This is the shortest delay between blog posts I've had in a while, but I figured that since my last post had some confusing stuff, it might make sense to add a short demo. The demo application has three things that enable the attack:
- An open redirect. Available at /cgi-bin/redirect?continue=.
- A Cache Service Worker. Available at /sw.js.
- A page that embeds images via <img crossorigin="anonymous" src="" />.
Beyond that, the attack itself needs:
- A CORS-enabled attack page. Available at /cgi-bin/attack.
- The service worker must be installed.
- A request to our attack page must be cached with mode=cors.
When you click submit above the following things will happen:
- A service worker will be installed for the whole origin.
- An image tag pointing to the open redirect will be created.
- The service worker will cache the request with the CORS response of the attacker.
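The sequence above works because the demo's service worker stores whatever comes back from the open redirect under the same-origin request URL. As an added example (not the demo's own sw.js), here is a cache policy that refuses exactly that kind of response: it only stores non-redirected, same-origin ("basic") responses whose final URL is on the service worker's own origin. The origin, cache name and the sample request/response objects are constructed for the example.

```javascript
// Added example, not the demo's sw.js. SW_ORIGIN is an assumed placeholder
// for the service worker's own origin; in a real worker use self.location.origin.
const SW_ORIGIN = "https://demo.example";

// Decide whether a fetched response may be stored in the cache under req.url.
// `req` and `res` are plain objects carrying the Request / Response fields the
// decision depends on, so the policy can be exercised outside a browser.
function isSafeToCache(req, res, origin = SW_ORIGIN) {
  if (req.method !== "GET") return false; // only cache idempotent fetches
  if (!res.ok) return false;              // never cache error responses
  // A followed redirect means the body did not come from req.url itself;
  // this is the open-redirect case the demo abuses.
  if (res.redirected) return false;
  // "cors" and "opaque" bodies were served by another origin; only "basic"
  // (same-origin) responses may be keyed under a same-origin URL.
  if (res.type !== "basic") return false;
  let reqOrigin, resOrigin;
  try {
    reqOrigin = new URL(req.url).origin;
    resOrigin = new URL(res.url).origin;
  } catch (e) {
    return false; // unparseable URL: do not cache
  }
  // Cache key and response body must both belong to our origin.
  return reqOrigin === origin && resOrigin === origin;
}

// Register the fetch handler only when actually running inside a service worker.
if (typeof self !== "undefined" && typeof self.addEventListener === "function" && "caches" in self) {
  self.addEventListener("fetch", (event) => {
    event.respondWith((async () => {
      const cache = await caches.open("demo-v1"); // assumed cache name
      const hit = await cache.match(event.request);
      if (hit) return hit;
      const res = await fetch(event.request);
      if (isSafeToCache(event.request, res, self.location.origin)) {
        await cache.put(event.request, res.clone());
      }
      return res;
    })());
  });
}

// Constructed samples: the request issued by <img crossorigin="anonymous">
// pointing at the open redirect, and the response it receives from the
// attacker's CORS-enabled page after the redirect is followed.
const poisonedRequest = {
  method: "GET",
  mode: "cors",
  url: "https://demo.example/cgi-bin/redirect?continue=https://attacker.example/cgi-bin/attack",
};
const poisonedResponse = { ok: true, redirected: true, type: "cors", url: "https://attacker.example/cgi-bin/attack" };

// A normal same-origin image fetch that the worker should still cache.
const normalRequest = { method: "GET", mode: "no-cors", url: "https://demo.example/logo.png" };
const normalResponse = { ok: true, redirected: false, type: "basic", url: "https://demo.example/logo.png" };
```

The `redirected` and `type` checks are independent on purpose: a redirect that lands back on the same origin still yields a body the request URL did not serve, and a cross-origin body can arrive without a redirect when the worker itself fetches other origins.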
If the demo doesn't work for you, that probably means you navigated to the attack page before caching the CORS response. If that's the case, clear the cache and try again.
Note you need Chrome 43 or later for this to work (or a nightly version of Firefox with the flags flipped). Hope this clarifies things a bit!