The web messaging exploiter is a tool for monitoring and attacking web messaging (the HTML5 postMessage API), which lets a web page send data to and receive data from its iframes. Because these messages travel inside the browser between the parent page and the iframe, they never touch the network and cannot be seen by any proxy tool. The web messaging exploiter is a web-page proxy: it sits between the parent page and the iframe, displays the traffic in both directions, and lets you inject your own messages.
Web messaging exploiter URL:
http://attacker-site.com/html5/web_messaging/web_messaging_exploiter.htm
Web messaging proxy URL:
http://attacker-site.com/html5/web_messaging/web_messaging_proxy.htm
This tool is based on the HTML5_attack_framework.
Demo
You can see how it works by opening the web messaging exploiter in one tab and the web messaging victim parent in a second tab.
Every five seconds the victim parent sends the same message to the victim client, and the victim client sends back a response. You will see their conversation in the web messaging exploiter page and can use it to send either side a message of your own.
How to use it
Let's define some terms:
Web Messaging Exploiter – the Web Messaging Exploiter page.
Proxy-page – the web messaging proxy page.
Victim-parent – the web page that contains the iframe.
Victim-client – the web page loaded inside the iframe of the victim-parent page.
How to set it up:
- Open the Web Messaging Exploiter page and enter the victim-client's URL.
- Open the victim-parent page and change its iframe src to the proxy-page URL.
- Because the proxy-page is now loaded from a different origin than the victim-client, any origin validation in the application will stop the messages. For the test setup, remove that validation:
a. Messages are sent to the iframe or to the parent with postMessage, and the call looks like this:
targetWindow.postMessage(msg, targetOrigin); // targetWindow is the iframe's contentWindow or window.parent
Change targetOrigin to an asterisk ("*") in both the parent and the iframe, so the browser delivers the message whatever origin is currently loaded in the frame.
b. If the code that reads incoming messages checks the message origin (event.origin), remove that check as well.
Now the victim-parent page loads the web messaging proxy page, and the proxy page in turn loads the victim-client that the parent would normally load. Note that you can change the iframe URL in the web messaging exploiter even after the web messaging proxy has loaded, and the change takes effect immediately.
You can also send your own messages to the parent or the client from the web messaging exploiter page, to try to inject into or manipulate them.
Exploit the iframe alone
- Browse directly to the web messaging proxy page.
- Open the exploiter page and enter the victim-client's URL. The proxy loads it within half a second. Now you can send messages to the iframe and attack it on its own.
Risks of a web messaging vulnerability:
- XSS (cross-site scripting), if the receiving page handles the message data insecurely.
- CSRF, if the page performs actions on the user's behalf in response to messages without validating their origin.
- Information leakage, if the page sends user information without properly validating the destination origin (for example, posting with "*" as the target origin).