Watching this talk by Amy Burnett I realized that I never really considered the abuse potential of service workers. I’ve seen plenty of JavaScript files reflecting query parameters, typically JSONP endpoints. And I considered these non-exploitable.


But any JS file that you can smuggle an importScripts call into is a potential service worker. You still need reflected XSS to register it, but severity increases drastically. A service worker can mess with any URL in its directory, and it persists even after a browser restart.

@WPalant Yeah.... I looked at about:debugging#/runtime/this-firefox and there are 71 active service workers going back years.... don't we need a permissions UI for that?

@hopeless Technically speaking, it’s merely some website doing stuff in the background. And the browser will stop service workers when they aren’t needed. So user-facing UI isn’t really needed. It’s more of a website security topic.
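
A website-side mitigation for the scenario discussed in this thread, as an added example that is not part of any post above: a JSONP-style handler that refuses service worker script fetches (browsers mark them with a `Service-Worker: script` request header) and accepts only plain identifier callbacks. The `handleJsonp` function, the request shape and the `callback` parameter name are assumptions made for illustration.

```javascript
// Added example; handleJsonp and the request shape are hypothetical.
// Callback must be a plain dotted identifier: no parentheses, quotes or slashes,
// so a reflected value cannot carry a call such as importScripts(...).
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function handleJsonp(req, data) {
  // Browsers add "Service-Worker: script" when fetching a script passed to
  // navigator.serviceWorker.register(). This endpoint is never a worker.
  if ((req.headers['service-worker'] || '').toLowerCase() === 'script') {
    return { status: 403, headers: {}, body: 'Not a service worker script' };
  }
  const cb = req.query.callback;
  if (typeof cb !== 'string' || cb.length > 64 || !SAFE_CALLBACK.test(cb)) {
    return { status: 400, headers: {}, body: 'Invalid callback name' };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `/**/${cb}(${JSON.stringify(data)});`,
  };
}

// Constructed sample requests (header names lower-cased, as Node's http module does).
const samples = [
  { name: 'normal JSONP', headers: {}, query: { callback: 'app.onData' } },
  { name: 'smuggled call', headers: {}, query: { callback: 'importScripts("/x.js")//' } },
  { name: 'worker fetch', headers: { 'service-worker': 'script' }, query: { callback: 'app.onData' } },
];
for (const s of samples) {
  console.log(s.name, '->', handleJsonp(s, { ok: true }).status);
}
```

The header check is the stronger of the two controls, since it holds even when a bare callback name happens to be a worker global.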
