HTML5 PostMessage Security: Protecting Cross-Origin Communication

HTML5 introduced a powerful feature called postMessage that allows secure communication between different origins or domains. While this functionality provides a convenient way to exchange data across frames or windows, it also poses potential security risks if not implemented correctly. In this article, we will explore the security considerations of using postMessage and discuss best practices to protect cross-origin communication.

Understanding postMessage

postMessage is an HTML5 feature that enables asynchronous communication between different browsing contexts.

Content Security Policy (CSP)

Content Security Policy (CSP) is a security measure that helps protect web applications from various attacks, including Cross-Site Scripting (XSS) and data injection. CSP works by specifying a set of Content Security Rules that dictate what resources are allowed to load on a page. This can be used to whitelist trusted sources of content, or to block untrusted content entirely. One advantage of Content Security Policy is that it can help to prevent malicious code from running on a page.

New Project!

Today I started a new project that I’ve been thinking about for a while. It’s located at – It is a growing collection of interesting links that I’ve found regarding various application security topics. The basic site is up and the plumbing is there. Just need to add more content. Check it out!

New Burp Extension – Perfmon

Just whipped together a new Burp extension called perfmon (not to be confused with the Windows tool of the same name). I was really interested in the resource usage of Burp while doing certain activities. It adds a new tab to Burp and samples every 5 seconds:

- Current and max number of threads in use
- Current and max memory used
- Current and max memory allocated
- Ticker to set how often the stats update

Secure Design Principles

Sitting here on a cold, snowy day thinking about secure design principles. These are key to think about during the design phase of a feature/project.

- Total Mediation – every access to every resource must be validated every time
- Economy of Mechanism – keep it as simple as possible
- Fail-Safe – in case of failure, default to a secure state
- Defense in Depth – layer security
- Open Design – the security of a system should not depend on the secrecy of its design or implementation

2 Gems Updated

PwnedCheck

PwnedCheck is a gem that checks to see if an email address or user handle has been involved in a breach.

How to Install

How to Use

Jekyll-Clicky

Jekyll-clicky is a gem to add clicky analytics to a site generated with Jekyll.

Installation

Add this line to your application’s Gemfile:

And then execute:

Or install it yourself as:

Usage

Add this to _config.yml in your jekyll site directory. Replace ### with the id of your clicky site.

Extending Burp at DerbyCon VII

Just finished my talk about extending Burp at DerbyCon VII. Thanks to everyone that attended! I’m really thankful for the opportunity to present on the topic.

The Details

- Slides
- Video in Slides (Slide 14)
- Source Code
- Video of the Presentation

I’d love to hear any comments/questions.