New tool easily backdoors vulnerable websites

Red teamers looking for creative ways to put ‘pseudo’ backdoors into browsers should turn their attention to service workers, following the release of a new exploitation kit at Black Hat USA.

The tool, appropriately called ‘Shadow Workers’, manipulates the various features within service workers in order to effectively control a victim’s browser.

Service workers are browser scripts that run in the background and add functionality to web applications and pages without the need for user interaction.

The technology is largely used to support offline functionality, such as caching data from your email or favorite news source, and to push out notifications.

“Service workers themselves do not pose any security risks,” said researcher Claudio Contin, who released the exploitation kit alongside Emmanuel Law on today’s Black Hat Arsenal track.

“It becomes a security risk when an attacker is able to register a malicious service worker through the domain,” he said.

An exploit tool is necessary because service workers normally come with a substantial set of security protections, including adherence to the same-origin policy, so that service workers cannot be installed across domains. Service workers are also restricted to running only on sites served over HTTPS.

“To install a service worker on a vulnerable website you kind of need the ability to run JavaScript, or rather the ability to have an XSS payload running,” Law explained.

“The second point is the ability to upload a JavaScript file on the web server, or at least make it seem like the JavaScript file is being served from the web server.”

Contin and Law’s tool assists with producing malicious service workers in various ways, depending on which feature of the script is being abused.

“One of the capabilities is to try to create a service worker that acts as if it is like a man-in-the-middle (MITM) proxy within a victim’s browser,” Law said.

“So, as if it’s like a backdoor in the browser itself, and we can start to use this service worker and tunnel our traffic through and browse as if we were authenticated as the victim.”

Extending a service worker’s lifespan, which is typically around three minutes, is another way to manipulate the script’s functionality and give an attacker access to a victim’s browser.

“By accepting notifications from a malicious service worker, an attacker would actually be able to trigger the service worker on demand,” Contin said.

“That’s done by push notifications: if the attacker triggers a push notification, the service worker stays alive for a couple of minutes each push.”

Contin and Law were able to extend a service worker’s lifespan to almost 30 minutes, they said.

“Essentially the tool that we are releasing provides a framework, or lays down the foundation of extending service worker lifespan, providing push notification capability to wake it up on demand, that other people can build upon,” Law said.

Contin and Law have also released a companion tool that allows users to control the installation of service workers on their device. The extension is available for both Chrome and Firefox.
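As an added illustration of the defensive side (this is not Shadow Workers or the researchers’ extension, and the origin, allowlist, upload prefix and sample registrations are constructed assumptions): a small script that audits an origin’s registered service workers against an allowlist and unregisters any that look out of place, such as a worker script served from a user-upload path.

```javascript
// Policy for one origin (constructed assumptions for this example): which
// worker scripts are expected, and which path prefix holds user uploads. A
// worker script under the upload path is a red flag, since registration
// only needs same-origin JavaScript, as the article points out.
const POLICY = {
  allowedScripts: ["/sw.js"],
  uploadPrefix: "/uploads/",
};

// Classify one registration. `reg` carries the two fields we need from a
// browser ServiceWorkerRegistration: its scope and the worker's scriptURL.
// Returns a list of reasons; an empty list means the registration is expected.
function auditRegistration(reg, policy = POLICY) {
  const reasons = [];
  const scriptPath = new URL(reg.scriptURL).pathname;
  const scopePath = new URL(reg.scope).pathname;
  if (!policy.allowedScripts.includes(scriptPath)) {
    reasons.push("script " + scriptPath + " is not on the allowlist");
  }
  if (scriptPath.startsWith(policy.uploadPrefix)) {
    reasons.push("script is served from the user-upload path");
  }
  // By default a worker may only control URLs at or below its own directory;
  // a wider scope requires the Service-Worker-Allowed response header.
  const scriptDir = scriptPath.slice(0, scriptPath.lastIndexOf("/") + 1);
  if (!scopePath.startsWith(scriptDir)) {
    reasons.push("scope " + scopePath + " is wider than " + scriptDir);
  }
  return reasons;
}

// Browser-side cleanup: unregister every worker the audit flags and return
// the script URLs removed. Outside a browser (no navigator.serviceWorker)
// it returns an empty list, so auditRegistration can be tested from Node.
async function unregisterSuspicious(policy = POLICY) {
  if (typeof navigator === "undefined" || !navigator.serviceWorker) return [];
  const removed = [];
  for (const reg of await navigator.serviceWorker.getRegistrations()) {
    const worker = reg.active || reg.waiting || reg.installing;
    if (!worker) continue;
    const reasons = auditRegistration({ scope: reg.scope, scriptURL: worker.scriptURL }, policy);
    if (reasons.length && (await reg.unregister())) removed.push(worker.scriptURL);
  }
  return removed;
}
// Constructed sample: the site's own worker and one registered from an upload.
const SAMPLE = [
  { scope: "https://example.test/", scriptURL: "https://example.test/sw.js" },
  { scope: "https://example.test/", scriptURL: "https://example.test/uploads/avatar.js" },
];
```

Run `unregisterSuspicious()` from the page’s console (or a trusted extension) to apply the audit in a browser; in Node only `auditRegistration` does any work.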

Law added: “The space around service workers is really exciting because it’s always being developed. There is a lot of research to be done around that.”
