Automatic Detection of Insecure postMessage Usages in Single Sign-On (Bachelor)


Supervision: Louis Jannett, Christian Mainka, Vladislav Mladenov

Start date: immediately

More details:


The main goal of this thesis is the extension of an automated tool that was built to capture HTTP requests and responses issued during Single Sign-On flows on websites. You are challenged to extend this tool such that it also automatically evaluates the security of postMessage [1] in the captured Single Sign-On flows. Although the tool already detects the usage of postMessage, it does not provide information on the postMessage security checks [2] and whether they are implemented securely.

The thesis consists of three parts:

  • Preparation: Develop a method to detect, capture, and analyze the postMessage security checks as an in-browser solution (i.e., Chrome Extension).
  • Tool Extension: Extend the capturing tool to likewise log the postMessage security checks, along with the message payload. Missing or insufficient checks should be detected as well.
  • Evaluation: Run the tool and record the SSO login flows and postMessage checks on the most-visited websites.




  • You know the basics of OAuth 2.0 [3], OpenID Connect 1.0 [4], and postMessage [1].
  • You are familiar with the Same Origin Policy and Document Object Model. I.e., you know about window.parent, window.opener, and window.frames.
  • You can solve this challenge and run alert(1):