Infosec In the City (IIC)

Deep Dive Into postMessage Security — by Tatiana Mikhailova

Updated: Dec 26, 2020

SINCON 2020 Conference Insights Track


Day 2 (3 Jan 2021)

2pm—2.45pm

@ Main Stage




Abstract

Web technologies are developing fast, and the client side of web applications is becoming more and more complicated. Among the variety of JavaScript functionality, the postMessage mechanism is an interesting and simple way to do cross-domain communication. However, there are still many pitfalls in postMessage implementations that leave web applications vulnerable.


In the first part of the talk, I am going to cover the history of cross-domain communication and the purpose of the postMessage mechanism.


In the second part, I will show the security issues of the mechanism and different ways of exploiting it, including some interesting tricks.


Finally, I will talk about an approach to finding such vulnerabilities and automating the search.


About Tatiana Mikhailova

TATIANA MIKHAILOVA is an information security researcher and pentester.


IIC Productions (Pte. Ltd.) © 2017-2021.