PostMessage Xss vulnerability on private program

3 years ago 195
BOOK THIS SPACE FOR AD
ARTICLE AD

Youghourta Ghannei

First to understand postMessage xss attack you need to understand this two things :

postMessage:

The window.postMessage() method safely enables cross-origin communication between Window objects; e.g., between a page and a pop-up that it spawned, or between a page and an iframe embedded within it.

postMessage xss :

is a dom based xss that is happened when the postMessage is not implemented properly(without origin verification) , and untrusted data received from other host are added to the dom without any filtration

Start :

while i was doing some research on a website of a private program , I got a notification from postMessage-tracker (extension on google chrome which notify you when a postmessage interaction is detected ) .

notification from postMessage tracker

after getting this notification i thought maybe I can find something juicy , and exploit some vulnerability .

after searching on all this postMessages , I found this one :

postMessage script

you can see the “message” event listener is added here and waiting for postMessage without any verification of the Origin host.

and there are some if conditions (it is normal to be passed because it only depends on the message which will be sent from the attacker host )

there are 2 functions that you need to understand here :

1 — “getDataFromEvent”

2 — “createFloatingPageElement”

creatFloatingPageElement function

getDataFromEvent function

getDataFromEvent” : used to extract the data from the received message (which is called in our case event you can see the postMessage script figure and you will notice the name of the variable in the addEventListener is called “event”)

createFloatingPageElement” : used to create an iframe inside the dom ,

this iframe contain 3 controlled attributes ; src,name,id

the value of this three attributes are gathered from the postMessage sent from the attacker host .

and as you can see there is no sanitizing for this three values inside the js code .

as you can see in the “createFloatingPageElement” figure this is the main part :

<iframe src=”${url}” name=”${name}” id=”${id}”></iframe>

this three variables ($url , $name,$id) are passed on parameters of the function “createFLoatingPageElement” , and the values of this values are gained after fetching the data of the message using “getDataFromEvent” function .

now after understanding the code we need to exploit this vulnerability , the only way is to add inline EventListener inside the iframe like (onclick , onload , onerror ,….)

so we think to make the iframe looks like that :

<iframe src=”url” onload=”document.cookie” name=”name” id=”id”></iframe>

so here we need to send a payload in some parameters and send it on postMessage and the payload should look like that :

<script>
function SendMessage() {
var IframeElement = document.getElementById('VulnerableSiteIframe');
var message = {"message":"e:openFloatingPage","data":{
"id":"1234gghq",
"name":"tayba",
"url":"https://www.framable.com\"+onload=alert()"
}};
IframeElement.contentWindow.postMessage(message, '*');
};
<iframe id="VulnerableSiteIframe" height="400" width="1024" src="https://redacted.com/bootstrap.php" onload="SendMessage()"></iframe>
</script>

now after using this payload , i found that the page is using x-frame-options header is used on sameorigin mode so i can not exploit this xss on this page .

i was disappointed but i thought maybe i can find other page .

i used dirsearch to find any other page .

and i found many pages but all of it redirect me to the first page (bootstrap.php ) , only one page does not do that which is download.php

after trying to access this page i got this error :

“invalid parameters !!!”

when i read this error , the first thing in my mind is Arjun .

i used arjun to find any hidden parameters and finally, i was able to find one parameter that leads me to see a normal error page that contains also the same postMessage problem and without any x-frame-options header .

the parameter as you can see is “p”

after trying random value for “p” parameter this is the result of the page :

as you can see the notification from the postMessage tracker extension is the same as the first figure .

and here as you can see we was able to frame this page :

now we can frame this page and send the payload and see how it will work .

<script>
function SendMessage() {
var IframeElement = document.getElementById('VulnerableSiteIframe');
var message = {"message":"e:openFloatingPage","data":{
"id":"1234gghq",
"name":"tayba",
"url":"https://www.anything.com\"+onload=alert(document.cookie)"
}};
IframeElement.contentWindow.postMessage(message, '*');
};
<iframe id="VulnerableSiteIframe" height="400" width="1024" src="https://redacted.com/download.php?p=jjjj" onload="SendMessage()"></iframe>
</script>

the url attribute of the object “data” should contain a real url because of the isUrl check (you can see it in the figure “createFloatingPageElement”) , will verify that there are https://anyurl.com/anythingyouwant

now after sending this payload we got the result :

you can see the xss popup .

thanks for reading this write up i hope you got some benefits from it .

Read Entire Article