Posted on 2023-11-29, 18:13. Authored by Marius Steffens and Ben Stock.
The Web has become a platform in which sites rely on intricate interactions that span the boundaries of origins. While the Same-Origin Policy prevents direct data exchange with documents from other origins, the postMessage API offers one relaxation that allows developers to exchange data across these boundaries. While prior manual analysis could show the presence of issues within postMessage handlers, unfortunately, a steep increase in postMessage usage makes any manual approach intractable. To deal with this increased workload, we set out to automatically find issues in postMessage handlers that allow an attacker to execute code in the vulnerable sites, alter client-side state, or leak sensitive information.
To achieve this goal, we present an automated analysis framework running inside the browser, which uses selective forced execution paired with lightweight dynamic taint tracking to find traces in the analyzed handlers that end in sinks allowing for code-execution or state alterations. We use path constraints extracted from the program traces and augment them with Exploit Templates, i.e., additional constraints, ascertaining that a valid assignment that solves all these constraints produces a code-invoking or state-manipulating behavior. Based on these constraints, we use Z3 to generate postMessages aimed at triggering the insecure functionality to prove exploitability, and validate our findings at scale.
We use this framework to conduct the most comprehensive experiment studying the security issues of postMessage handlers found throughout the top 100,000 most influential sites yet, which allows us to find potentially exploitable data flows in 252 unique handlers out of which 111 were automatically exploitable.
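The handler flaws the abstract describes are message fields that flow from an unchecked sender into a code-executing or state-altering sink. The following is an added example, not code from the paper or the PMForce framework: an insecure handler with no origin check beside a hardened one, driven by constructed messages. The MessageEvent stand-in, the sink stand-ins, the allowlisted origin `https://trusted.example` and the permitted setting keys are all assumptions made so the example runs outside a browser (Node.js).

```javascript
// Added example (not part of the PMForce paper): a postMessage handler that
// forwards untrusted data into sinks, next to a hardened handler.
// MessageEvent and the sinks are stand-ins so this runs in Node.js.

// Stand-in for the browser's MessageEvent: only the fields the handlers use.
function makeMessageEvent(origin, data) {
  return { origin, data };
}

// Stand-ins for the two sink classes the paper's framework looks for:
// code execution (innerHTML-style) and client-side state (localStorage-style).
// Each records what reached it so the result can be inspected.
function makeSinks() {
  const executed = [];
  const stored = {};
  return {
    executed,
    stored,
    setHtml(html) { executed.push(html); },         // markup sink
    setItem(key, value) { stored[key] = value; },   // persistent state sink
  };
}

// INSECURE: no origin check; message fields flow straight into both sinks.
function insecureHandler(sinks, event) {
  const msg = event.data;
  if (msg.type === 'render') sinks.setHtml(msg.html);
  if (msg.type === 'settings') sinks.setItem(msg.key, msg.value);
}

// Assumed allowlist and schema for the hardened handler.
const ALLOWED_ORIGINS = new Set(['https://trusted.example']);
const ALLOWED_SETTING_KEYS = new Set(['theme', 'locale']);

// Treat message text as text: escape the characters HTML would interpret.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// HARDENED: exact-match origin allowlist, strict message schema, and only
// page-intended state reachable from the message. Returns true if handled.
function hardenedHandler(sinks, event) {
  // Exact comparison of the full origin string; suffix or unanchored
  // regex checks can be satisfied by look-alike origins.
  if (!ALLOWED_ORIGINS.has(event.origin)) return false;
  const msg = event.data;
  if (typeof msg !== 'object' || msg === null) return false;

  if (msg.type === 'render') {
    if (typeof msg.html !== 'string') return false;
    sinks.setHtml(escapeHtml(msg.html));   // never raw markup from a message
    return true;
  }
  if (msg.type === 'settings') {
    if (!ALLOWED_SETTING_KEYS.has(msg.key) || typeof msg.value !== 'string') return false;
    sinks.setItem(msg.key, msg.value);
    return true;
  }
  return false;
}

// Drive both handlers with the same constructed messages (the attacker
// origin and the markup string are constructed values, not real payloads).
function runDemo() {
  const events = [
    makeMessageEvent('https://attacker.example',
      { type: 'render', html: '<b>untrusted markup</b>' }),
    makeMessageEvent('https://attacker.example',
      { type: 'settings', key: 'apiEndpoint', value: 'https://attacker.example/' }),
    makeMessageEvent('https://trusted.example',
      { type: 'settings', key: 'theme', value: 'dark' }),
  ];
  const insecure = makeSinks();
  const hardened = makeSinks();
  for (const ev of events) {
    insecureHandler(insecure, ev);
    hardenedHandler(hardened, ev);
  }
  return { insecure, hardened };
}
```

Running `runDemo()` shows the difference the paper's analysis is built to detect: in the insecure handler, both the markup and the `apiEndpoint` state change reach a sink from an arbitrary origin, whereas the hardened handler lets through only the allowlisted origin's `theme` setting. An origin check alone is not sufficient; the schema and key allowlist are what keep the data reaching each sink constrained to what the page intends.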
Preferred Citation
Marius Steffens and Ben Stock. PMForce: Systematically Analyzing PostMessage Handlers at Scale. In: ACM Conference on Computer and Communications Security (CCS). 2020.
Primary Research Area
Empirical and Behavioral Security
Secondary Research Area
Threat Detection and Defenses
Name of Conference
ACM Conference on Computer and Communications Security (CCS)
Legacy Posted Date
2020-07-29
Open Access Type
Unknown
BibTeX
@inproceedings{cispa_all_3164,
  title     = "PMForce: Systematically Analyzing PostMessage Handlers at Scale",
  author    = "Steffens, Marius and Stock, Ben",
  booktitle = "{ACM Conference on Computer and Communications Security (CCS)}",
  year      = "2020",
}