X CLOSE

Enter your email below to sign up for latest updates from Appcheck NG.

CLOSE

Simply complete the info below and we'll send you all you need to activate AppCheck NG and undertake your FREE scan.

Please enter individual IP addresses or ranges

Please enter full URLs for your web applications, and both http and https where appropriate

Hunting HTML 5 PostMessage Vulnerabilities


Download Paper: Hunting postMessage Vulnerabilities

Download Sample Code: sample code

AppCheck partnered with Sec-1 Ltd (http://www.sec-1.com) to undertake a research project investigating the security challenges posed by next generation web applications. The project included an investigation of Cross-Origin communication mechanisms provided via HTML5 including postMessage and CORS.

One of the key findings from the research shows that vulnerabilities introduced through an insecure postMessage implementation are frequently missed by security scanners and consultants performing manual review.

Summary of findings:

This paper aims to provide an overview of the most common postMessage security flaws and introduce a methodology and toolset for quickly identifying vulnerabilities during the course of a Black-box security assessment.

Proof of Concept Example: iCloud.com

The following video demonstrates a postMessage flaw identified within the Apple iCloud service. A full analysis of the flaw can be found within the Hunting postMessage Vulnerabilities whitepaper

Proof of Concept: YouTube.com

The following video demonstrates a postMessage flaw identified within YouTube.com. A full analysis of the flaw can be found within the Hunting postMessage Vulnerabilities whitepaper