Deep Dive Into postMessage Security — by Tatiana Mikhailova

Updated: Dec 26, 2020

SINCON 2020 Conference Insights Track

Day 2 (3 Jan 2021)


@ Main Stage


Web technologies are developing fast, and the client side of web applications is becoming more and more complicated. Among the variety of JavaScript functionality, the postMessage mechanism is an interesting and simple way to do cross-domain communication. However, there are still a lot of pitfalls in postMessage implementations that make web applications vulnerable.

In the first part of the talk, I am going to talk about the history of cross-domain communication and the purpose of the postMessage mechanism.

In the second part, I will show the security issues of the mechanism and different ways of exploiting it, including interesting tricks.

Finally, I will talk about an approach to searching for such vulnerabilities and its automation.

About Tatiana Mikhailova

TATIANA MIKHAILOVA is an information security researcher and pentester.

