HTML5 Messaging (Post Message)
1 like882 views
This document discusses HTML5 postMessage and cross-origin messaging. It begins with an overview of postMessage, how it works, and how it can be exploited in cross-site scripting attacks. It then explains how the same-origin policy impacts postMessage and provides examples of same-origin violations. The document emphasizes that to prevent XSS, the postMessage origin must be correctly checked. It includes code demos and references to illustrate postMessage workings, attacks, and proper origin validation.
![postMessage?
Syntax
window.postMessage(message, targetOrigin [, ports])
Example
window.postMessage(msg-here, *)](https://image.slidesharecdn.com/html5messagingpostmessage-200514095855/85/HTML5-Messaging-Post-Message-11-320.jpg)
HTML5 Messaging (Post Message)
- 1. HTML5 Messaging (postMessage) By - Parth Jhankharia Date - 14/5/2020
- 2. ~$whoami Security Analyst Twitter @Aee_Parth
- 3. postMessage-Overview Working Exploitation Remediation References
- 4. postMessage Supported Browsers From:- https://caniuse.com/#search=postMessage
- 5. postMessage? Controlled mechanism to circumvent SOP. Dispatches Message Event. Type (Always message). Data (User Supplied). Origin (Origin of the window calling). Source (window Calling).
- 6. Same Origin Policy Port Protocol Host
- 11. postMessage? Syntax window.postMessage(message, targetOrigin [, ports]) Example window.postMessage(msg-here, *)
- 13. postMessage Demo
- 14. postMessage Attacks XSS Information leakage.
- 15. postMessage Xss No origin validation on the target. Attacker crafts a malicious page having an xss payload Sending the payload from attackers domain. XSSed.
- 18. So How Do We Fix It?
- 19. So How Do We Fix It?
- 20. So How Do We Fix It? You have to check the origin.
- 21. So How Do We Fix It? You HAVE to check the origin.
- 22. So How Do We Fix It? You HAVE to check the origin. CORRECTLY
- 26. Reference /LukasKlein1/attacking-and-defending-html5-p ostmessage-in-mobile-websites /mitchbox/ltiframe-communication-in-javascript https://github.com/shurmajee/postmessage-vulnerability-demo https://medium.com/javascript-in-plain-english/javascript-and-window-po stmessage-a60c8f6adea9 https://www.cs.utexas.edu/~shmat/shmat_ndss13postman.pdf
- 27. Resources /danwrong/building-anywhere-for-txjs /tomasperezv/sandboxed-platform https://public-firing-range.appspot.com/dom/index.html /peterlubbers/html5-realtime-and-connectivity https://www.youtube.com/watch?v=FTeE3OrTNoA&t=862s
- 28. More Resources
- 30. Thank You!