Posta : Cross-document Messaging Security Research Tool

Posta is a tool for researching Cross-document Messaging communication. It allows you to track, explore and exploit postMessage vulnerabilities, and includes features such as replaying messages sent between windows within any attached browser.

Prerequisites

  • Google Chrome / Chromium
  • Node.js (optional)

Installation

Development Environment

Run Posta in a full development environment with a dedicated browser (Chromium):

  • Install Posta

git clone https://github.com/benso-io/posta
cd posta
npm install

  • Launch the dedicated Chromium session using the following command:

node posta<URL>

  • Click on the Posta extension to navigate to the UI

Dev mode includes a local web server that serves a small testing site and the exploit page. When running in dev mode, you can access the exploit page at http://localhost:8080/exploit/

Chrome Extension

Run Posta as a Chrome / Chromium Extension

Clone the repo:

git clone https://github.com/benso-io/posta.git

  1. Navigate to chrome://extensions
  2. Make sure Developer mode is enabled
  3. Click on Load unpacked
  4. Choose the chrome-extension directory inside Posta and upload it to your browser
  5. Load the extension
  6. Pin the extension to your browser
  7. Browse to the website you would like to examine
  8. Click on the Posta extension to navigate to the UI

Tabs

In the Tabs section we can find our main Origin, with the iframes it hosts and communicates with through the session. We can choose the specific frame by clicking on it, and observe the postMessages related to that frame only.

Messages

In the Messages section, we can inspect all postMessage traffic being sent from the origin to its iframes, and vice versa. We can select specific communication for further examination by clicking on it. The Listeners area presents the code which is in charge of handling the communication, we can click and copy its contents for JS code observation.

Console

In the console section, we can modify the original postMessage traffic, and replay the messages with the tampered values which will be sent from the Origin to its iframe.

We should make tests and see if we can affect the behavior of the website by changing the postMessage content. If we manage to do so, it’s time to try and exploit if from a different Origin, by clicking “Simulate exploit”.

Exploit

Click on the “host” button inorder to navigate to the exploitation window.

In the Exploit section, Posta will try and host the specified origin as an iframe in order to initiate postMessage communication. Most of the time we won’t be able to do so, due to X-Frame-Options being enabled on the origin website.

Therefore, in order to continue with our exploitation, we’ll need to gain communication reference with our Origin by initiating the window.open method, which can be achieved by clicking on “Open as tab”.

We have the console to our right which will help us modify and craft our specified payloads and test them in Cross-Origin Communication, initiated by clicking on the Exploit button.

R K

Recent Posts

Install Mono on Ubuntu 18.04: C# Compiler and Runtime Guide

Running programs built for Microsoft's framework on a Linux system is easier than you think. Mono is…

2 hours ago

Install OpenCV on Ubuntu 18.04: Step-by-Step Setup Guide

Computer vision technology powers many modern applications, from image editors to facial scanners. OpenCV (Open Source Computer…

2 hours ago

Install VNC on Ubuntu 18.04: Step-by-Step TigerVNC Setup

A remote desktop interface makes it easy to manage a remote computer. VNC (Virtual Network Computing) is…

3 hours ago

Install Gitea on Ubuntu 18.04: Self-Hosted Git Service Guide

Hosting your own code repositories is a great way to keep your projects private. Gitea is a…

3 hours ago

Install Java on Ubuntu 18.04: OpenJDK 11 and OpenJDK 8

Many modern programs require Java to run. From development tools like Eclipse to search systems…

3 hours ago

Configure a Static IP Address on Ubuntu 18.04: Netplan Guide

Setting a static IP address on your server is a smart move. It ensures your…

1 day ago