xosski

Thorium Shielding

Mar 28th, 2025
'use strict';

// In-memory trail of trap hits. It lives only as long as this service worker
// instance does (the browser may terminate an idle worker at any time), so
// treat it as a best-effort record rather than durable storage.
const ATTACKER_LOG = [];

// Install: take over immediately instead of waiting for tabs controlled by an
// older worker version to close.
function onInstall() {
  self.skipWaiting();
}
self.addEventListener('install', onInstall);
  8.  
// Activate: claim every open client in scope so this worker starts seeing
// their fetch events right away, and keep the worker alive until that is done.
function onActivate(event) {
  event.waitUntil(self.clients.claim());
}
self.addEventListener('activate', onActivate);
  12.  
// Fetch: route each request through the deception traps, falling back to the
// network with HTML post-processing for everything that is not trapped.
// Matching is a substring test on the path, so any path containing the
// fragment (not only an exact endpoint) trips the corresponding trap.
function onFetch(event) {
  const { request } = event;
  const { pathname } = new URL(request.url);

  // Trap 1: the worker answers the "secrets" path itself; the real origin
  // never sees this request.
  if (pathname.includes('/api/keys')) {
    event.respondWith(fakeSensitiveDataResponse());
    logAttacker(request, 'Attempted to access API keys');
    return;
  }

  // Trap 2: login attempts on this path get the canned 401 from
  // fakeLoginResponse; the request is not forwarded upstream.
  if (pathname.includes('/auth/login')) {
    event.respondWith(fakeLoginResponse(request));
    logAttacker(request, 'Attempted fake login');
    return;
  }

  // Everything else goes to the network; injectDeception decides whether the
  // response body is rewritten before the page sees it.
  const deceived = fetch(request).then((response) => injectDeception(request, response));
  event.respondWith(deceived);
}
self.addEventListener('fetch', onFetch);
  36.  
/**
 * Build the decoy payload served for the "/api/keys" trap.
 *
 * The values are fixed, recognisable strings: they carry no real access and
 * are unique enough to act as canary tokens if they later show up in traffic
 * or logs elsewhere.
 *
 * @returns {Response} 200 JSON response containing the decoy credentials.
 */
function fakeSensitiveDataResponse() {
  const decoy = {
    apiKey: 'FAKE-KEY-123456789',
    secret: 'D3c3pt10nT0k3n',
  };
  const headers = new Headers({ 'Content-Type': 'application/json' });
  return new Response(JSON.stringify(decoy), { status: 200, headers });
}
  47.  
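/**
 * Answer the "/auth/login" trap: record the attempt and always return a
 * canned 401, regardless of what was submitted.
 *
 * Body parsing is best-effort. The original version let a non-JSON body (or a
 * JSON `null`) reject the promise, which, once handed to respondWith, surfaces
 * to the caller as a network error instead of the intended 401 and records
 * nothing. Only the username field is recorded; the password field is not
 * read at all.
 *
 * @param {Request} request - The trapped login request.
 * @returns {Promise<Response>} 401 JSON response with a generic error message.
 */
async function fakeLoginResponse(request) {
  let username;
  let note = 'no username field';
  try {
    const body = await request.json();
    // body may be any JSON value (including null), hence the optional chaining.
    username = body?.username;
  } catch {
    note = 'unparseable body';
  }

  if (username == null) {
    logAttacker(request, `Login attempt (${note})`);
  } else {
    logAttacker(request, `Login attempt with username: ${username}`);
  }

  const payload = JSON.stringify({ status: 'error', message: 'Invalid credentials' });
  return new Response(payload, {
    status: 401,
    headers: { 'Content-Type': 'application/json' },
  });
}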
  60.  
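/**
 * Post-process a network response: in successful HTML documents, replace any
 * inline `window.apiKey = '...'` assignment with a decoy value.
 *
 * Two fixes over the original: the trap is logged only when a replacement
 * actually happened (the old `text.includes('window.apiKey')` guard fired on
 * any mention of the name, even with no assignment to rewrite), and the
 * replacement no longer appends its own `;` — the original statement
 * terminator, if any, is kept, so a rewritten `window.apiKey = 'x',` inside a
 * comma expression stays valid JS.
 *
 * @param {Request} request - The request that produced `response` (for logging).
 * @param {Response} response - The upstream response.
 * @returns {Response|Promise<Response>} `response` itself when untouched,
 *   otherwise a promise for the rewritten copy.
 */
function injectDeception(request, response) {
  // Only successful HTML is rewritten; errors, opaque cross-origin responses
  // (ok === false), JSON and other assets pass through untouched.
  const contentType = response.headers.get('Content-Type') ?? '';
  if (!response.ok || !contentType.includes('text/html')) {
    return response;
  }

  return response.text().then((text) => {
    const manipulatedText = text.replace(
      /window\.apiKey\s*=\s*['"](.*?)['"]/g,
      "window.apiKey = 'FAKE-API-XYZ'"
    );
    if (manipulatedText !== text) {
      logAttacker(request, 'Injected deceptive API key');
    }

    // The body length may have changed, so a copied Content-Length could be
    // stale; dropping it is harmless because the body is delivered as a
    // stream and the browser does not need the header to frame it.
    const headers = new Headers(response.headers);
    headers.delete('Content-Length');

    return new Response(manipulatedText, {
      status: response.status,
      statusText: response.statusText,
      headers,
    });
  });
}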
  83.  
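/**
 * Record a trap hit in ATTACKER_LOG and echo it to the console.
 *
 * Inside a service worker `request` is the page's *outgoing* request, so the
 * X-Forwarded-For header is normally absent and, when present, was set by
 * the page itself rather than by a proxy — it is a client-supplied label,
 * not a trustworthy source address. It is still recorded for continuity, but
 * control characters are stripped and the value is truncated so a crafted
 * header cannot inject line breaks into the console output. The log is
 * bounded so a flood of hits cannot grow it without limit.
 *
 * @param {Request} request - The request that tripped the trap.
 * @param {string} action - Human-readable description of what was attempted.
 */
function logAttacker(request, action) {
  const MAX_ENTRIES = 500;
  const stripControl = (value) => String(value).replace(/[\u0000-\u001f\u007f]/g, '');

  const rawIp = request.headers.get('x-forwarded-for') ?? 'unknown';
  // `||` is intentional: a header that is empty after sanitising reads as unknown.
  const ip = stripControl(rawIp).slice(0, 64) || 'unknown';

  ATTACKER_LOG.push({
    timestamp: new Date().toISOString(),
    ip,
    action,
    url: request.url,
  });
  if (ATTACKER_LOG.length > MAX_ENTRIES) {
    // Drop the oldest entries; the stored record keeps the newest MAX_ENTRIES.
    ATTACKER_LOG.splice(0, ATTACKER_LOG.length - MAX_ENTRIES);
  }

  // `action` can embed attacker-supplied text (e.g. a submitted username), so
  // it is sanitised for the console line; the stored entry keeps it verbatim.
  console.warn(`[SECURITY TRAP] ${stripControl(action)} from IP: ${ip}`);
}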
  94.  