Visible to the public The Remote on the Local: Exacerbating Web Attacks Via Service Workers Caches

TitleThe Remote on the Local: Exacerbating Web Attacks Via Service Workers Caches
Publication TypeConference Paper
Year of Publication2021
AuthorsSquarcina, Marco, Calzavara, Stefano, Maffei, Matteo
Conference Name2021 IEEE Security and Privacy Workshops (SPW)
Keywordscache, compositionality, Conferences, Human Behavior, Measurement, Metrics, privacy, Programming, pubcrawl, Registers, resilience, Resiliency, security, Service Workers, user experience, Vulnerability, web attack, Web Browser Security, Web pages, web protection, web security
AbstractService workers boost the user experience of modern web applications by taking advantage of the Cache API to improve responsiveness and support offline usage. In this paper, we present the first security analysis of the threats posed by this programming practice, identifying an attack with major security implications. In particular, we show how a traditional XSS attack can abuse the Cache API to escalate into a personin-the-middle attack against cached content, thus compromising its confidentiality and integrity. Remarkably, this attack enables new threats which are beyond the scope of traditional XSS. After defining the attack, we study its prevalence in the wild, finding that the large majority of the sites which register service workers using the Cache API are vulnerable as long as a single webpage in the same origin of the service worker is affected by an XSS. Finally, we propose a browser-side countermeasure against this attack, and we analyze its effectiveness and practicality in terms of security benefits and backward compatibility with existing web applications.
DOI10.1109/SPW53761.2021.00062
Citation Keysquarcina_remote_2021