You’re a bad guy and you just hacked a website. Normally you leak the database and leave. The owner fixes everything the next day and removes your backdoor. With Middlekit techniques you can poison the browser cache of every visitor and get more money and intelligence in the long run.
They call it “Advanced Persistent Threat” in the cyber snake oil industry. It silently sits in the victim’s user agent and waits for your commands. It can alter responses, proxy requests through your server, etc.; it is permanent session hijacking and XSS.
I am not going to give you specific software, but I will explain two approaches: appcache and serviceworker.
Appcache works in all browsers. You just need to add the manifest itself to the CACHE MANIFEST section and the browser will always return the poisoned documents from the cache.
- You need to collect as many URLs as possible: you need to list them explicitly to make the user agent cache them. `site:victim.com` in Google is a good start.
  Don’t forget user-specific URLs such as `/settings` or `/homakov/direct_messages`. You can generate the manifest on the fly.
- Insert your middlekit in front of the hacked production server. For demonstration you can run the following script locally and add `127.0.0.1 sakurity.com` to your `/etc/hosts`. It also works in MitM attacks over wifi against https:// websites.
- Get as many users as possible to visit the hacked server right now: try a newsletter.
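The defender’s counterpart to the manifest step above: a site owner cleaning up after a compromise needs to find every page that now carries a `manifest` attribute and every URL that answers with `text/cache-manifest`, because visitors keep reading from the poisoned cache until the manifest URL itself goes away. The audit below is an added example, not code from the original post; the sample responses it checks are constructed, and the allowlist of legitimate manifest URLs is something you would fill in from your own deployment.

```python
"""Audit HTTP responses for appcache manifests a site did not intend to serve.

Added example (not from the original post). The sample page bodies below
are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin


class _ManifestFinder(HTMLParser):
    """Collect the manifest attribute of the <html> element, if present."""

    def __init__(self):
        super().__init__()
        self.manifests = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names.
        if tag == "html":
            for name, value in attrs:
                if name == "manifest" and value is not None:
                    self.manifests.append(value)


def find_manifest_refs(html_text, page_url):
    """Return absolute URLs of any appcache manifest the page references."""
    parser = _ManifestFinder()
    parser.feed(html_text)
    return [urljoin(page_url, ref) for ref in parser.manifests]


def audit_response(page_url, headers, body, allowed_manifests=frozenset()):
    """Return a list of findings for one response; an empty list means clean.

    Two things are flagged: a page whose <html> element points at a manifest
    outside the allowlist, and a URL that is served as a cache manifest
    without being one the site knowingly ships.
    """
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "").lower()

    if "text/cache-manifest" in ctype and page_url not in allowed_manifests:
        findings.append(f"unexpected cache manifest served at {page_url}")

    if "text/html" in ctype:
        for ref in find_manifest_refs(body, page_url):
            if ref not in allowed_manifests:
                findings.append(
                    f"page {page_url} references unexpected manifest {ref}"
                )
    return findings


# Constructed sample responses: one clean page, one page with an injected
# manifest attribute, and the manifest URL itself.
CLEAN_PAGE = "<!doctype html><html><head><title>home</title></head><body>hi</body></html>"
POISONED_PAGE = (
    '<!doctype html><html manifest="/x/poison.appcache">'
    "<head><title>settings</title></head><body>hi</body></html>"
)
HTML_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
MANIFEST_HEADERS = {"Content-Type": "text/cache-manifest"}


def demo():
    """Run the audit over the constructed samples and return all findings."""
    results = []
    results += audit_response("https://example.test/", HTML_HEADERS, CLEAN_PAGE)
    results += audit_response("https://example.test/settings", HTML_HEADERS, POISONED_PAGE)
    results += audit_response(
        "https://example.test/x/poison.appcache", MANIFEST_HEADERS, "CACHE MANIFEST\n"
    )
    return results


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Removing the injected `manifest` attribute is not enough on its own: a browser that already holds the cache keeps using it until it re-fetches the manifest and gets a 404 or 410, which is what makes the cache group obsolete. So the manifest URLs this audit turns up must keep answering 404/410 for as long as poisoned visitors may still return, not just disappear from the server.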
ServiceWorker works only in Chrome on desktop and only over https: websites, but it is actually much more dangerous. It creates a worker which alters responses for all requests, and there’s no need to explicitly cache every page: you can cover an entire domain with one worker.
To install a ServiceWorker the browser wants to see it as a response with `Service-Worker: true` or explicit
In other words XSS + JSONP + ServiceWorker = Permanent XSS on every page.
Appcache is too late to fix, and it’s going to be the perfect cache poisoning tool for a long while, for both hacked websites and insecure connections (yet another reason to avoid https:// when you’re on someone’s wifi).
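The XSS + JSONP + ServiceWorker chain works because the site ends up serving attacker-chosen JavaScript from its own origin at a URL the browser will accept as a worker script. The server-side gate below is an added example, not anything from the original post: it assumes a site that ships exactly one worker at `/sw.js` and exposes one JSONP endpoint at `/api/profile` (both constructed), refuses to serve any other URL when the browser’s request carries the `Service-Worker: script` header it sends while fetching a script for registration, and restricts JSONP callback names so the endpoint cannot be turned into an arbitrary script in the first place.

```python
"""Gate worker-script fetches and harden a JSONP endpoint.

Added example (not from the original post). The routes, the worker path and
the profile data are constructed for illustration.
"""
import json
import re

# The only script this site ever wants a browser to register as a worker.
ALLOWED_SW_PATHS = frozenset({"/sw.js"})

# Strict JavaScript identifier (with a length cap): anything else is rejected,
# so a callback parameter can never smuggle in extra code.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]{0,63}$")


def is_worker_script_fetch(headers):
    """True when the browser is fetching this URL in order to install it as a worker."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("service-worker", "").strip().lower() == "script"


def handle_request(path, headers, query):
    """Minimal request handler returning (status, response_headers, body)."""
    # Gate first: a worker-script fetch for any path other than the real
    # worker is refused outright, whatever that path would normally return.
    if is_worker_script_fetch(headers) and path not in ALLOWED_SW_PATHS:
        return 403, {"Content-Type": "text/plain"}, "not a service worker script"

    if path == "/sw.js":
        # Service-Worker-Allowed caps the scope a registration may claim.
        return (
            200,
            {"Content-Type": "application/javascript", "Service-Worker-Allowed": "/app/"},
            "self.addEventListener('fetch', function (e) {});",
        )

    if path == "/api/profile":
        data = {"name": "homakov"}  # constructed sample payload
        callback = query.get("callback")
        if callback is None:
            # Plain JSON: not a JavaScript MIME type, so not registrable anyway.
            return (
                200,
                {"Content-Type": "application/json", "X-Content-Type-Options": "nosniff"},
                json.dumps(data),
            )
        if not CALLBACK_RE.match(callback):
            return 400, {"Content-Type": "text/plain"}, "bad callback"
        return (
            200,
            {"Content-Type": "application/javascript", "X-Content-Type-Options": "nosniff"},
            f"/**/{callback}({json.dumps(data)});",
        )

    return 404, {"Content-Type": "text/plain"}, "not found"


if __name__ == "__main__":
    print(handle_request("/api/profile", {"Service-Worker": "script"}, {"callback": "cb"}))
    print(handle_request("/api/profile", {}, {"callback": "cb"}))
    print(handle_request("/sw.js", {"Service-Worker": "script"}, {}))
```

The two checks are independent on purpose: the header gate protects every endpoint that happens to emit JavaScript, including ones nobody remembers, while the callback whitelist closes the JSONP endpoint itself, so a bypass of one still leaves the other standing. A worker that was installed before the gate went in is not removed by it; that needs the worker script URL to start failing so the browser drops the registration.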