Automatic Detection of Insecure postMessage Usages in Single Sign-On (Bachelor)

Global

Supervision: Louis Jannett, Christian Mainka, Vladislav Mladenov

Start date: immediately

Description

The main goal of this thesis is to extend an automated tool that captures the HTTP requests and responses issued during Single Sign-On flows on websites. You are challenged to extend this tool so that it also automatically evaluates the security of postMessage [1] in the captured Single Sign-On flows. Although the tool already detects the usage of postMessage, it does not provide information on the postMessage security checks [2] or on whether they are implemented securely.

The thesis consists of three parts:

  • Preparation: Develop a method to detect, capture, and analyze the postMessage security checks as an in-browser solution (i.e., Chrome Extension).
  • Tool Extension: Extend the capturing tool to likewise log the postMessage security checks, along with the message payload. Missing or insufficient checks should be detected as well.
  • Evaluation: Run the tool and record the SSO login flows and postMessage checks on the most-visited websites.
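To make the "Preparation" part concrete, here is an added example (not the capturing tool's code) of one way an in-page script could observe whether a message handler validates the sender at all: every registered "message" handler is wrapped so that the event it receives is a Proxy recording which properties the handler read. The window object, the injection point and the sample message are constructed assumptions so the example runs in Node.

```javascript
// Added example, not the capturing tool's code. Every "message" handler is
// wrapped so the MessageEvent it sees is a Proxy that records which
// properties were read. A handler that never reads event.origin (or
// event.source) cannot be validating the sender: the "missing check" case.
const pmLog = []; // one record per delivered message
function instrumentHandler(handler) {
  return function instrumented(event) {
    const accessed = new Set();
    const proxied = new Proxy(event, {
      get(target, prop) {
        accessed.add(String(prop));
        return Reflect.get(target, prop); // receiver = target, safe for DOM getters
      },
    });
    handler.call(this, proxied);
    pmLog.push({ origin: event.origin, readOrigin: accessed.has('origin'), readSource: accessed.has('source') });
  };
}
// Patch addEventListener so "message" handlers registered later are wrapped.
// Assumption: the extension injects this into the page's main world before
// any page script registers its handlers.
function installHook(win) {
  const original = win.addEventListener.bind(win);
  win.addEventListener = (type, fn, opts) =>
    original(type, type === 'message' ? instrumentHandler(fn) : fn, opts);
}
// Constructed stand-in for a browser window so the example runs offline.
function makeFakeWindow() {
  const listeners = [];
  return {
    addEventListener: (type, fn) => listeners.push({ type, fn }),
    dispatch: (ev) => listeners.forEach(l => l.type === 'message' && l.fn(ev)),
  };
}
// Deliver one constructed message from an unexpected origin to a handler with
// no check and to one with an exact-match origin check; return what each did.
function runDemo() {
  pmLog.length = 0;
  const win = makeFakeWindow();
  installHook(win);
  const accepted = [];
  win.addEventListener('message', e => accepted.push(['weak', e.data.code]));
  win.addEventListener('message', e => {
    if (e.origin !== 'https://idp.example') return; // exact match, not includes()
    accepted.push(['checked', e.data.code]);
  });
  win.dispatch({ origin: 'https://attacker.example', source: null, data: { code: 'c1' } });
  return { accepted, log: pmLog.slice() };
}
```

This only detects handlers that never consult the origin at all; a handler that reads event.origin but compares it loosely (substring or prefix match) would still need the tool to log the compared value and the comparison outcome.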

References:

  1. https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
  2. https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/11-Testing_Web_Messaging
  3. https://datatracker.ietf.org/doc/html/rfc6749
  4. https://openid.net/specs/openid-connect-core-1_0.html

Requirements

  • You know the basics of OAuth 2.0 [3], OpenID Connect 1.0 [4], and postMessage [1].
  • You are familiar with the Same-Origin Policy and the Document Object Model, i.e., you know about window.parent, window.opener, and window.frames.
  • You can solve this challenge and run alert(1): https://bit.ly/3hjrH5I