postMessage-tracker-f ავტორი Hacks and Hops

postMessage-tracker-firefox

This is a super simple port of the extension with added potentially vulnerable function highlighting. All credit goes to Frans Rosén.

Code
This addon is free and open-source software (FOSS) all code can be found here: https://github.com/ACK-J/postMessage-tracker-firefox/tree/master
Please report your bugs or feature requests in a GitHub issue instead of in a review.

Description
Made by Frans Rosén. Presented during the "Attacking modern web technologies"-talk(Slides) at OWASP AppSec Europe back in 2018, but finally released in May 2020.

This Firefox extension monitors postMessage-listeners by showing you an indicator about the amount of listeners in the current window.

It supports tracking listeners in all subframes of the window. It also keeps track of short-lived listeners and listeners enabled upon interactions. You can also log the listener functions and locations to look them through them at a later stage by using the Log URL-option in the extension. This enables you to find hidden listeners that are only enabled for a short time inside an iframe.

It also shows you the interaction between windows inside the console and will specify the windows using a path you can use yourself to replay the message:

It also supports tracking communication happening between different windows, using `diffwin` as sender or receiver in the console.

Features

• Supports Raven, New Relic, Rollbar, Bugsnag and jQuery wrappers and "unpacks" them to show you the real listener.
• Tries to bypass and reroute wrappers so the Devtools console will show the proper listeners:
• Allows you to set a Log URL inside the extension options to allow you to log all information about each listener to an endpoint by submitting the listener and the function (to be able to look through all listeners later). You can find the options in the Extension Options when right-clicking the extension -> Manage Extension -> Preferences :
• Supports anonymous functions. Chrome (Unsure about Firefox) does not support to stringify an anonymous function, in the cases of anonymous functions, you will see the `bound`-string as the listener: