
HTML5 Messaging (Post Message)

Learn the basic concept of HTML5 postMessage and an attack scenario, by Parth Jankharia.

Published in: Software

  1. HTML5 Messaging (postMessage) By - Parth Jhankharia Date - 14/5/2020
  2. ~$whoami ● Security Analyst ● Twitter @Aee_Parth
  3. postMessage - Overview ● Working ● Exploitation ● Remediation ● References
  4. postMessage Supported Browsers From:- https://caniuse.com/#search=postMessage
  5. postMessage? ● Controlled mechanism to circumvent SOP. ● Dispatches a “Message Event”. ● Type (always “message”). ● Data (user supplied). ● Origin (origin of the calling window). ● Source (calling window).
  6. Same Origin Policy ● Port ● Protocol ● Host
  7. Same Origin Policy https://net-square.com/ https://net-square.com/whateva/
  8. Same Origin Policy https://net-square.com/ https://subdomain.netsquare.com/
  9. Same Origin Policy https://net-square.com/ https://net-square.com:1337/
  10. Same Origin Policy https://net-square.com/ http://net-square.com/
  11. postMessage? ● Syntax: window.postMessage(message, targetOrigin [, ports]) ● Example: window.postMessage("msg-here", "*")
  12. postMessage Working Via:- https://medium.com/javascript-in-plain-english/javascript-and-window-postmessage-a60c8f6adea9
  13. postMessage Demo
  14. postMessage Attacks ● XSS ● Information leakage.
  15. postMessage XSS ● No origin validation on the target. ● Attacker crafts a malicious page having an XSS payload. ● Sending the payload from the attacker’s domain. ● XSS’ed.
  16. postMessage XSS Via:- https://github.com/shurmajee/postmessage-vulnerability-demo
  17. postMessage XSS Demo
  18. So How Do We Fix It?
  19. So How Do We Fix It?
  20. So How Do We Fix It? ● You have to check the origin.
  21. So How Do We Fix It? ● You HAVE to check the origin.
  22. So How Do We Fix It? ● You HAVE to check the origin. ● CORRECTLY
  23. postMessage Origin Via:- https://github.com/shurmajee/postmessage-vulnerability-demo
  24. postMessage Origin Demo
  25. Incorrect Origin Checks
  26. Reference ● https://www.slideshare.net/LukasKlein1/attacking-and-defending-html5-postmessage-in-mobile-websites ● https://www.slideshare.net/mitchbox/ltiframe-communication-in-javascript ● https://github.com/shurmajee/postmessage-vulnerability-demo ● https://medium.com/javascript-in-plain-english/javascript-and-window-postmessage-a60c8f6adea9 ● https://www.cs.utexas.edu/~shmat/shmat_ndss13postman.pdf
  27. Resources ● https://www.slideshare.net/danwrong/building-anywhere-for-txjs ● https://www.slideshare.net/tomasperezv/sandboxed-platform ● https://public-firing-range.appspot.com/dom/index.html ● https://www.slideshare.net/peterlubbers/html5-realtime-and-connectivity ● https://www.youtube.com/watch?v=FTeE3OrTNoA&t=862s
  28. More Resources
  29. Questions/Thoughts/Feedback?
  30. Thank You!
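The "check the origin, CORRECTLY" point of slides 20-25, as an added example that is not from the deck or the linked demo repository: a postMessage receiver with a strict origin allow-list beside the loose substring check the "Incorrect Origin Checks" slide refers to. The trusted origins, the sample events and the looseOriginCheck pattern are assumptions, and the events are plain objects so it runs under Node without a DOM.

```javascript
// Added example, not from the slides: receiver-side origin validation for
// window.postMessage. Plain objects stand in for MessageEvent so it runs in Node.

// Constructed allow-list: the exact origins (scheme://host[:port]) we trust.
const TRUSTED_ORIGINS = new Set([
  "https://net-square.com",
  "https://app.net-square.com:1337",
]);

// Correct check: parse the origin and compare the normalized origin string
// exactly, so protocol, host and port must all match (the SOP triple).
function isTrustedOrigin(origin) {
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (_) {
    return false; // "null" (opaque origin of a sandboxed iframe) or garbage
  }
  return TRUSTED_ORIGINS.has(parsed.origin);
}

// Loose check of the kind the "Incorrect Origin Checks" slide refers to
// (illustrative pattern assumed here): a substring test that any origin
// merely containing the trusted host name satisfies.
function looseOriginCheck(origin) {
  return origin.indexOf("net-square.com") !== -1;
}

// Receiver: handle a message only if its sender's origin is trusted, and
// treat the data as text (textContent), never as HTML (innerHTML).
function handleMessage(event) {
  if (!isTrustedOrigin(event.origin)) {
    return { accepted: false, reason: "untrusted origin " + event.origin };
  }
  return { accepted: true, text: String(event.data) };
}

// Constructed sample events: one genuine, one from a look-alike origin that
// the loose check accepts and the strict check rejects.
const fromTrusted = { origin: "https://net-square.com", data: "hello" };
const fromLookalike = {
  origin: "https://net-square.com.attacker.example",
  data: "<constructed markup>",
};
```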