Aggressive Offline Caching
Overview of the Vulnerability
Browsers implement features such as service workers to give web applications offline capabilities: caching, notifications and background computation, as used by Progressive Web Applications (PWAs). Depending on how the service worker is implemented, it can cause problems such as high CPU usage or, as in this instance, overly aggressive offline caching. A service worker that writes to the offline cache on every request, caches large or rarely reused responses, or places no bound on the cache consumes CPU, memory and storage on the user's device. That cost is paid by every regular user of the application, so the behaviour acts as a client-side Denial of Service (DoS) vector.
Business Impact
This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact on customers' access to the application and its functions.
Steps to Reproduce
Use a browser to navigate to: {{URL}}
Use {{software}} to profile CPU, memory and cache storage usage while the service worker is active, and compare it with the same measurement while the service worker is not active (for example, unregistered or bypassed)
Proof of Concept (PoC)
The screenshots below demonstrate the aggressive offline caching:
{{screenshot}}
Recommendation(s)
It is recommended to reduce the amount of offline caching performed by the application. Cache only what the application needs for offline use (the application shell and resources that are actually reused), do not rewrite entries that are already cached and still valid, bound the number and size of cache entries and evict stale ones, and tune these limits against the application's user metrics and current best practices. Offline caching needs to strike a balance between caching enough for performance and caching so much that it burdens the user's device.
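As an added example (not code from the original report or from the affected application), the following contrasts the aggressive behaviour described in the overview with a bounded policy matching the recommendation. The caching decisions are written as plain functions over a small in-memory stand-in for Cache Storage so they can be replayed outside a browser; the origin, limits and request sequence are constructed assumptions. The same `boundedPolicy` is then wired into a fetch handler sketch that only runs inside a real service worker.

```javascript
// Added example, not part of the original report: the aggressive caching
// behaviour from the overview beside a bounded policy matching the
// recommendation, written as plain functions so they run outside a browser.
// The origin, limits and traffic below are constructed assumptions.

const ORIGIN = 'https://app.example';   // assumed application origin
const MAX_ENTRIES = 200;                // assumed cap on cached entries
const MAX_BYTES = 512 * 1024;           // assumed per-response size cap

// Stand-in for one Cache Storage bucket: keyed by URL, LRU eviction once
// maxEntries is reached, and counters for the writes a policy causes.
class BoundedCache {
  constructor(maxEntries = MAX_ENTRIES) {
    this.maxEntries = maxEntries;
    this.entries = new Map();   // Map keeps insertion order, used as LRU order
    this.writes = 0;
    this.bytesWritten = 0;
  }
  has(url) { return this.entries.has(url); }
  put(url, bytes) {
    if (this.entries.has(url)) {
      this.entries.delete(url);                               // move to MRU
    } else if (this.entries.size >= this.maxEntries) {
      this.entries.delete(this.entries.keys().next().value);  // evict LRU
    }
    this.entries.set(url, bytes);
    this.writes += 1;
    this.bytesWritten += bytes;
  }
}

// Aggressive policy: every response, whatever its method, origin, status or
// size, is written back to the cache on every fetch.
function aggressivePolicy(req, res, cache) {
  return true;
}

// Bounded policy: cache only successful same-origin GETs of bounded size that
// are not already cached, so a hot asset is written once, not once per request.
function boundedPolicy(req, res, cache) {
  if (req.method !== 'GET') return false;
  if (!req.url.startsWith(ORIGIN + '/')) return false;
  if (res.status !== 200) return false;
  if (res.bytes > MAX_BYTES) return false;
  if (cache.has(req.url)) return false;
  return true;
}

// Replay a request/response sequence through a policy and report its cost.
function simulate(policy, traffic, maxEntries = MAX_ENTRIES) {
  const cache = new BoundedCache(maxEntries);
  for (const { req, res } of traffic) {
    if (policy(req, res, cache)) cache.put(req.url, res.bytes);
  }
  return { writes: cache.writes, bytesWritten: cache.bytesWritten, entries: cache.entries.size };
}

// Constructed traffic: two assets and a per-item API call fetched 100 times,
// plus a POST, a cross-origin script, a 404 and one 50 MB download.
function sampleTraffic() {
  const get = (url, bytes, status = 200) =>
    ({ req: { method: 'GET', url }, res: { status, bytes } });
  const traffic = [];
  for (let i = 0; i < 100; i++) {
    traffic.push(get(`${ORIGIN}/app.js`, 40000));
    traffic.push(get(`${ORIGIN}/style.css`, 8000));
    traffic.push(get(`${ORIGIN}/api/item/${i}`, 2000));
  }
  traffic.push({ req: { method: 'POST', url: `${ORIGIN}/api/login` }, res: { status: 200, bytes: 300 } });
  traffic.push(get('https://cdn.other/lib.js', 90000));
  traffic.push(get(`${ORIGIN}/missing`, 500, 404));
  traffic.push(get(`${ORIGIN}/video.mp4`, 50000000));
  return traffic;
}

// Inside a real service worker the policy sits in the fetch handler; the
// guard keeps this block inert under Node, where the API does not exist.
if (typeof ServiceWorkerGlobalScope !== 'undefined') {
  self.addEventListener('fetch', (event) => {
    event.respondWith((async () => {
      const cache = await caches.open('app-v1');
      const hit = await cache.match(event.request);
      if (hit) return hit;                       // cache-first: no write on a hit
      const res = await fetch(event.request);
      const req = { method: event.request.method, url: event.request.url };
      // Content-Length may be absent on streamed responses; treated as 0 here.
      const meta = { status: res.status, bytes: Number(res.headers.get('content-length') || 0) };
      // match() already missed, so the has() check is known to be false here.
      if (boundedPolicy(req, meta, { has: () => false })) await cache.put(event.request, res.clone());
      return res;
    })());
  });
}

console.log('aggressive:', simulate(aggressivePolicy, sampleTraffic()));
console.log('bounded:   ', simulate(boundedPolicy, sampleTraffic()));
```

Replaying the constructed traffic, the aggressive policy performs 304 cache writes totalling about 55 MB, including the 50 MB download, a POST response and a 404, while the bounded policy performs 102 writes totalling 248 KB and never touches the cache again for an asset it already holds. The write counters are what a profiler run as in the reproduction steps would surface as CPU and storage activity attributable to the service worker.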