HTML5: Cross Domain Messaging (PostMessage) Vulnerabilities

HTML5 PostMessages (also known as: Web Messaging, or Cross Domain Messaging) is a method of passing arbitrary data between domains. However if not implemented correctly it can lead to sensitive information disclosure or cross-site scripting vulnerabilities as it leaves origin validation up to the developer!

Pages can send messages with code like this:

var childWin = window.open("http://www.example.org","child"); childWin.postMessage("Message for ya!","*");

A page can register itself for receiving messages with a line like the following:

function checkMessage(message) { 
    alert("Got a message! Contents: " + message.data); 
}
window.addEventListener("message", receiveMessage, false);

There’s essentially two possible security issues with postMessages, the first is the disclosure of sensitive information. The second issue is pages that process data from any origin can be vulnerable to cross-site scripting attacks.

Disclosure of sensitive information can occur if a message is sent to all domains through the wildcard domain. Our example above shows this as the postMessage() function uses the wildcard domain: “*”. This means that any open domain can capture messages and their contents!

Cross-site scripting can occur is data originating from a message is processed through a function such as document.write(), by using the message data to update innerHTML or outerHTML, or updating the location.href. It’s up to the developer to ensure the origin is sufficiently and securely checked!

Defending against HTML5 postMessage vulnerabilities is fairly simple:

• The receiving page should ensure that the origin is the expected location
• The receiving page should ensure that received data is validated to ensure that it’s safe
• The sending page should set an explicit domain as the second parameter to the postMessage() function, not the wildcard “*”.

Additionally be careful with the method of validating the origin domain, code such as: if(message.orgin.indexOf(“example.org”)!=-1) is insufficient as it allows for domains like example.org.attacker.com to be used. Also regular expressions such as RegExp(“^https://www.example.org$”) are insufficient as the full stop character “.” is actually a regular expression wildcard meaning that wwwxexample.org would match!