birch-jayton/message-postinator

message-postinator

A tool for testing the security of apps that leverage postMessage()

Try it now: postinator.jaytonbirch.com

What is this for?

The problem

A web client is vulnerable to poisonous messaging when it:

  • reflects user-defined iframes (embeds a frame whose URL the user controls)
  • listens for messages without checking the sender's origin

Check out the MDN docs regarding the security concerns with postMessage().
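The two conditions above, side by side as an added example (not code from message-postinator): a listener that acts on any message it receives, next to a hardened one that checks event.origin against an allow-list and validates the message shape. The origin names and the {type, payload} message format are assumptions.

```javascript
// Added example, not part of message-postinator. Assumed: the receiving page
// lives at https://app.example (placeholder) and expects {type, payload}.
const TRUSTED_ORIGINS = new Set(["https://app.example"]); // assumed allow-list

// Vulnerable: acts on the message regardless of which frame sent it, so any
// reflected, user-defined iframe that posts to its parent is trusted.
function handleMessageUnchecked(event) {
  const msg = event.data;
  if (msg && msg.type === "setTheme") {
    return { accepted: true, theme: String(msg.payload) };
  }
  return { accepted: false, reason: "unknown message type" };
}

// Hardened: reject messages whose origin is not on the allow-list, then
// validate the data before doing anything with it.
function handleMessageChecked(event, trustedOrigins = TRUSTED_ORIGINS) {
  if (!trustedOrigins.has(event.origin)) {
    return { accepted: false, reason: `untrusted origin ${event.origin}` };
  }
  const msg = event.data;
  if (!msg || typeof msg !== "object" || typeof msg.type !== "string") {
    return { accepted: false, reason: "malformed message" };
  }
  if (msg.type === "setTheme" && /^[a-z]+$/.test(msg.payload)) {
    return { accepted: true, theme: msg.payload };
  }
  return { accepted: false, reason: "unknown message type" };
}

// Constructed message events, shaped like what a browser delivers:
// one from a frame on an unrelated origin, one from the trusted app.
const fromUnknownFrame = {
  origin: "https://unrelated.example",
  data: { type: "setTheme", payload: "<img src=x onerror=alert(1)>" },
};
const fromTrustedApp = {
  origin: "https://app.example",
  data: { type: "setTheme", payload: "dark" },
};

// In a real page only the checked handler would be registered.
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => handleMessageChecked(e));
}
```

Running both handlers on fromUnknownFrame shows the difference: the unchecked one accepts it, the checked one rejects it on origin before looking at the payload.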

Using message-postinator

Blaster Builder

message-postinator can be used to build web pages ("blasters") that post messages you define to the frame's parent. You can then test web apps that reflect user-defined iframes by pointing them at the message blaster you created.

Playground

You can test your blasters in the playground.