Ghosts in the Browser: Backdooring with service workers

Presented at Kiwicon 2038AD: The Dystopic Future is Now (2018), Nov. 16, 2018, 3 p.m. (30 minutes)

Service workers are all the rage for progressive web apps nowadays. This talk will take a look at service workers from a different perspective. We'll talk about ways to abuse them by exploiting XSS issues. We'll cover how to create a pseudo browser backdoor with service workers, as well as some of its limitations. The talk will include demos of the attacks and will introduce various defence mechanisms against them.


Presenters:

  • Emmanuel Law
    Emmanuel Law (@libnex) used to be a consultant in Wellington. He's now a security engineer in the Bay Area.
  • Claudio Contin
    Claudio is a security consultant with ZX Security in Wellington. Before working in security, he spent several years developing web applications. He has made small contributions to the BeEF framework (http://beefproject.com/) and Gophish (https://getgophish.com/) open source projects.
