As security specialists, we have been exposed to countless exploits, including the classic and well-known OWASP Top 10 vulnerabilities, such as XSS, CSRF, SSRF and authorization bypass. However, we were also introduced to vulnerabilities that were less visible and received less publicity, such as those involving WebSockets, cross-origin communication, and Origin Policy.
Why were these important vulnerabilities overlooked? Was it merely because they were less popular? Was it a lack of information and prior knowledge about their source and capabilities? Or was it a lack of tools for analyzing them?
When we began to discuss these questions with colleagues, we quickly realized that many security specialists weren’t even aware of the existence of the attacks in which these vulnerabilities were used, and certainly did not make an effort to thoroughly understand them.
As a result, we decided to research these implementations several years ago. Upon analyzing them, we found several interesting insights, such as:
Our research focused on Cross-document Messaging and revealed 15 vulnerabilities, identified across various companies in the industry. Note that, due to company privacy considerations, some of the sources will not be disclosed in this review.
The following guide will attempt to summarize the results of our research and analysis in order to shed light on the fundamentals, research methodologies, and the tools that can be used to help us understand these overlooked vulnerabilities.
We hope you make use of this comprehensive report to strengthen your organization’s security posture. As a community, we encourage AppSec practitioners to continue to contribute joint knowledge and experience on this important topic.
Easy Reading,
Barak Tawily, CTO, Enso Security