postMessage “sophisticated” csrf

The JavaScript postMessage API lets windows and iframes on different origins exchange messages, but only if the receiving window or iframe has registered a "message" listener. The point is that many developers register such listeners without checking event.origin. That lets an attacker embed the vulnerable site in an iframe on a page they control and drive it with a kind of "sophisticated" CSRF: the hostile page posts messages into the iframe, and the unchecked handler performs whatever state-changing actions those messages request, using the victim's logged-in session. (If the site blocks framing with X-Frame-Options or CSP frame-ancestors, the attacker can open it with window.open and post to the returned window handle instead.)
So when doing a pentest or code review, always grep for window.addEventListener('message', ...) and verify that the handler compares event.origin against an exact allow-list of expected origins (not a substring or prefix match, which "https://app.example.evil.com" would satisfy) and validates the message structure before acting on it. Otherwise the handler is vulnerable to this "sophisticated" CSRF.
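The listener described above, as an added example that is not part of the original post: a handler that trusts any sender next to a hardened version with an exact-origin allow-list and message validation. The application state, the "changeEmail" action, the origins https://app.example and https://evil.example, and the message objects are all constructed for this illustration; the event objects stand in for the browser's MessageEvent so the two handlers can be run under Node.

```javascript
// Added example (not from the original post). The event objects below are
// constructed stand-ins for a browser MessageEvent; in a real page
// event.origin is set by the browser and cannot be forged by the sender.

// Hypothetical application state that a message handler mutates.
function makeApp() {
  return { email: "alice@app.example", log: [] };
}

// Vulnerable handler: never looks at event.origin, so any page that frames
// the site (or opened it via window.open) can trigger the action.
function vulnerableHandler(app) {
  return function (event) {
    const msg = typeof event.data === "string" ? JSON.parse(event.data) : event.data;
    if (msg && msg.action === "changeEmail") {
      app.email = msg.email; // state-changing action, no origin check
      app.log.push("changed by " + event.origin);
    }
  };
}

// Hardened handler: exact-match origin allow-list first, then structural
// validation of the message. A startsWith/indexOf check on the origin is a
// classic mistake: "https://app.example.evil.com" would pass it.
function hardenedHandler(app, allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return function (event) {
    if (!allowed.has(event.origin)) {
      app.log.push("rejected " + event.origin);
      return;
    }
    let msg;
    try {
      msg = typeof event.data === "string" ? JSON.parse(event.data) : event.data;
    } catch (e) {
      return; // malformed payload from a trusted origin is still ignored
    }
    if (!msg || typeof msg !== "object" || msg.action !== "changeEmail") return;
    if (typeof msg.email !== "string") return;
    app.email = msg.email;
    app.log.push("changed by " + event.origin);
  };
}

// What a hostile framing page would send (constructed):
//   <iframe src="https://app.example/settings"></iframe>
//   frames[0].postMessage({action: "changeEmail", email: "attacker@evil.example"}, "*");
const attackerEvent = {
  origin: "https://evil.example",
  data: { action: "changeEmail", email: "attacker@evil.example" },
};
// A legitimate same-origin message (constructed).
const legitEvent = {
  origin: "https://app.example",
  data: { action: "changeEmail", email: "alice2@app.example" },
};

// Returns the e-mail after the attacker's message hits the vulnerable handler.
function runVulnerable() {
  const app = makeApp();
  vulnerableHandler(app)(attackerEvent);
  return app.email;
}

// Returns the state after the hardened handler sees the attack, then a legit message.
function runHardened() {
  const app = makeApp();
  const handle = hardenedHandler(app, ["https://app.example"]);
  handle(attackerEvent);
  const afterAttack = app.email;
  handle(legitEvent);
  return { afterAttack: afterAttack, afterLegit: app.email, log: app.log };
}

// In a real page the hardened handler is wired up as:
//   window.addEventListener("message", hardenedHandler(app, ["https://app.example"]));
if (typeof require !== "undefined" && require.main === module) {
  console.log(runVulnerable()); // attacker@evil.example
  console.log(runHardened());   // afterAttack unchanged, afterLegit updated
}
```

Note that the allow-list is of full origins (scheme, host and port), not hostnames, and that the origin check comes before any parsing of the payload, so untrusted data is never interpreted at all.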