Categorizing Service Worker Attacks and Mitigations

by   Karthika Subramani, et al.

Service Workers (SWs) are a powerful feature at the core of Progressive Web Apps, namely web applications that can continue to function when the user's device is offline and that have access to device sensors and capabilities previously accessible only by native applications. During the past few years, researchers have found a number of ways in which SWs may be abused to achieve different malicious purposes. For instance, SWs may be abused to build a web-based botnet, launch DDoS attacks, or perform cryptomining; they may be hijacked to create persistent cross-site scripting (XSS) attacks; they may be leveraged in the context of side-channel attacks to compromise users' privacy; or they may be abused for phishing or social engineering attacks using web push notifications-based malvertising. In this paper, we reproduce and analyze known attack vectors related to SWs and explore new abuse paths that have not previously been considered. We systematize the attacks into different categories, and then analyze whether, how, and estimate when these attacks have been published and mitigated by different browser vendors. Then, we discuss a number of open SW security problems that are currently unmitigated, and propose SW behavior monitoring approaches and new browser policies that we believe should be implemented by browsers to further improve SW security. Furthermore, we implement a proof-of-concept version of several policies in the Chromium code base, and also measure the behavior of SWs used by highly popular web applications with respect to these new policies. Our measurements show that it should be feasible to implement and enforce stricter SW security policies without a significant impact on most legitimate production SWs.


page 1

page 2

page 3

page 4


Cross-Origin State Inference (COSI) Attacks: Leaking Web Site States through XS-Leaks

In a Cross-Origin State Inference (COSI) attack, an attacker convinces a...

BlackWatch: Increasing Attack Awareness Within Web Applications

Web applications are relied upon by many for the services they provide. ...

Exploiting ML algorithms for Efficient Detection and Prevention of JavaScript-XSS Attacks in Android Based Hybrid Applications

The development and analysis of mobile applications in term of security ...

Be Daring to Push your Ads Forward: Measuring the (Over)use of Service Workers for Advertising Purposes

Rich offline experience, periodic background sync, push notification fun...

CorbFuzz: Checking Browser Security Policies with Fuzzing

Browsers use security policies to block malicious behaviors. Cross-Origi...

Information Leaks via Safari's Intelligent Tracking Prevention

Intelligent Tracking Prevention (ITP) is a privacy mechanism implemented...

Tricking LLMs into Disobedience: Understanding, Analyzing, and Preventing Jailbreaks

Recent explorations with commercial Large Language Models (LLMs) have sh...

Please sign up or login with your details

Forgot password? Click here to reset