Download Paper: Hunting postMessage Vulnerabilities
Download Sample Code: sample code
Sec-1 Ltd partnered with AppCheck.com to undertake a research project investigating the security challenges posed by next-generation web applications. The project included an investigation of the cross-origin communication mechanisms provided by HTML5, including postMessage and CORS.
One of the key findings of the research is that vulnerabilities introduced through insecure postMessage implementations are frequently missed both by security scanners and by consultants performing manual review.
Summary of findings:
- Cross-Origin communication via postMessage introduces a tainted data source that is difficult to identify using currently available tools.
- Cross-Site Scripting and information disclosure vulnerabilities resulting from insecure postMessage code were identified across many Fortune 500 companies and websites listed in the Alexa Top 10. Three case study reports (Adobe, Apple iCloud and YouTube) are included within this paper.
- Discussions with members of the development and information security communities show that the vulnerabilities demonstrated within this document are poorly understood. In many cases postMessage events were not readily identified as a potential source of malicious tainted data.
- In many cases vulnerable code is introduced via third party libraries and therefore may undermine the security of an otherwise secure application.
This paper aims to provide an overview of the most common postMessage security flaws and introduce a methodology and toolset for quickly identifying vulnerabilities during the course of a Black-box security assessment.
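The handler patterns below are an added example written for this page; they are not code from the Sec-1 paper or its sample code. They show why a message event is a tainted data source: the first handler performs no origin check, the second uses the substring check that often passes review but still accepts attacker-controlled origins, and the third uses an exact-match allow-list with a text sink. Two reply functions show the information disclosure side, where a secret is returned with `"*"` as the target origin versus pinned to the validated sender. The origins, the DOM sink, the sending window and the message events are constructed stand-ins so the logic runs under Node; in a browser the handler would be registered with `window.addEventListener("message", handler)`.

```javascript
// Added example (not code from the Sec-1 paper or its sample code): message
// handlers illustrating common postMessage mistakes. Event objects, the DOM
// sink and the sending window are constructed stand-ins so this runs in Node.

// Constructed attacker payload: markup that executes if written via innerHTML.
const XSS_MARKUP = '<img src=x onerror="alert(document.domain)">';

// Assumed origins for the scenario (not taken from the paper).
const TRUSTED_ORIGIN = "https://app.example.com";
const ATTACKER_ORIGIN = "https://app.example.com.evil.test"; // contains "example.com"

const TRUSTED_ORIGINS = new Set([TRUSTED_ORIGIN]);

// Stand-in for a DOM element: records whether markup or text was written.
function makeSink() {
  return { innerHTML: "", textContent: "" };
}

// Stand-in for event.source: records every reply and its target origin.
function makeSource() {
  const sent = [];
  return { sent, postMessage(data, targetOrigin) { sent.push({ data, targetOrigin }); } };
}

// Build a message event shaped like the one a browser delivers.
function makeEvent(origin, data, source) {
  return { origin, data, source: source || makeSource() };
}

// 1. No origin check at all. Any window holding a reference to this one
//    (opener, parent, embedded frame) can push arbitrary data into the sink.
function handlerNoOriginCheck(event, sink) {
  sink.innerHTML = String(event.data);
  return "written";
}

// 2. Substring origin check. A frequent attempt at validation; it still
//    accepts any origin that merely contains the expected string.
function handlerSubstringCheck(event, sink) {
  if (event.origin.indexOf("example.com") === -1) return "rejected";
  sink.innerHTML = String(event.data);
  return "written";
}

// 3. Exact-match allow-list plus a text sink. The origin must equal a known
//    scheme://host[:port] value, and the data is written as text, not markup.
function handlerAllowList(event, sink) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return "rejected";
  if (typeof event.data !== "string") return "rejected";
  sink.textContent = event.data;
  return "written";
}

// Information-disclosure variant: the handler replies with sensitive data.
// Using "*" as the target origin hands the secret to whichever window asked.
function replyToAnyWindow(event, secret) {
  event.source.postMessage(secret, "*");
  return true;
}

// Hardened reply: validate the sender, then pin the reply to that exact
// origin so a window that has since navigated elsewhere cannot receive it.
function replyToTrustedOnly(event, secret) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;
  event.source.postMessage(secret, event.origin);
  return true;
}

// Does the attacker's markup reach an innerHTML sink through this handler?
function attackerMarkupReachesSink(handler) {
  const sink = makeSink();
  handler(makeEvent(ATTACKER_ORIGIN, XSS_MARKUP), sink);
  return sink.innerHTML === XSS_MARKUP;
}

// Does a legitimate message from the trusted origin still get through?
function trustedMessageAccepted(handler) {
  const sink = makeSink();
  return handler(makeEvent(TRUSTED_ORIGIN, "hello"), sink) === "written";
}

// Does a request from the attacker origin get the secret back?
function secretLeaksToAttacker(replyFn) {
  const source = makeSource();
  replyFn(makeEvent(ATTACKER_ORIGIN, "getSecret", source), "session-token");
  return source.sent.some((m) => m.data === "session-token");
}

// Quick demonstration when run directly with `node`.
console.log({
  noCheck: attackerMarkupReachesSink(handlerNoOriginCheck),    // true
  substring: attackerMarkupReachesSink(handlerSubstringCheck), // true
  allowList: attackerMarkupReachesSink(handlerAllowList),      // false
  leaks: secretLeaksToAttacker(replyToAnyWindow),              // true
  pinned: secretLeaksToAttacker(replyToTrustedOnly),           // false
});
```

The substring case is the one to look for during a black-box review: `indexOf`, `match` or a loosely anchored regular expression on `event.origin` is easy to mistake for a real check, but only an exact comparison against a fixed list of `scheme://host[:port]` values rejects origins such as the constructed `https://app.example.com.evil.test`. Where a handler replies, the target origin passed to `postMessage` deserves the same scrutiny as the incoming origin.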
Proof of Concept Example: iCloud.com
The following video demonstrates a postMessage flaw identified within the Apple iCloud service. A full analysis of the flaw can be found within the Hunting postMessage Vulnerabilities whitepaper.
Proof of Concept: YouTube.com
The following video demonstrates a postMessage flaw identified within YouTube.com. A full analysis of the flaw can be found within the Hunting postMessage Vulnerabilities whitepaper.