A tool for testing the security of apps that leverage postMessage()
Try it now: postinator.jaytonbirch.com
A web client is exposed to message injection (what this README calls poisonous messaging) when it:
- reflects user-defined iframes, i.e. embeds an iframe whose `src` is chosen by the user
- listens for `message` events without checking the sender (`event.origin` / `event.source`)
See the MDN docs on the security concerns of `postMessage()`: https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
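The two conditions above, shown side by side as an added example that is not part of message-postinator: a `message` listener that trusts every sender next to a hardened one, run against constructed `MessageEvent`-like objects so it works in Node without a browser. The allow-listed origin, the action names and the `postToFrame` helper are assumptions for a hypothetical app, not anything the tool provides.

```javascript
// Added example, not part of message-postinator: a `message` listener that
// trusts every sender next to a hardened one, exercised with constructed
// MessageEvent-like objects so it runs in Node without a browser.
// ALLOWED_ORIGINS and KNOWN_ACTIONS are assumptions for a hypothetical app.

const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const KNOWN_ACTIONS = new Set(["setTheme", "refresh"]);

// Exact-match check: origin must equal an allow-listed scheme://host[:port].
function strictOriginCheck(origin, allowed = ALLOWED_ORIGINS) {
  return allowed.has(origin);
}

// A substring check is a common weak form of the same test: it also accepts
// "https://app.example.com.attacker.example", which a tester would flag.
function weakOriginCheck(origin) {
  return origin.includes("app.example.com");
}

// Vulnerable listener: never looks at event.origin, so any embedded iframe
// (including a user-defined one) or any opener can drive it.
function vulnerableHandler(event) {
  const msg = event.data;
  return { accepted: true, action: msg && msg.action };
}

// Hardened listener: allow-list the origin exactly, require the expected
// payload shape, and only dispatch actions from a closed set.
function hardenedHandler(event, allowed = ALLOWED_ORIGINS) {
  if (!strictOriginCheck(event.origin, allowed)) {
    return { accepted: false, reason: "untrusted origin " + event.origin };
  }
  const msg = event.data;
  if (typeof msg !== "object" || msg === null || typeof msg.action !== "string") {
    return { accepted: false, reason: "malformed payload" };
  }
  if (!KNOWN_ACTIONS.has(msg.action)) {
    return { accepted: false, reason: "unknown action " + msg.action };
  }
  return { accepted: true, action: msg.action };
}

// Sender side (hypothetical helper): pass an explicit targetOrigin so the
// browser drops the message if the frame has navigated elsewhere; "*" is
// refused because it would deliver the data to whatever now occupies the frame.
function postToFrame(targetWindow, data, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing to post with wildcard targetOrigin");
  }
  targetWindow.postMessage(data, targetOrigin);
}

// Constructed events standing in for what the browser would dispatch; the
// second one models a message from a user-defined iframe on another origin.
const SAMPLE_EVENTS = [
  { origin: "https://app.example.com", data: { action: "setTheme", theme: "dark" } },
  { origin: "https://user-frame.example.net", data: { action: "setTheme", theme: "dark" } },
  { origin: "https://app.example.com", data: "not-an-object" },
  { origin: "https://app.example.com", data: { action: "deleteAccount" } },
];

// Runs every sample through both handlers and reports what each accepted.
function runSamples() {
  return SAMPLE_EVENTS.map(e => ({
    origin: e.origin,
    vulnerable: vulnerableHandler(e).accepted,
    hardened: hardenedHandler(e).accepted,
  }));
}

// In a real page only the hardened handler would be registered.
if (typeof window !== "undefined") {
  window.addEventListener("message", e => hardenedHandler(e));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(runSamples());
}
```

Run it with `node` to see the table: the vulnerable handler accepts all four events, while the hardened one accepts only the first. The `weakOriginCheck` function is there to show why the origin comparison must be an exact match rather than a substring or prefix test.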
message-postinator builds web pages ("blasters") that post messages you define to the frame's parent. Load such a page into a web app that reflects user-defined iframes and you can test how that app's `message` listener handles the posted data.
You can try out your blasters in the playground.