Light

shadow-workers / shadow-workers Goto Github PK

Shadow Workers is a free and open source C2 and proxy designed for penetration testers to help in the exploitation of XSS and malicious Service Workers (SW)

Home Page: https://shadow-workers.github.io

License: MIT License

Python 5.18% JavaScript 90.74% CSS 3.34% HTML 0.63% Mako 0.06% Shell 0.05%

xss-exploitation service-worker c2 proxy penetration-testing-tools

shadow-workers's Introduction

Shadow Workers

Info

Shadow Workers is a free and open source C2 and proxy designed for penetration testers to help in the exploitation of XSS and malicious Service Workers (SW). A successful exploitation allows you to browse on the targeted application as the victim(s), as long as the SW (agent) is active. A victim does not have to have a browser tab open in the application for the agent to be active.

How to use

Shadow Workers Site

TrustedSec Blog posts on the tool:

https://www.trustedsec.com/blog/persistence-through-service-workers-part-1-introduction-and-target-application-setup

https://trustedsec.com/blog/persistence-through-service-workers-part-2-c2-setup-and-use

Authors

License

This tool is released under the MIT License.

shadow-workers's People

Contributors

Stargazers

Watchers

Forkers

ashr byr0nchan bbhunter whjvenyl cs24 killvxk avineshwar orangeswim nickmavronick sagaroffsec freeide 5l1v3r1 sponkmonk ian7yang loca1gh0s7 akpotter tejaswiniu lancetw zha0 moderly hoodoer specopdiv solonoobs 3453-315h trickster0 munstar0s an4kein hartl3y94 chrisadams777 scramblr marcostolosa cehtej cyl4b3 red-infosec ykankaya powerpress chanpu9 randydom go-bi watson0x90 therealelyayo mr-dfx shehackedyou ronin-dojo

shadow-workers's Issues

Firefox: fetch poisoning generates new agentID

The SW dom poisoning by fetch event currently unregister and re-register the existing malicious Service Worker for the domain, in order to re-trigger the sync and wake it up.
In Chrome, when unregistering and re-registering, the previous agentID string that was saved in IDB does not get lost.
In Firefox, when trigger the re-registration, a new agentID is generated, rather than using the previous one stored in agentID.

How to use?

Do not quite understand the generation of sw and trigger by xss，
Can you write a presentation or tutorial that is easy to understand?

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.