A dual-purpose Chrome Extension:
- For everyday users: proactively disable Service Workers to improve browser performance, reduce tracking, and gain predictability.
- For Red Team operators and penetration testers: a tactical tool to neutralize client-side Service Worker defenses and expose hidden application logic.
Service Workers enable offline caching, push notifications, background sync, and request interception. While useful, they can lead to:
- Stale Content: Aggressive caching hides fresh content.
- Unwanted Notifications: Persistent prompts and background messages.
- Performance Overhead: Extra CPU and battery usage.
- Privacy Concerns: Silent background requests without user control.
- Security Barriers: Obfuscation of backend APIs and enforced client-side validation.
For power users, developers, and security professionals, controlling this layer is essential.
4ndr0serviceguard enforces a default-deny Service Worker policy, blocking all registrations globally unless explicitly allowed.
- Everyday users get faster, cleaner, and more private browsing.
- Operators can surgically dismantle Service Worker protections, revealing hidden endpoints, bypassing client-side validation, and triggering legacy fallbacks.
This model delivers predictability, privacy, and expanded attack surface visibility.
- 🛡️ Nullifier Protocol: Global kill switch for Service Workers.
- ✍️ Intelligent Whitelist: Add trusted domains and their subdomains (e.g., google.com covers docs.google.com).
- 🤫 Stealth API Nullification: Returns fake registration promises to avoid breakage or detection.
- ⚡ Instant Execution: Injected at document_start before page scripts.
- ✅ Live Validation: Input checked in real time via popup.
- ✨ Manifest V3: Modern, asynchronous, and secure codebase.
Additional operator-level traits:
- Surgical Target Enablement: Per-domain SW restoration.
- Zero-Day Race Condition Dominance: Guaranteed execution before target scripts.
- Customizable Source: No build step; edit scripts directly.
pacifier.js injects into the MAIN world at document_start. It overwrites navigator.serviceWorker methods with inert stubs. All registration attempts resolve successfully but no Service Worker is active.
background.js checks tab URLs against the whitelist. For trusted domains, it reinjects original API methods with chrome.scripting.executeScript, restoring Service Worker functionality.
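For an application owner, the stubbing described above means a resolved register() promise proves nothing about whether a worker is running. The following added example (not code from this repository) checks a resolved registration for two heuristic signals; the finding names and the two container objects at the bottom are constructed assumptions.

```javascript
// Added example: heuristics a page can apply after register() resolves.
// A stub can imitate more than the constructed one below; treat a clean
// result as "nothing suspicious seen", not as proof.

// True when the function's source text is the engine's native-code marker.
function looksNative(fn) {
  return typeof fn === 'function' &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Returns a list of findings; an empty list means neither signal fired.
function assessRegistration(container, reg) {
  const findings = [];
  if (!looksNative(container.register)) findings.push('register-not-native');
  // A genuine register() resolves with a registration that already holds
  // an installing, waiting or active worker.
  if (!reg || !(reg.installing || reg.waiting || reg.active)) findings.push('no-worker');
  return findings;
}

// Registers, then reports whether worker-side logic can be assumed to run.
// Whatever the answer, checks the worker performs must also be enforced
// server-side, because the worker layer is under the client's control.
async function registerAndVerify(container, scriptUrl) {
  const reg = await container.register(scriptUrl);
  const findings = assessRegistration(container, reg);
  return { usable: findings.length === 0, findings };
}

// Constructed stand-ins (assumptions): not the extension's code, not a browser.
const inertContainer = { // resolves successfully, but no worker exists
  register: async () => ({ installing: null, waiting: null, active: null, scope: '/' }),
};
const liveContainer = { // a bound function prints as native code, like a built-in
  register: (async () => ({ installing: { state: 'installing' }, waiting: null, active: null }))
    .bind(null),
};

registerAndVerify(inertContainer, '/sw.js').then((r) => console.log('inert:', r));
registerAndVerify(liveContainer, '/sw.js').then((r) => console.log('live:', r));
```

In a browser, pass navigator.serviceWorker as the container.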
- Target: secure-bank.com uses SW to add tokens or encrypt payloads.
- Action: Do not whitelist. SW is nullified.
- Result: Intercept proxy sees raw API traffic. Test injection, tampering, bypasses.
2. De-cloaking Hidden Endpoints
- Target: content-delivery.net proxies all API calls through SW.
- Action: Disable SW.
- Result: App falls back to direct requests, exposing real backend URLs.
- Target: shiny-app.io with complex PWA logic.
- Action: Nullify SW.
- Result: Legacy app path loads. Older vulnerabilities may be exposed.
Not on Chrome Web Store. Load manually:
git clone https://github.com/4ndr0666/4ndr0serviceguard.git
- Go to chrome://extensions.
- Enable Developer mode.
- Click Load unpacked and select the repo folder.
- Extension icon appears in toolbar.
Click the icon to open control popup:
- Nullifier Protocol Switch: Master on/off toggle.
- Whitelist Textarea: Add domains (one per line). Subdomains included automatically. Reload pages after edits.
- Default-deny applied immediately when extension is loaded.
- Use whitelist to scope Service Worker restoration during active engagements.
- Reload the target tab after whitelist changes.
- MAIN World Injection: Same privilege as site scripts.
- API Monkey-Patching: Save and overwrite original navigator.serviceWorker methods.
- Deceptive Resolution: Return fake ServiceWorkerRegistration objects to avoid detection.
- Surgical Restoration: Reinstate originals on whitelisted domains.
- No build process.
- Modify JS source directly to fit engagement needs.
- Reload via chrome://extensions after editing.
PRs and issues are welcome. Bug fixes, new features, and operational improvements encouraged.
Licensed under the MIT License. See LICENSE.