
Deep Dive Into postMessage Security — by Tatiana Mikhailova

Updated: Dec 26, 2020

SINCON 2020 Conference Insights Track

Day 2 (3 Jan 2021), 2pm—2.45pm @ Main Stage


Abstract

Web technologies are developing fast and the client-side of web applications is becoming more and more complicated. Among a variety of JavaScript functionality, the postMessage mechanism is an interesting and simple way to do cross-domain communication. However, there are still a lot of pitfalls in postMessage implementations that make web applications vulnerable.

In the first part of the talk, I am going to talk about the history of cross-domain communication and the purpose of the postMessage mechanism.

In the second part, I will show the security issues of the mechanism and different ways of exploiting it, including some interesting tricks.

Finally, I will talk about an approach to searching for such vulnerabilities and to automating that search.
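The pitfalls the abstract refers to are the usual ones in a `message` listener: no check of `event.origin` at all, a substring or prefix match instead of an exact one, trusting the shape of `event.data`, and writing it into an HTML sink. The following is an added example, not the speaker's material or code from the talk; it goes slightly beyond the abstract by showing the prefix-match bypass alongside the missing check and the hardened form. The origin `https://app.example`, the `{type, text}` message shape, and the mocked DOM element and window are assumptions so the logic runs under Node rather than a browser.

```javascript
// Added example: vulnerable, weak and hardened window.postMessage listeners.
// Events are plain objects shaped like MessageEvent ({origin, data}); the
// element and window are constructed stand-ins for the browser objects.

// Constructed stand-in for a DOM element.
function fakeElement() {
  return { innerHTML: "", textContent: "" };
}

// Vulnerable listener: no origin check, and the attacker-controlled payload
// is written as HTML. Any document holding a reference to this window
// (opener, parent frame, window.open) can deliver a message to it.
function vulnerableHandler(el) {
  return function onMessage(event) {
    el.innerHTML = event.data.html; // DOM XSS sink fed by untrusted data
    return true;
  };
}

// Weak listener: a prefix match on the origin. "https://app.example" is a
// prefix of "https://app.example.attacker.example", so the check is bypassed.
function weakHandler(el) {
  return function onMessage(event) {
    if (!event.origin.startsWith("https://app.example")) return false;
    el.textContent = event.data.text;
    return true;
  };
}

// Hardened listener: exact origin match against an allow-list, a strict
// check on the message shape, and a text-only sink.
function hardenedHandler(el, allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return function onMessage(event) {
    if (!allowed.has(event.origin)) return false; // exact, never substring
    const d = event.data;
    if (typeof d !== "object" || d === null) return false;
    if (d.type !== "greeting" || typeof d.text !== "string") return false;
    el.textContent = d.text; // text sink, markup is not interpreted
    return true;
  };
}

// Constructed events, shaped like MessageEvent.
const legit = { origin: "https://app.example", data: { type: "greeting", text: "hello" } };
const evil = { origin: "https://attacker.example",
  data: { type: "greeting", text: "x", html: "<img src=x onerror=alert(1)>" } };
const lookalike = { origin: "https://app.example.attacker.example",
  data: { type: "greeting", text: "spoofed" } };

// Sender side. targetOrigin "*" delivers the message to whatever document the
// target window currently holds; an explicit origin makes the browser drop it
// if the window has navigated elsewhere. The window here only records calls.
function fakeWindow() {
  const calls = [];
  return { calls, postMessage(msg, targetOrigin) { calls.push({ msg, targetOrigin }); } };
}
function sendInsecure(win, msg) { win.postMessage(msg, "*"); }
function sendSecure(win, msg, targetOrigin) { win.postMessage(msg, targetOrigin); }

// Run each listener against the constructed events and report the outcome.
function demo() {
  const v = fakeElement();
  vulnerableHandler(v)(evil);

  const w = fakeElement();
  const weak = weakHandler(w);

  const h = fakeElement();
  const hard = hardenedHandler(h, ["https://app.example"]);

  const win = fakeWindow();
  sendInsecure(win, legit.data);
  sendSecure(win, legit.data, "https://app.example");

  return {
    vulnerableInjected: v.innerHTML.includes("onerror"),
    weakRejectsEvil: weak(evil) === false,
    weakAcceptsLookalike: weak(lookalike) === true && w.textContent === "spoofed",
    hardenedRejectsEvil: hard(evil) === false,
    hardenedRejectsLookalike: hard(lookalike) === false,
    hardenedAcceptsLegit: hard(legit) === true && h.textContent === "hello",
    insecureTargetOrigin: win.calls[0].targetOrigin,
    secureTargetOrigin: win.calls[1].targetOrigin,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

When reviewing a real listener, grep for `addEventListener("message"` and `onmessage =` and check three things in order: is `event.origin` compared with `===` against a fixed value or allow-list (not `indexOf`, `startsWith`, or a loose regex), is `event.data` validated before use, and does the data reach `innerHTML`, `eval`, `location` or a similar sink. On the sending side, look for `postMessage(..., "*")` carrying anything sensitive.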


About Tatiana Mikhailova

Tatiana Mikhailova is an information security researcher and pentester.
