
postMessage XSS demo lab

Using Amazon S3, which is an AWS service, I’ve uploaded the code that we just looked at in the
prior lesson to create 3 separate websites, so that they’re all on different origins.

If you don’t know how to use S3, don’t worry, you can just follow along.

Amazon S3 auto-generates our website URL so that’s the 3 URLs I’ll be using to access each
window, and you’ll recognize these URLs as having been hardcoded in our sample code (which
you can access here):

● Window A:
http://cybr-lab-postmessage-xss.s3-website-us-east-1.amazonaws.com/window_a.html
● Window B:
http://cybr-lab-postmessage-xss-notifs.s3-website-us-east-1.amazonaws.com/window_b.html
● Malicious website:
http://cybr-lab-postmessage-xss-attack.s3-website-us-east-1.amazonaws.com/

Figure: Amazon S3 static websites

When we open window A, everything works as expected. We see the number of notifications
returned from the window B iframe and postMessage. We can see the messages in our console
logs.

© Cybr, Inc. All Rights Reserved
Figure: Window A

Figure: Window A iframe

Figure: Window A console

Next, if we open our malicious website window and we click on the button, it will open window A
as you can see by the URL, but after a few seconds, it will pop open a dialog window which is
from our XSS payload, so we have a successful payload execution in window A from the
malicious_window!

Figure: Malicious website

Figure: Window A XSS from malicious website

You will also notice if you open the console for malicious_window, that the iframe is included,
and as a result, we're able to steal data from window B. This is possible for two reasons:

● We're able to embed window B as an iframe
● Window B is not checking who the origin is

Figure: Window attacker iframe

Figure: Stolen data from window B
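As an added example (not code from the lesson or from the Cybr GitHub repo), here are the two origin checks the demo is missing: window A verifying event.origin before using a message, and window B naming window A as targetOrigin instead of "*". The origins are the lab's three S3 sites; the helper names and the stand-in for the browser's delivery rule are mine, so the functions run under Node as well as in a page.

```javascript
const WINDOW_A_ORIGIN = "http://cybr-lab-postmessage-xss.s3-website-us-east-1.amazonaws.com";
const WINDOW_B_ORIGIN = "http://cybr-lab-postmessage-xss-notifs.s3-website-us-east-1.amazonaws.com";
const ATTACKER_ORIGIN = "http://cybr-lab-postmessage-xss-attack.s3-website-us-east-1.amazonaws.com";

// Window A's listener as the demo has it: no origin check, event.data used as-is.
const vulnerableListener = (event) => event.data;

// Window A's listener, hardened: only window B may speak, and only a count is
// accepted, so markup or script arriving in event.data is never rendered.
function hardenedListener(event) {
  if (event.origin !== WINDOW_B_ORIGIN) return null;
  const count = Number(event.data);
  if (!Number.isInteger(count) || count < 0) return null;
  return `You have ${count} new notifications`; // render with textContent, not innerHTML
}

// Window B's sender: "*" lets any embedding page receive the data; naming
// window A makes the browser drop the message when the parent is someone else.
const leakySend = (parent, count) => parent.postMessage(String(count), "*");
const hardenedSend = (parent, count) => parent.postMessage(String(count), WINDOW_A_ORIGIN);

// Stand-in for the browser (hypothetical helpers): a window record, plus a reference
// to it as held by a page at senderOrigin. Delivery enforces targetOrigin and fills
// in event.origin itself, which is why a sender cannot forge it.
const makeWindow = (origin, listener) => ({ origin, listener, received: [] });
function refFrom(senderOrigin, target) {
  return {
    postMessage(data, targetOrigin) {
      if (targetOrigin !== "*" && targetOrigin !== target.origin) return; // never delivered
      const out = target.listener({ origin: senderOrigin, data });
      if (out !== null) target.received.push(out);
    },
  };
}

// Replays the lesson's two attacks against a listener/sender pair and reports
// what window A rendered and what the malicious page collected.
function runScenario(listenerA, sendB) {
  const windowA = makeWindow(WINDOW_A_ORIGIN, listenerA);
  const attacker = makeWindow(ATTACKER_ORIGIN, (event) => event.data); // logs everything
  // Normal flow: the window B iframe inside window A reports 3 notifications.
  sendB(refFrom(WINDOW_B_ORIGIN, windowA), 3);
  // Attack 1: the malicious page opens window A and posts a payload (constructed string).
  refFrom(ATTACKER_ORIGIN, windowA).postMessage("<img src=x onerror=alert('xss')>", "*");
  // Attack 2: the malicious page embeds window B as an iframe; B posts to its parent.
  sendB(refFrom(WINDOW_B_ORIGIN, attacker), 3);
  return { renderedByA: windowA.received, stolenByAttacker: attacker.received };
}
```

Running `runScenario(hardenedListener, leakySend)` shows that fixing only window A still leaks the count to the attacker page; both sides need their check.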

Conclusion
Take some time to look through the code and examples, because this can be a bit confusing
since there are multiple different windows and messages to keep track of. For access to the
source code, check out the link on GitHub:
https://github.com/Cybr-Inc/postMessage-XSS-Demo.

The demo that I'm showing in this lesson was set up in Amazon S3, which is an AWS service that
you can use for free with the free tier, so feel free to play around with it yourself if you'd like!

Alright, now that we’ve sufficiently exploited this scenario, let’s complete this lesson, and let’s
move on to the next where we’ll explain how to protect against the attacks we just
demonstrated.
