Author ORCiD

0000-0001-6452-5576

College

College of Sciences

Department

Computer Science

Graduate Level

Doctoral

Graduate Program/Concentration

Computer Science

Presentation Type

No Preference

Abstract

Progressive Web Applications (PWAs) are gaining popularity due to their rich features. Service Workers (SWs), one of their integral components, make this possible by providing offline functionality, improved performance, and effective caching. An SW acts as a proxy positioned between the client browser and the web server, capable of intercepting requests and responses. Recent research has shown that, although SWs were designed with security in mind, there are ways to circumvent these precautions and launch various attacks.

Sensitive functions in JavaScript are functions that can introduce security vulnerabilities if not properly coded or validated. Such functions manipulate the Document Object Model (DOM), load or evaluate code, or act on untrusted input, and mishandling them leads to attacks such as Cross-Site Scripting (XSS), code injection, and data leaks. Since SWs are JavaScript files (with no DOM access, but with full control over network requests, messages, and dynamically loaded scripts), attackers can exploit sensitive functions in SWs to launch attacks.

Our work is twofold. First, we conduct an in-depth analysis of sensitive functions in the wild, exploring how they can be misused. Second, we investigate how malicious parties can misuse these functions in SWs to mount attacks. Specifically, we examine Cross-Site Request Forgery (CSRF) attacks, in which a benign user is forced to execute unintended actions on a website on which they are authenticated. With the goal of obtaining sensitive information from a user who browses a PWA, we aim to demonstrate the practical workings of a CSRF attack on PWAs, detect websites in the wild that are vulnerable to this type of attack, and propose mitigation strategies for both end users and website developers.
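The following is an added example, not code from the paper, of the request-interception pattern described above: a service worker fetch handler in a weak form that turns an intercepted navigation into a credentialed, state-changing request, beside a hardened form that refuses to do so. The routing decisions are pure functions of the intercepted request so they can run outside a browser; the listener at the end is only attached inside a worker. The origin `https://app.example`, the `/api/<action>` endpoint, the `X-CSRF-Token` header and the sample navigation are assumptions made for this example.

```javascript
// Added example, not the paper's code: the weak and the hardened form of a
// service worker fetch handler. Assumed: the origin https://app.example,
// the /api/<action> endpoint and the X-CSRF-Token header.

const ORIGIN = "https://app.example"; // assumed PWA origin
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Reads a header from a real Request (Headers object) or from the plain
// objects used as constructed sample requests below.
function header(req, name) {
  const h = req.headers || {};
  if (typeof h.get === "function") return h.get(name);
  return h[name] ?? h[name.toLowerCase()] ?? null;
}

// Weak handler: the worker treats the query string of an intercepted
// navigation as an instruction and performs it with a credentialed POST.
// Navigations into the worker's scope are intercepted even when another site
// started them, so an attacker page only has to send the victim to
// https://app.example/?action=transfer&to=...  The POST is then issued by the
// worker itself, i.e. same-origin: SameSite cookies are attached and there is
// no cross-site Origin or Referer header for the server to reject.
function weakHandle(req) {
  const url = new URL(req.url);
  const action = url.searchParams.get("action");
  if (req.mode === "navigate" && action) {
    return {
      passthrough: true,
      // In a real worker: event.waitUntil(fetch(url, { method, credentials, body }))
      sideRequests: [{
        url: `${ORIGIN}/api/${action}`,
        method: "POST",
        credentials: "include",
        body: Object.fromEntries(url.searchParams),
      }],
    };
  }
  return { passthrough: true, sideRequests: [] };
}

// Hardened handler: navigations never trigger state-changing calls; only
// requests from a page this worker controls (the browser sets clientId) to
// this origin are considered, and an unsafe method must already carry the
// application's CSRF token header, which a cross-site initiator cannot set.
function hardenedHandle(req, clientId) {
  const url = new URL(req.url);
  if (req.mode === "navigate" || url.origin !== ORIGIN || !clientId) {
    return { passthrough: true, blocked: false, sideRequests: [] };
  }
  if (!SAFE_METHODS.has(req.method.toUpperCase()) && !header(req, "X-CSRF-Token")) {
    return { passthrough: false, blocked: true, sideRequests: [] };
  }
  return { passthrough: true, blocked: false, sideRequests: [] };
}

// Constructed sample: the navigation a cross-site page would induce.
const FORGED_NAVIGATION = {
  url: `${ORIGIN}/?action=transfer&to=attacker&amount=1000`,
  method: "GET",
  mode: "navigate",
  headers: {},
};

// Attach the hardened handler only when actually running as a service worker.
if (typeof self !== "undefined" && typeof self.addEventListener === "function" &&
    typeof self.clients !== "undefined") {
  self.addEventListener("fetch", (event) => {
    const decision = hardenedHandle(event.request, event.clientId);
    if (decision.blocked) {
      event.respondWith(new Response("missing CSRF token", { status: 403 }));
    }
    // Not calling respondWith lets the browser fetch the request normally.
  });
}
```

The point of the split is that a worker runs inside the victim's origin, so any request it issues with `credentials: "include"` bypasses the SameSite and Origin-header checks that protect the server from ordinary cross-site requests; the hardened handler therefore never derives an action from a navigation and relies on the application's own CSRF token rather than on the request's origin.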

In addition to sensitive functions, we dissect the general structure of SWs, gaining insights into poor practices by developers that introduce exploitable loopholes.

To enhance user awareness and security, we developed a Chrome extension that notifies users about the registration status of SWs. Upon detecting a registered SW, our extension retrieves the associated JavaScript file and alerts the user. It also provides a concise two-minute tutorial to familiarize users with SW concepts. The extension further addresses existing attacks such as history hijacking and XSS, and potential new threats such as CSRF: an integrated scanning tool analyzes registered SWs for vulnerabilities and presents its findings to the user. Finally, the extension offers in-app options for users to mitigate these risks, ensuring a safer browsing experience on the websites they visit.
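As an added example of the kind of check such a scanner could run (this is not the paper's extension code; the pattern list, the severities, the finding format and the sample worker are assumptions made for this example), the function below scans a registered worker's script text for sensitive functions and returns findings as data, and `collectRegisteredWorkers` shows how a page-context script would obtain each script via `navigator.serviceWorker.getRegistrations()`.

```javascript
// Added example, not the paper's extension code: a pattern-based scan of a
// registered worker's script for sensitive functions. The pattern list, the
// severities and SAMPLE_WORKER are assumptions made for this example.

const SENSITIVE_PATTERNS = [
  { id: "importScripts-remote", severity: "high",
    re: /importScripts\s*\(\s*["'`]([^"'`]+)["'`]/g,
    why: "worker code pulled from another origin; that host can change the worker at will" },
  { id: "eval", severity: "high", re: /\beval\s*\(/g,
    why: "string evaluated as code" },
  { id: "new-Function", severity: "high", re: /\bnew\s+Function\s*\(/g,
    why: "string evaluated as code" },
  { id: "credentialed-fetch", severity: "medium", re: /credentials\s*:\s*["']include["']/g,
    why: "worker sends the user's cookies; check what decides the target and method" },
  { id: "query-driven-logic", severity: "medium", re: /searchParams\.get\s*\(/g,
    why: "behaviour derived from the URL query, which a cross-site link controls" },
  { id: "message-handler", severity: "info", re: /addEventListener\s*\(\s*["']message["']/g,
    why: "worker acts on posted messages; their content must be validated" },
];

// Scans worker source text. allowedOrigin is the origin the worker belongs
// to, used to tell local importScripts targets from remote ones. Findings are
// sorted by line so a popup can list them in source order.
function scanWorkerSource(source, allowedOrigin) {
  const findings = [];
  for (const p of SENSITIVE_PATTERNS) {
    for (const m of source.matchAll(p.re)) {
      if (p.id === "importScripts-remote") {
        let remote = true;
        try { remote = new URL(m[1], allowedOrigin).origin !== allowedOrigin; }
        catch { remote = true; } // unparsable target: report it
        if (!remote) continue;
      }
      const line = source.slice(0, m.index).split("\n").length;
      findings.push({ id: p.id, severity: p.severity, line, snippet: m[0], why: p.why });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample worker: one local and one remote import, and a fetch
// handler that turns a query parameter into a credentialed POST.
const SAMPLE_WORKER = `
importScripts('/vendor/workbox.js');
importScripts('https://cdn.example/analytics-sw.js');
self.addEventListener('fetch', (event) => {
  const url = new URL(event.request.url);
  const action = url.searchParams.get('action');
  if (action) {
    event.waitUntil(fetch('/api/' + action, { method: 'POST', credentials: 'include' }));
  }
});
`;

// Browser side: enumerate the page's registrations and fetch each script.
// Only runs where navigator.serviceWorker exists (a page or content script
// sharing the page's origin, which is an assumption of this example).
async function collectRegisteredWorkers() {
  if (typeof navigator === "undefined" || !navigator.serviceWorker) return [];
  const results = [];
  for (const reg of await navigator.serviceWorker.getRegistrations()) {
    const worker = reg.active || reg.waiting || reg.installing;
    if (!worker) continue;
    const source = await (await fetch(worker.scriptURL)).text();
    results.push({
      scope: reg.scope,
      scriptURL: worker.scriptURL,
      findings: scanWorkerSource(source, new URL(worker.scriptURL).origin),
    });
  }
  return results;
}
```

A regex scan of this kind produces leads, not verdicts: `credentials: "include"` is legitimate in many workers, and the interesting question is which input decides the target of that fetch, which is why the finding records the line and a snippet for the user to inspect rather than a pass/fail result.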

Keywords

Service worker, Sensitive function, CSRF, PWA

Bridging the Gap: Understanding and Mitigating CSRF Threats in Service Worker Environments