2
philipschwarz
PRO
0
110
ログラスを支える設計標準について / loglass-design-standards
urmot
10
2.1k

Featured

See All Featured
Gamification - CAS2011
davidbonilla
76
4.6k
WebSockets: Embracing the real-time Web
robhawkes
59
7k
Large-scale JavaScript Application Architecture
addyosmani
503
110k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
16
6.3k
A better future with KSS
kneath
230
16k
Bootstrapping a Software Product
garrettdimon
PRO
301
110k
[RailsConf 2023] Rails as a piece of cake
palkan
22
3.9k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.4k
The Cult of Friendly URLs
andyhume
73
5.7k
Code Review Best Practice
trishagee
54
15k
Fontdeck: Realign not Redesign
paulrobertlloyd
75
4.9k
Mobile First: as difficult as doing things right
swwweet
216
8.6k

Transcript

  1. PWA as a New Cyber Attack Vector

  2. @bobrov1989 Vitalii Bobrov • tech experimentator • more than 5

    years in front-end • open-source contributor • mentor https:/ /vitaliy-bobrov.github.io/

  3. What are you, PWA?

  4. –MDN “PWA use modern web APIs along with progressive enhancement

    strategy to create cross-platform web apps… …provide several features that give them the same UX advantages as native apps. ” https:/ /developer.mozilla.org/en-US/Apps/Progressive

  5. Features • offline capabilities • notifications • background sync •

    real app experience

  6. Service Worker The ❤ and of PWA

  7. What are you, Service Worker?

  8. Service Worker is an event-driven worker playing as a proxy

    middleware Browser SW Network

  9. Availability ?

  10. Possibilities • executed in separate thread • could intercept all

    app requests • access to cache storage • could live without browser

  11. Responsibility Use the FORCE in the RIGHT way

  12. Security Restrictions • requires HTTPS • served from same origin

    • executes in limited SW context • terminated after job completion

  13. SW lifecycle No Service Worker Install Active Error Idle Terminated

    Fetch / Message

  14. Installation Hidden UX

  15. None
  16. None

  17. chrome:/ /inspect/#service-workers

  18. chrome:/ /serviceworker-internals/

  19. Unregister

  20. Unregister

  21. Register by link XSS + JSONP + Service Worker

  22. JSONP for XSS • my-domain.com/jsonp?callback=myCallback • no XHR • <script>

    === Same Origin Policy doesn’t apply • myCallback in global scope

  23. Service Worker makes XSS attack persistent https:/ /c0nradsc0rner.wordpress.com/2016/06/17/xss-persistence-using-jsonp-and-serviceworkers/ https:/ /www.owasp.org/images/3/35/2017-04-20-JSONPXSS.pdf

  24. Example

  25. Decoded & Formatted

  26. HTTP Interceptor ALL Requests Controlled by

  27. https:/ /jakearchibald.github.io/isserviceworkerready/demos/fetchevent/

  28. https:/ /jakearchibald.github.io/isserviceworkerready/demos/fetchevent/

  29. https:/ /jakearchibald.github.io/isserviceworkerready/demos/fetchevent/

  30. Service Worker could kill browser extensions

  31. None

  32. Modify uploads & downloads

  33. None

  34. Use Web Assembly to perform modifications ⚡ fast

  35. https:/ /medium.com/@kennethrohde/on-the-fly-webp-decoding-using-wasm-and-a-service-worker-33e519d8c21e

  36. Use Resources perform computing on remote machine

  37. http:/ /hub.kotofabrika.com/

  38. https:/ /coinhive.com/

  39. None

  40. https:/ /github.com/cazala/coin-hive

  41. Allows to compute without browser

  42. “Wakeup” APIs • SyncManager • PushManager • postMessage

  43. None

  44. Thank you! @bobrov1989 https:/ /vitaliy-bobrov.github.io/