XSS with HTML5 postMessage()

This is going to be a technical dive into the new HTML5 postMessage() method which can be exploited to launch XSS attacks against a site which otherwise was properly filtering client provided input.

The Method

The postMessage() method was created to enable cross-document messaging from applications on separate domains. In other words, it effectively side steps the same-origin policy allowing applications to send and receive data to and from each other. Here is the syntax for the method:

otherWindow.postMessage(message, targetOrigin, [transfer]);

Let’s take the following example:

Site A has a nested iframe of Site B, which is on a separate domain:

If Site A wants to read content from Site B using a script like this:

Site A:

<iframe src="http://site-b.net/" name="siteb"></iframe>

<script>
document.getElementsByName('siteb')[0].onload = function() {

Since the release of the OpenSSL Heartbleed attack, there have been many scripts, websites, and offered services to perform checks on whether a site is vulnerable to this devastating attack. Each check has its benefits and specific application; I am providing another solution which is a Maltego Transform based on the ssltest.py script by Jared Stafford (jspenguin@jspenguin.org).

You will need the following two files in order to set this up:

1.) MaltegoTransform-py.zip (Maltego Basic Python Library)
http://www.paterva.com/web6/documentation/MaltegoTransform-Python.zip

2.) maltego_heartbleedtest.py (The Custom Maltego Transform)
https://github.com/DisK0nn3cT/MaltegoHeartbleed

Once you have downloaded the files, move the MaltegoTransform.py file to your python library directory and the maltego_heartbleedtest.py into a directory of your liking (remember this directory for later).

Now...