
PWA as a New Cyber Attack Vector

Progressive Web Apps are one of the hottest topics of recent years: big companies have adopted them, and they now compete with native applications. The main API behind PWAs is Service Workers. But have you thought about them as a possible browser vulnerability? Are they secure enough? Should users treat them with care? These questions are very topical now that almost all browser vendors have shipped Service Worker support or have it in development.

Vitalii Bobrov

May 10, 2018


  1. PWA as a New Cyber Attack Vector

  2. @bobrov1989 Vitalii Bobrov • tech experimenter • more than 5 years in front-end • open-source contributor • mentor https://vitaliy-bobrov.github.io/
  3. What are you, PWA?

  4. – MDN: “PWA use modern web APIs along with progressive enhancement strategy to create cross-platform web apps… …provide several features that give them the same UX advantages as native apps.” https://developer.mozilla.org/en-US/Apps/Progressive
  5. Features • offline capabilities • notifications • background sync • real app experience
  6. Service Worker The ❤ and of PWA

  7. What are you, Service Worker?

  8. Service Worker is an event-driven worker that acts as proxy middleware between the page and the network (Browser ↔ SW ↔ Network)
  9. Availability?

  10. Possibilities • executed in a separate thread • can intercept all requests made by the app • has access to Cache Storage • can run without an open page (woken by events)
  11. Responsibility Use the FORCE in the RIGHT way

  12. Security Restrictions • requires HTTPS (localhost excepted) • the worker script must be served from the same origin • executes in a limited SW context (no DOM access) • terminated when idle
  13. SW lifecycle: No Service Worker → Install → Active ⇄ Idle → Terminated (Error on failure); Fetch / Message events wake an idle worker
  14. Installation: hidden UX (the user sees nothing when a worker is registered)

  17. chrome://inspect/#service-workers

  18. chrome://serviceworker-internals/

  19. Unregister

  21. Register by link: XSS + JSONP + Service Worker

  22. JSONP for XSS • my-domain.com/jsonp?callback=myCallback • no XHR • loaded via <script>, so the Same-Origin Policy does not apply • myCallback is called in the global scope

  23. Service Worker makes the XSS attack persistent: the injected script registers a worker whose body is served by the same-origin JSONP endpoint, and that worker survives page reloads https://c0nradsc0rner.wordpress.com/2016/06/17/xss-persistence-using-jsonp-and-serviceworkers/ https://www.owasp.org/images/3/35/2017-04-20-JSONPXSS.pdf

  24. Example

  25. Decoded & Formatted
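The registration gadget behind slides 21 to 25, written out as an added example rather than the deck's own code or the linked write-ups. The endpoint path, callback name and payload are hypothetical; the point is the server-side check that denies the attacker a same-origin script URL:

```javascript
// Added example, not code from the deck or the linked write-ups: why a JSONP
// endpoint turns a reflected XSS into a persistent Service Worker, and the
// server-side check that closes it. Endpoint paths and names are hypothetical.
//
// register() only accepts a script URL on the page's own origin, so an XSS
// cannot point it at an attacker host. A JSONP endpoint that reflects the
// `callback` parameter verbatim is a same-origin URL whose body the attacker
// controls, which is all register() needs.

// What the injected script would pass as the callback name, i.e. the SW body:
//   navigator.serviceWorker.register('/jsonp?callback=' + encodeURIComponent(ATTACKER_CALLBACK))
// The trailing // comments out the "(...)" the endpoint appends.
const ATTACKER_CALLBACK =
  "self.addEventListener('fetch',e=>e.respondWith(new Response('pwned')));//";

// Vulnerable endpoint: reflects the callback verbatim and serves it as JavaScript.
function jsonpVulnerable(callback, data) {
  return {
    status: 200,
    headers: { 'Content-Type': 'application/javascript' },
    body: `${callback}(${JSON.stringify(data)});`,
  };
}

// Allow only a plain (optionally dotted) JS identifier of bounded length.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
function isSafeCallback(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

// Hardened endpoint: rejects anything that is not an identifier, and adds
// nosniff so the body is never content-sniffed into something else.
function jsonpHardened(callback, data) {
  if (!isSafeCallback(callback)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback' };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `/**/${callback}(${JSON.stringify(data)});`,
  };
}

// Rough model of the browser's acceptance check for a worker script:
// a 2xx response with a JavaScript MIME type. Anything else makes
// register() reject, which is why the 400 above is enough on its own.
const JS_MIME_TYPES = new Set([
  'text/javascript', 'application/javascript', 'application/x-javascript',
  'text/ecmascript', 'application/ecmascript',
]);
function wouldLoadAsServiceWorker(res) {
  const mime = String(res.headers['Content-Type'] || '').split(';')[0].trim().toLowerCase();
  return res.status >= 200 && res.status < 300 && JS_MIME_TYPES.has(mime);
}
```

The vulnerable endpoint answers the attacker's request with `self.addEventListener('fetch', …);//({"ok":true});`, a valid worker script. Two caveats belong with the check: a worker's default scope is the directory of its script URL, so a JSONP endpoint at `/jsonp` can control the whole origin while one under a deep path controls only that subtree; and the `/**/` prefix is a conventional guard against the response being reinterpreted as another format, not a substitute for validating the name.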

  26. HTTP Interceptor: ALL requests controlled by the Service Worker

  27. https://jakearchibald.github.io/isserviceworkerready/demos/fetchevent/

  30. A Service Worker can interfere with browser extensions: responses it serves never go through the network request an extension would act on

  32. Modify uploads & downloads
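The interception capability of slides 26 to 32, written out as an added example rather than the deck's own code or the linked fetchevent demo. The paths and hosts are hypothetical; the transform functions run anywhere, while the event wiring only runs inside a worker:

```javascript
// Added example, not code from the deck: a Service Worker acting as the proxy
// middleware the slides describe, rewriting traffic in both directions.
// Paths and hosts are hypothetical. The transform functions are plain
// JavaScript so they can be exercised outside a browser; the event wiring at
// the bottom only runs inside a ServiceWorkerGlobalScope.

// Hypothetical: only requests under these paths are intercepted.
const INTERCEPT_PATHS = ['/api/upload', '/downloads/'];

function shouldIntercept(url) {
  const { pathname } = new URL(url, 'https://example.test');
  return INTERCEPT_PATHS.some((p) => pathname.startsWith(p));
}

// "Download" side: the page receives whatever the worker hands back.
// Here a CDN host is swapped for a mirror; a malicious worker would alter
// the downloaded file itself in the same place.
function rewriteDownload(text) {
  return text.replace(/https:\/\/cdn\.example\.test\//g, 'https://mirror.example.test/');
}

// "Upload" side: the server receives the body the worker forwards, not the
// one the page sent. Here an extra form field is appended to a
// form-encoded body.
function rewriteUpload(formBody) {
  const params = new URLSearchParams(formBody);
  params.set('injected', '1');
  return params.toString();
}

// Copy response headers minus the ones that no longer describe the new body
// (the worker decoded the body and hands back a fresh one).
function headersForRewrittenBody(headers) {
  const out = new Headers(headers);
  out.delete('content-length');
  out.delete('content-encoding');
  return out;
}

// Worker glue: only present in a real Service Worker context.
if (typeof ServiceWorkerGlobalScope !== 'undefined' && self instanceof ServiceWorkerGlobalScope) {
  self.addEventListener('install', () => self.skipWaiting());
  self.addEventListener('activate', (event) => event.waitUntil(self.clients.claim()));

  self.addEventListener('fetch', (event) => {
    const req = event.request;
    if (!shouldIntercept(req.url)) return; // fall through to the network untouched

    event.respondWith((async () => {
      let outgoing = req;
      if (req.method === 'POST') {
        const body = rewriteUpload(await req.clone().text());
        outgoing = new Request(req.url, { method: 'POST', headers: req.headers, body });
      }
      const res = await fetch(outgoing);
      const text = rewriteDownload(await res.text());
      return new Response(text, {
        status: res.status,
        statusText: res.statusText,
        headers: headersForRewrittenBody(res.headers),
      });
    })());
  });
}
```

Nothing in the page tells the user that the response it rendered, or the form it posted, passed through this handler; chrome://inspect/#service-workers and chrome://serviceworker-internals/ are the only places where the worker shows up.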

  34. Use WebAssembly to perform the modifications ⚡ fast

  35. https://medium.com/@kennethrohde/on-the-fly-webp-decoding-using-wasm-and-a-service-worker-33e519d8c21e

  36. Use resources: perform computing on the remote (user's) machine

  37. http://hub.kotofabrika.com/

  38. https://coinhive.com/

  40. https://github.com/cazala/coin-hive

  41. Allows computing to continue without an open browser tab

  42. “Wakeup” APIs: SyncManager • PushManager • postMessage

  44. Thank you! @bobrov1989 https://vitaliy-bobrov.github.io/