Shadow Workers: XSS & SW exploitation framework

Shadow Workers is a free and open source C2 and proxy designed for penetration testers to help in the exploitation of XSS and malicious Service Workers (SW). The project is hosted here: https://github.com/shadow-workers/shadow-workers A successful exploitation allows you to browse on the targeted application as the victim(s), as long as the SW (agent) is active. A victim does not have to have a browser tab open in the application for the agent to be active.

Currently, the tool supports the following:

Browsers support:

Chrome: full support

Firefox: Push & Fetch

Edge: Push & Fetch

Opera: Background Sync & Fetch

To setup the C2 and proxy:

Register Domain

Register a domain and point it to an Internet facing host (C2).

Install dependencies on C2 host

Python 3

C2 host

$ git clone https://github.com/shadow-workers/shadow-workers.git
$ cd shadow-workers
$ pip install -r requirements.txt

Clone the repository

On the C2 host, go the folder where you want to store your project, clone the project and install the dependencies:

Configure HTTPS

On the C2 host, generate SSL/TLS certificate using letsencrypt (or anything you prefer) and add copy the certificate (cert.pem) and key (key.pem) to the project folder:

/path/to/shadow-workers

$ cp fullchain.pem /path/to/shadow-workers/cert.pem
$ cp secretkey.pem /path/to/shadow-workers/key.pem

C2 host

$ SW_HTTPS=true start.sh
 Credentials for dashboard
 USERNAME: workers
 PASSOWRD: PASSWORD

Start C2

Map C2 proxy port to localhost

On your local machine:

localhost

$ ssh -L 8888:localhost:8888 C2_HOST

Browse to C2 dashboard

In your browser, choose to use the following socks proxy in the browser preferences: type: socks, address: 127.0.0.1, port: 8888. Open a browser to the address: https://DOMAIN_REGISTERED/dashboard/ To authenticate, provide "workers" as username and the password from the output generated from the start.sh script.

Generate SW

Generate and copy the malicious Service Worker (SW) to be uploaded on the target application. This can be retrieved from the dashboard, or under https://C2_HOST/modules/sw.js Upload it against the vulnerable application.

Trigger the XSS to register the SW

Send the malicious XSS to the application and trick the users to browse to it. The XSS payload can be generated on the C2 host at: https://C2_HOST/modules/xss . Note that you can specify a "path" parameter to point to the exact location of the uploaded SW on the compromised application (ex: ?path=/uploads/1234). If you prefer, when exploiting the XSS, you can just load the JS from that location.

Dashboard

When the victims visit the malicious XSS and the SWs are registered on their browsers, the agents (SW) will become available on the dashboard.

Proxy through agent

While a victim's agent (SW) is active, you can proxy through that agent and browse on the compromised application as the victim.

Execute modules

You can run post exploitation modules against the victim's agent (SW). For example, you can execute a localhost port scan.

Note that you can also write your own post exploitation scripts. Please refer to the official documentation for more information.

Push notifications

If the victim allowed the SW to received notifications, you can activate the agent on demand by sending a push notification.
On the dashboard. the option to deliver a push notification is only visible if the actual push registration has been received on the C2.

Note that a visual notification might appear on the victim's device, so use this caution.

DOM poisoning

The SW is capable of intercepting and poisoning requests made from within the scope. For more information around SW scope, please refer to https://developers.google.com/web/ilt/pwa/introduction-to-service-worker#registration_and_scope. For example, if the SW scope is "/uploads", the SW will be able to poison requests made from "/uploads". If the application has functionality that renders HTML pages under that path, the victims' agents will wake up everytime they browse to such pages under the scope. If no functionality exists under the scope, you can attempt to trick the victims to visit a non-existing page under that path; for example, by phishing. The web server will respond with the default 404 html page, and the SW will still be able to perform DOM poisoning on that and wake up the agent. Note that while the victim has a window open on the poisoned page, you can send arbitrary JS to it throught the console provided on the dashboard:

You can also write your own custom DOM module to be executed as soon as the malicious script is included in the poisoned response. The dom scripts location is: app/templates/dom_modules/.

Contribute

Clone to the project and submit pull requests

GitHub Project

https://github.com/shadow-workers/shadow-workers
 - Fork the project
 - Create your feature branch (git checkout -b my-new-feature)
 - Commit your changes (git commit -am 'Added some feature')
 - Push to the branch (git push origin my-new-feature)
 - Create new Pull Request