Hunting HTML 5 PostMessage Vulnerabilities

Download Paper: Hunting postMessage Vulnerabilities

Download Sample Code: sample code

AppCheck partnered with Sec-1 Ltd (www.sec-1.com) to undertake a research project investigating the security challenges posed by next generation web applications. The project included an investigation of Cross-Origin communication mechanisms provided via HTML5 including postMessage and CORS.

One of the key findings from the research shows that vulnerabilities introduced through an insecure postMessage implementation are frequently missed by security scanners and consultants performing manual review.

 

Summary of findings:

 

  • Cross-Origin communication via postMessage introduces a tainted data source that is difficult to identify using currently available tools.
  • Cross-Site Scripting and Information disclosure vulnerabilities as a result of insecure postMessage code were identified across many Fortune 500 companies and websites listed within the Alexa Top 10. Three case study reports (Adobe, Apple iCloud and YouTube) are included within this paper.
  • Discussion with members of the development and information security communities show that the vulnerabilities demonstrated within this document are poorly understood. In many cases postMessage events were not readily identified as a potential source for malicious tainted data.
  • In many cases vulnerable code is introduced via third party libraries and therefore may undermine the security of an otherwise secure application.

This paper aims to provide an overview of the most common postMessage security flaws and introduce a methodology and toolset for quickly identifying vulnerabilities during the course of a Black-box security assessment.

 

Proof of Concept Example: iCloud.com

 

The following video demonstrates a postMessage flaw identified within the Apple iCloud service. A full analysis of the flaw can be found within the Hunting postMessage Vulnerabilities whitepaper

 

 

Proof of Concept: YouTube.com

 

The following video demonstrates a postMessage flaw identified within YouTube.com. A full analysis of the flaw can be found within the Hunting postMessage Vulnerabilities whitepaper

 

Get started with Appcheck

No software to download or install.

Contact us or call us 0113 887 8380

Start your free trial
POPULAR
RECENT ARTICLES
RELATED
Services
Company
Resources
Keep in touch

AppCheck Ltd. is a company registered in England and Wales with company number 06888174

Start your free trial

Simply complete the form and we’ll send you all you need to activate AppCheck and undertake your FREE scan.
Your details
IP Addresses
URLs

Get in touch

Please enable JavaScript in your browser to complete this form.
Name