A tool for testing the security of apps that leverage postMessage()
Try it now: postinator.jaytonbirch.com
A web client is vulnerable to poisonous messaging when it:
- reflects user-defined iframes
- listens for messages without source-checking
Check out the MDN docs regarding security concerns with postMessage().
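The second condition above, shown as a listener body without sender checks next to a hardened one. This is an added example, not code from message-postinator; the origins, the `set-banner` message shape and the function names are assumptions, and the events are constructed stand-ins for browser `MessageEvent` objects.

```javascript
// Added example: origins, message shape and names are assumptions.
const TRUSTED_ORIGINS = new Set(["https://widgets.example.com"]);

// Listener body with no sender checks: any frame on the page can drive it.
function vulnerableHandler(event, state) {
  if (event.data && event.data.type === "set-banner") {
    state.banner = event.data.text;
    return true;
  }
  return false;
}

// Hardened body: exact origin match, expected source window, strict payload shape.
function hardenedHandler(event, state, expectedSource) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false; // no substring or regex matching
  if (event.source !== expectedSource) return false;
  const d = event.data;
  if (typeof d !== "object" || d === null) return false;
  if (d.type !== "set-banner" || typeof d.text !== "string") return false;
  state.banner = d.text; // still render as text (textContent), never as HTML
  return true;
}

// Constructed events standing in for browser MessageEvent objects.
function runDemo() {
  const widgetWindow = { name: "trusted widget frame" }; // iframe.contentWindow stand-in
  const reflectedWindow = { name: "user-defined iframe" };
  const msg = (text) => ({ type: "set-banner", text });
  const events = [
    { origin: "https://widgets.example.com", source: widgetWindow, data: msg("hello") },
    { origin: "https://blaster.test", source: reflectedWindow, data: msg("poisoned") },
    { origin: "https://widgets.example.com.blaster.test", source: reflectedWindow, data: msg("lookalike") },
    { origin: "https://widgets.example.com", source: widgetWindow, data: msg({ html: "<b>x</b>" }) },
  ];
  return events.map((ev) => {
    const vState = {}, hState = {};
    return {
      origin: ev.origin,
      vulnerable: vulnerableHandler(ev, vState),
      hardened: hardenedHandler(ev, hState, widgetWindow),
    };
  });
}

// In a page: window.addEventListener("message", (e) => hardenedHandler(e, state, frame.contentWindow));
console.log(runDemo());
```

The unchecked handler accepts all four constructed events; the hardened one accepts only the first, rejecting the foreign origin, the lookalike origin and the malformed payload.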
message-postinator builds webpages that post messages you define to the frame's parent. You can then use the message Blaster you created to test web apps that reflect user-defined iframes.
You can test your Blasters in the playground.