top of page
Writer's pictureInfosec In the City (IIC)

Deep Dive Into postMessage Security — by Tatiana Mikhailova

Updated: Dec 26, 2020

SINCON 2020 Conference Insights Track


Day 2 (3 Jan 2021)

2pm—2.45pm

@ Main Stage



Abstract

Web technologies are developing fast and the client-side of web applications is becoming more and more complicated. Among a variety of JavaScript functionality, PostMessage mechanism is an interesting and simple way for cross-domain communication. However, there are still a lot of pitfalls in postMessage implementation that make the web applications vulnerable.


In the first part of the speech, I am going to talk about the history of cross-domain communication and the purpose of postMessage mechanism.


In the second part, I will show the security issues of the mechanism and different ways of its exploitation including interesting tricks.


Finally, I will talk about an approach of searching such vulnerabilities and its automation.


About Tatiana Mikhailova

TATIANA MIKHAILOVA is an Information security researcher and pentester.

121 views0 comments

Comments


Post: Blog2_Post
bottom of page