Authors: Yeomin Jeong, Woonghee Lee, Junbeom Hur
DOI: 10.1145/3579856.3590342 (https://doi.org/10.1145/3579856.3590342)
Venue: Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security
Publication date: 2023-07-10
Record source: Semantic Scholar
Citation count: 0
A Honey postMessage, but a Heart of Gall: Exploiting Push Service in Service Workers Via postMessage
Abstract

A progressive web app (PWA) is a kind of web app designed to enhance users' browsing experience by combining the reachability of a web app with the diverse functionality of a native app. PWA sites have a special JavaScript file, the service worker, which is executed in a different thread from the browser's main page. It can therefore support unique functionality such as offline usage and push service, even after the browser is closed. Because of these features, the service worker has been a main target of many web attacks, such as DDoS attacks, or has been abused to generate illegal sites such as darknet sites. However, previous attacks exploiting the push service have limitations in that they need the pre-installation of a malicious service worker, or can only passively utilize the existing push notifications from the legitimate site (e.g., hijacking the push notification to track users' location). In this study, we propose a novel crafted postMessage attack (CPA) using the postMessage() method, which leverages the benign service worker's push service by exploiting a cross-site scripting (XSS) vulnerability. Unlike the previous attacks, CPA attackers can actively craft push notifications to imitate the legitimate site or entice victims with a honeyed message. Besides, CPA attackers can sniff users' personal interests (e.g., subscription states as well as browsing histories), and even unsubscribe them to block receipt of push notifications from the legitimate site. To assess the real-world prevalence of the vulnerability causing CPA, we conduct a measurement study on popular PWA sites based on the Tranco list, collecting a total of 9,005 PWA sites using a service worker from the top 200k sites. As a result, we found that 376 of them are still vulnerable to XSS attack, and 16 of those 376 sites are vulnerable to our attack. We estimated the number of potential victims of CPA, and it turned out that up to 6.5 M users per month are susceptible to our attack. Based on our findings, we discuss the root cause of the vulnerabilities and practical mitigations of our attack.
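The attack path the abstract describes, as an added illustrative model that is not code from the paper: a service worker whose "message" handler lets page script show notifications, read the push subscription and unsubscribe, driven by the kind of crafted postMessage() an XSS payload would send, placed beside a hardened handler. Service-worker globals do not exist in Node.js, so the registration and the message event are replaced with small stand-ins; the message type names (`notify`, `status`, `unsubscribe`), the fake push endpoint and the hostnames `pwa.example`, `push.example` and `attacker.example` are assumptions made for this example. The hardened handler shows one mitigation chosen for the example (page messages may not carry notification content or change the subscription), not necessarily the mitigation the paper proposes.

```javascript
// Added example, not from the paper: Node-runnable model of the postMessage()
// path into a service worker. Names, hostnames and stand-in objects are assumptions.

// Stand-in for ServiceWorkerRegistration with only the capabilities the attack
// abuses: showing notifications and reading/removing the push subscription.
function makeFakeRegistration(subscribed = true) {
  const reg = { shown: [], subscription: null };
  if (subscribed) {
    reg.subscription = {
      endpoint: 'https://push.example/sub/abc123', // constructed endpoint
      unsubscribe: async () => { reg.subscription = null; return true; },
    };
  }
  reg.showNotification = async (title, options = {}) => { reg.shown.push({ title, ...options }); };
  reg.pushManager = { getSubscription: async () => reg.subscription };
  return reg;
}

// Stand-in for ExtendableMessageEvent: the data the page posted plus a
// `source` the worker can answer on. Replies are collected for inspection.
function makeMessageEvent(data) {
  const replies = [];
  return { data, origin: 'https://pwa.example', source: { postMessage: (m) => replies.push(m) }, replies };
}

// VULNERABLE: any page script can drive the worker's push features over
// postMessage(). Under same-origin XSS the injected script is "any page script".
async function vulnerableOnMessage(event, registration) {
  const msg = event.data || {};
  switch (msg.type) {
    case 'notify': // attacker-chosen title, body and link shown under the site's name
      await registration.showNotification(msg.title, { body: msg.body, data: { url: msg.url } });
      return 'notified';
    case 'status': { // leaks subscription state and the push endpoint back to the page
      const sub = await registration.pushManager.getSubscription();
      event.source.postMessage({ subscribed: sub !== null, endpoint: sub ? sub.endpoint : null });
      return 'status';
    }
    case 'unsubscribe': { // cuts the victim off from the legitimate site's pushes
      const sub = await registration.pushManager.getSubscription();
      if (sub) await sub.unsubscribe();
      return 'unsubscribed';
    }
    default:
      return 'ignored';
  }
}

// HARDENED (one mitigation, chosen for this example): notification content and
// subscription changes never come from page messages. Only the push event, whose
// payload originates from the site's own application server, shows a notification.
async function hardenedOnMessage(event, registration) {
  const msg = event.data || {};
  if (msg.type === 'status') {
    const sub = await registration.pushManager.getSubscription();
    event.source.postMessage({ subscribed: sub !== null }); // boolean only, no endpoint
    return 'status';
  }
  return 'ignored'; // 'notify' and 'unsubscribe' over postMessage() are not honoured
}

// Legitimate path: the push payload arrives from the application server.
async function onPush(event, registration) {
  const payload = event.data.json();
  await registration.showNotification(payload.title, { body: payload.body });
  return 'notified';
}

// The crafted message an XSS payload would send with
// navigator.serviceWorker.controller.postMessage(...) (constructed sample).
const CRAFTED_MESSAGE = {
  type: 'notify',
  title: 'Account security alert',
  body: 'Your session expired. Tap to sign in again.',
  url: 'https://attacker.example/phish',
};

// Drive one handler through the three abuses and report what the victim sees.
async function demo(handler) {
  const reg = makeFakeRegistration(true);
  const outcomes = [];
  outcomes.push(await handler(makeMessageEvent(CRAFTED_MESSAGE), reg));
  const statusEvt = makeMessageEvent({ type: 'status' });
  outcomes.push(await handler(statusEvt, reg));
  outcomes.push(await handler(makeMessageEvent({ type: 'unsubscribe' }), reg));
  return {
    outcomes,
    shown: reg.shown,
    stillSubscribed: reg.subscription !== null,
    statusReply: statusEvt.replies[0],
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo(vulnerableOnMessage).then((r) => console.log('vulnerable:', JSON.stringify(r)));
  demo(hardenedOnMessage).then((r) => console.log('hardened:', JSON.stringify(r)));
}
```

Run it with `node`. Note that an origin check on the message event (`event.origin`) would not help here: the injected script executes in the PWA's own origin and is indistinguishable from the site's legitimate page script, which is why the hardened handler refuses to let page messages carry notification content or touch the subscription at all rather than trying to tell callers apart.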