Talks and Poster Presentations (with Proceedings-Entry):
M. Squarcina, S. Calzavara, M. Maffei:
"The Remote on the Local: Exacerbating Web Attacks Via Service Workers Caches";
Talk: 15th IEEE Workshop on Offensive Technologies,
San Francisco, CA, USA;
2021-05-27; in: "IEEE Security and Privacy Workshops".
Abstract: Service workers boost the user experience of modern web applications by taking advantage of the Cache API to improve responsiveness and support offline usage. In this paper, we present the first security analysis of the threats posed by this programming practice, identifying an attack with major security implications. In particular, we show how a traditional XSS attack can abuse the Cache API to escalate into a person-in-the-middle attack against cached content, thus compromising its confidentiality and integrity. Remarkably, this attack enables new threats which are beyond the scope of traditional XSS. After defining the attack, we study its prevalence in the wild, finding that the large majority of the sites which register service workers using the Cache API are vulnerable as long as a single webpage in the same origin as the service worker is affected by an XSS. Finally, we propose a browser-side countermeasure against this attack, and we analyze its effectiveness and practicality in terms of security benefits and backward compatibility with existing web applications.
Keywords: web, security, novel attack, large-scale study, service worker
Created from the Publication Database of the Vienna University of Technology.