postMessage “sophisticated” csrf

The JavaScript postMessage API allows communication between iframes and windows on different origins. The receiving window or iframe has to register a listener for "message" events, and every such event carries an event.origin property telling the listener which origin sent it. The point is that many developers handle the message without checking event.origin. That lets you embed the vulnerable site in an iframe on a page you control and attack it with a "sophisticated" CSRF: your page posts crafted messages into the iframe with postMessage, and the site's own listener performs the actions you want, with the victim's cookies and session. If the target refuses to be framed (X-Frame-Options or a CSP frame-ancestors directive), the same attack works against a window opened with window.open, since the listener still receives your message.
So when doing a pentest or code review, you should always grep for window.addEventListener('message', ...) and onmessage = assignments, and verify that the handling code compares event.origin against an exact expected origin before doing anything with the data. A check on event.source alone, or on a field inside the message body, is not enough, because the sender controls both.
