PostMessage Vulnerabilities
The PostMessage API is an alternative to JSONP and to XHR requests with CORS headers for sending data between origins. To understand PostMessage, you need to understand cross-origin communication in modern browsers.
Modern web browsers employ an important security mechanism known as the Same Origin Policy (SOP) that acts as a security boundary between web pages loaded from different “origins”.
The same-origin policy is a critical security mechanism that restricts how a document or script loaded by one origin can interact with a resource from another origin.
The following table gives examples of origin comparisons with the URL http://store.company.com/dir/page.html

| URL | Outcome | Reason |
|---|---|---|
| http://store.company.com/dir2/other.html | Same Origin | Only the Path differs |
| http://store.company.com/dir/inner/another.html | Same Origin | Only the Path differs |
| https://store.company.com/page.html | Failure | Different protocol |
| http://store.company.com:81/dir/page.html | Failure | Different port |
| http://news.company.com/dir/page.html | Failure | Different host |
PostMessage()
The window.postMessage() method safely enables cross-origin communication between Window objects; e.g., between a page and a pop-up that it spawned, or between a page and an iframe embedded within it.
Syntax:
targetWindow.postMessage(message, targetOrigin, [transfer]);
Sending a message:
targetWindow.postMessage("unstable was here", "*");
Receiving a message:
window.addEventListener("message", function(message){console.log(message.data)});
To send a message, the application calls the postMessage() function with a message and a target origin, which in this case is a wildcard.
At the receiving end, a "message" event handler can be used.
Vulnerabilities
If PostMessage is not implemented correctly, it can lead to cross-site scripting vulnerabilities or, in some cases, information disclosure.
How to test?
XSS
Most of the time, XSS arises when the receiving end does not validate the origin of the message. So if you don't see the following origin validation code at the receiver end, there might be a chance for XSS:
window.addEventListener("message", (event) => {
  // Drop any message that does not come from the expected origin
  if (event.origin !== "http://safe.com")
    return;
  // ...
});
Also, at the parent window, the target origin must be set to a wildcard for the XSS to be possible:
targetWindow.postMessage("xss", "*");
When there is no validation on the child window, an attacker can host a different webpage with the XSS payload as per the functionality.
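An added example (not code from the original post): a receiver without the origin check next to a hardened one. Beyond the origin check shown above, it also validates the message shape and writes through textContent; the function names, the message format and http://widget.example are assumptions.

```javascript
// Added example: TRUSTED_ORIGINS, vulnerableReceiver, hardenedReceiver and
// sendGreeting are hypothetical names; http://safe.com is the article's origin.
const TRUSTED_ORIGINS = new Set(["http://safe.com"]);
const RECEIVER_ORIGIN = "http://widget.example"; // constructed receiver origin

// Vulnerable: accepts a message from any origin and writes it into an HTML sink.
function vulnerableReceiver(outputEl) {
  return (event) => {
    outputEl.innerHTML = event.data;
  };
}

// Hardened: exact-match origin allow-list, shape check on the data, text-only sink.
function hardenedReceiver(outputEl) {
  return (event) => {
    // Exact comparison only: "http://safe.com.evil.example" must not pass.
    if (!TRUSTED_ORIGINS.has(event.origin)) return "rejected-origin";
    const data = event.data;
    if (typeof data !== "object" || data === null ||
        data.type !== "greeting" || typeof data.text !== "string" ||
        data.text.length > 200) {
      return "rejected-data";
    }
    outputEl.textContent = data.text; // never parsed as markup
    return "accepted";
  };
}

// Sender: name the receiver's origin instead of "*", so the browser delivers the
// message only if the target window still holds a document from that origin.
function sendGreeting(targetWindow, text) {
  targetWindow.postMessage({ type: "greeting", text }, RECEIVER_ORIGIN);
}

// In a page: window.addEventListener("message", hardenedReceiver(someElement));
// Constructed events and a stand-in element, so the logic also runs outside a browser.
function demo() {
  const el = { innerHTML: "", textContent: "" };
  const handle = hardenedReceiver(el);
  const markup = "<b>hi</b>";
  return [
    handle({ origin: "http://evil.example", data: { type: "greeting", text: "hi" } }),
    handle({ origin: "http://safe.com.evil.example", data: { type: "greeting", text: "hi" } }),
    handle({ origin: "http://safe.com", data: markup }),
    handle({ origin: "http://safe.com", data: { type: "greeting", text: markup } }),
    el.textContent === markup && el.innerHTML === "",
  ];
}
```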
Detection
The way to detect PostMessage vulnerabilities is to read the JavaScript code. There are some tools that can help you to some extent. The easiest way is to use the developer console, where the registered listeners are shown under Sources -> Global Listeners. Other tools, such as PMHook with TamperMonkey, can also be used.