Exploiting postMessage

With real world example:

DOM: — To understand it first we have to learn about DOM.

DOM is a programming API for HTML and XML documents which decides their structure and the way they are processed.

DOM XSS attack wherein the attack payload is executed because of modifying the DOM “environment” in the victim’s browser used by the original client-side script, so that the client-side code runs in an “unexpected” manner. That is, the page itself does not change, but the client-side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.

It is an attack against client side that fetch data from GET strings or parameter and put it into the web page without escaping it.

This example has a welcome page, which displays the name of the users using the name parameter.

Usual scenario:

http://www.evil.site/welcome.html#name=Joe

Exploit scenario:

http://www.evil.site/welcome.html#name=Joe is a dashboard customized for Joe.

Here is how a DOM-based XSS attack can be performed for this web application:

· The attacker embeds a malicious script in the http://www.evil.com/welcome.html#name=<script>alert(document.cookie)</script>

· The victim’s browser receives this URL, sends an HTTP request to http://www.evil.com, and receives the static HTML page.

· The browser starts building the DOM of the page and populates the document.cookie property from the name parameter.

· The browser parses the HTML page, reaches the script, and runs it, executing the malicious content from the document.cookie .

The browser finds the JavaScript code in the HTML body and executes it.

JavaScript communicate between different domains by using iframes and cross Origin Policy. This can be achived with iframes and windows objects. This property mostly used for rendering ads on the domains and all

How To use/Embed communicate with postMessage event??

· By invoking postMessage method or by setting onmessage event handler we can communicate with the postMessage. Here we are using “postMessage” method with the iframe so with iframe can communicate with the postMessage event.

· For sending message from one document to another document, begin obtaining a reference to the window by its “contentWindow” property.

contentWindow.postMessage(message, targetOrigion,transfer)

· contentWindow: To reference used <iframe> from its parent window.

· Message: Data in form of string or object that we want to send to receiving window while communicating.

· TargetOrigin: Domain to which message should have to be sent or domain which have the postMessage event with which we want to communicate.

We need to invoke the eventlistner event on the website using postMessage and must execute some of the malicious script on the domain.

We first need to check whether the website have the ability to receive data from the postMessage event so we can communicate with it and can execute my malicious script on the domain.

While crawling I noticed that source code of home page uses “addEventListener“.

In above script event listener is defining a message with a function that will display the data received on the webpage. Therefore, we have to craft a payload which sends data to this eventlistener which will be directly displayed on the webpage.The payload which we will use to invoke the postmessage call is

<iframe src=”<Application URL>” onload=”this.contentWindow.postMessage(‘<img src=1 onerror=alert(document.cookie)>’,’*’)”>

The src attribute will have the URL of the application which have this event.

And we are posting malicious script tags using the post message event.

After inserting src:

As we know, “Window.postMessage” enable secure communication between windows/frames that are hosted on different domains. So when iframe tag loads, “postmessage()” method sends a message to a domain where event listener exists which take message and inserts it into div tag . So as in our payload “img” attribute has invalid “src” which throws an error and “onerror” event handler executes. As soon “onerror” methods invokes due the invalid src attribute the website will experience a popup with the cookie assigned by the website.

So that how we can use the postMessage function for the malicious purposes.

As we saw in above example DOM-XSS happens at client side as payloads can not reach the server.

· If you are using “eventlistener” which is used to render the data from different domains, it is advised that you use domain whitelisting from which the message can be posted.

· Mostly root cause resides in the code, which is client side.

· Use ‘Accept known good’ input validation technique to sanitize client side code by inspecting DOM objects and it’s references i.e. Any data that doesn’t match expectation should be rejected. Validation routines should check the data for length, type and format.

· Avoid direct redirection of client side data towards client side where some sensitive actions are performed.

· Can use any (IPS/IDS) that can inspect Dom objects and take appropriate actions.