At Your Service - Abusing the Service Workers Web API

Presented at BSidesLV 2019, Aug. 7, 2019, 5 p.m. (55 minutes)

The Service Workers API is a modern web API that grants web developers advanced capabilities, such as acting as a proxy server, intercepting network requests and improving offline experience as a background service.

At Akamai, we have unique visibility into World Wide Web traffic. We have witnessed a dramatic increase in the usage of legitimate service workers in our customers' web applications in the past year. We believe this trend applies to malicious service workers as well.

In this talk we will cover new and emerging web-based attacks that (ab)use the Service Worker web API. We will cover and demonstrate the attack flow in which a potential attacker amplifies and persists his foothold on the client and exfiltrates sensitive information by abusing the Service Worker API.

Alongside showcasing those kinds of attacks, we will also discuss and explain how to find them and the methods available to mitigate and prevent them.
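One defensive measure the abstract points toward is auditing which service workers are actually registered for an origin, since a worker that intercepts fetches outside the paths it was deployed for is exactly the persistence the talk describes. The following is an added example, not code from the talk or from Akamai: it classifies each registration against a hypothetical allowlist of expected script URLs and scopes, and can unregister the rest. The allowlist entries, the `app.example.com` host and the sample registrations are all constructed for the example.

```javascript
// Added example, not code from the BSidesLV talk: audit the service workers
// registered for an origin against an allowlist of expected script URLs and
// scopes, and optionally unregister anything that does not match.
// The allowlist entries and sample registrations below are hypothetical.

const EXPECTED_SERVICE_WORKERS = [
  { scriptURL: 'https://app.example.com/sw.js', scope: 'https://app.example.com/' },
];

// Classify one registration. Works on a real ServiceWorkerRegistration (which
// exposes .scope and .active/.waiting/.installing workers carrying .scriptURL)
// or on a plain object of the same shape, so it can run outside a browser.
function classifyRegistration(reg, expected = EXPECTED_SERVICE_WORKERS) {
  const worker = reg.active || reg.waiting || reg.installing;
  const scriptURL = worker ? worker.scriptURL : null;
  const scope = reg.scope;

  if (!scriptURL) {
    return { verdict: 'unknown', scope, scriptURL, reason: 'registration has no worker attached' };
  }
  if (expected.some((e) => e.scriptURL === scriptURL && e.scope === scope)) {
    return { verdict: 'expected', scope, scriptURL };
  }
  // Same script as an approved worker but registered under a different scope:
  // the scope decides which navigations and fetches the worker may intercept.
  if (expected.some((e) => e.scriptURL === scriptURL)) {
    return { verdict: 'unexpected-scope', scope, scriptURL, reason: 'approved script registered with an unapproved scope' };
  }
  return { verdict: 'unexpected-script', scope, scriptURL, reason: 'script URL is not on the allowlist' };
}

// Browser entry point: enumerate registrations for the current origin and,
// if asked, unregister the ones that fail the check. Returns [] where the
// Service Worker API is unavailable (e.g. in Node or an insecure context).
async function auditServiceWorkers(unregisterUnexpected = false, expected = EXPECTED_SERVICE_WORKERS) {
  if (typeof navigator === 'undefined' || !navigator.serviceWorker) return [];
  const registrations = await navigator.serviceWorker.getRegistrations();
  const results = [];
  for (const reg of registrations) {
    const result = classifyRegistration(reg, expected);
    if (result.verdict !== 'expected' && unregisterUnexpected) {
      result.unregistered = await reg.unregister();
    }
    results.push(result);
  }
  return results;
}

// Stand-alone demo over constructed registrations (plain objects mimicking
// ServiceWorkerRegistration), so the classifier can be exercised without a browser.
function demo() {
  const sampleRegistrations = [
    { scope: 'https://app.example.com/', active: { scriptURL: 'https://app.example.com/sw.js' } },
    { scope: 'https://app.example.com/', active: { scriptURL: 'https://app.example.com/vendor/other.js' } },
    { scope: 'https://app.example.com/account/', installing: { scriptURL: 'https://app.example.com/sw.js' } },
  ];
  return sampleRegistrations.map((reg) => classifyRegistration(reg));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

`getRegistrations()` only returns registrations for the calling page's origin, and a service worker script must itself be served from that origin, so the allowlist is really a statement of which same-origin paths are permitted to host a worker and how wide a scope each may claim. Unregistering from page script is a cleanup, not a guarantee; on the server side, responding with a `Clear-Site-Data: "storage"` header also removes an origin's service worker registrations, which is useful during incident response when a compromised worker must be cleared from every visiting browser.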


Presenters:

  • Shay Shavit
    Shay is a Senior Security Researcher on Akamai's Threat Research Team, where he focuses on bot detection and web application attack research for Akamai's cloud security solutions. In addition to working with Akamai, Shay is active in many bug bounty programs and is part of the Bugcrowd Researcher Council.
  • Daniel Abeles
    Daniel Abeles is an experienced security researcher with years of experience in web application attacks. Daniel currently serves as a Senior Security Researcher in the Akamai Threat Research Group, supporting Akamai's cloud security solutions. Daniel has a strong security background from working for the Air Force and for consulting companies on various projects. Outside of Akamai, he enjoys breaking stuff, learning new things, developing new tools and contributing to open source projects.