Proceedings 2020 Network and Distributed System Security Symposium 2020
DOI: 10.14722/ndss.2020.24140

Melting Pot of Origins: Compromising the Intermediary Web Services that Rehost Websites

Abstract: Intermediary web services such as web proxies, web translators, and web archives have become pervasive as a means to enhance the openness of the web. These services aim to remove the intrinsic obstacles to web access; i.e., access blocking, language barriers, and missing web pages. In this study, we refer to these services as web rehosting services and make the first exploration of their security flaws. The web rehosting services use a single domain name to rehost several websites that have distinct domain nam…

Cited by 12 publications (6 citation statements)
References 16 publications
“…Papadopoulos et al [39] explored their use for malicious client-side computations like cryptomining, while Franken et al [23] briefly explored SWs in the context of cookie-carrying third-party requests and found that SW-initiated requests are often not blocked by privacy extensions. Watanabe et al [55] proposed a persistent man-in-the-middle attack that exploits SWs. In this attack, malicious websites can register a SW in the scope of a rehosting website.…”
Section: Related Work
mentioning
confidence: 99%
“…We notice that while the service worker gives better experience for users, it also gives attackers a new attack surface and additional privileges. For example, web attacks used to happen when a victim opens a malicious or compromised web page, but now service workers can execute malicious payload off-screen and enable several novel attacks [21,26]. By simply visiting a website, users are exposed to potential risks of a service worker.…”
Section: Potential Defense Solutions
mentioning
confidence: 99%
“…Nevertheless, Papadopoulos et al assume that the target website and the service worker are already malicious or compromised but do not discuss a way to compromise a service worker. Watanabe et al discuss how an attacker can register a malicious service worker for a re-hosted website to compromise other re-hosted websites of the same service provider [26]. We look at the service worker from a different angle and assume the service worker is benign while the goal is to compromise it instead of registering a malicious service worker.…”
Section: Related Work
mentioning
confidence: 99%
“…One popular format, used for example in web applications, is the JSON format that is possible to implement in the converter software. For interesting papers discussing web services see, e.g., [32][33][34]. From the network point of view, the converter becomes a terminal device (an endnode), which on the one hand realizes the data exchange with the meter in client/server mode, and on the other hand is a source of data periodically sent in "push" mode via gateway to the application dealing with measurement data acquisition.…”
mentioning
confidence: 99%
“…One popular format, used for example in web applications, is the JSON format that is possible to implement in the converter software. For interesting papers discussing web services see, e.g., [32][33][34].…”
mentioning
confidence: 99%