Annual Computer Security Applications Conference (ACSAC) 2020

Full Program »

Security Study of Service Worker Cross-Site Scripting

Nowadays, modern websites are utilizing service workers to provide users with app-like functionalities such as offline mode and push notifications. To handle such features, the service worker is equipped with special privileges including HTTP traffic manipulation. Thus, it is designed with security as a priority. However, we find that many websites introduce a questionable practice that can jeopardize the security of a service worker.

In this work, we demonstrate how this practice can result in a cross-site scripting (XSS) attack inside a service worker, allowing an attacker to obtain and leverage service worker's privileges. Due to the uniqueness of these privileges, such attacks can lead to more severe consequences compared to a typical XSS attack. We term this type of vulnerability as Service Worker based Cross-Site Scripting (SW-XSS). To assess the real-world security impact, we develop a tool called SW-Scanner and use it to analyze top websites in the wild. Our findings reveal a worrisome trend. In total, we find 40 websites vulnerable to this attack including several popular and high ranking websites. Finally, we discuss potential defense solutions to mitigate the SW-XSS vulnerability.

Phakpoom Chinprutthiwong
Texas A&M University

Raj Vardhan
Texas A&M University

GuangLiang Yang
Texas A&M University

Guofei Gu
Texas A&M University

Paper (ACM DL)




Powered by OpenConf®
Copyright©2002-2021 Zakon Group LLC