FrogPost: postMessage Security Testing Tool
FrogPost is a powerful Chrome extension for testing and analyzing the security of postMessage
communications between iframes. It helps developers and security professionals identify vulnerabilities in message-handling implementations.
Key Features
- Live monitor of cross-origin
postMessage
traffic - Automatic detection and analysis of message handlers
- Static and runtime analysis for DOM-based vulnerabilities
- Identification of missing origin checks and unsafe sinks
- Targeted fuzzing of insecure handlers
- Detailed security reports with payload suggestions
- Passive Listener Detection
- Callback Integration Fix
- XSS Payload Library
- POC Builder
Usage Highlights
- Observe: Load any site with iframes. FrogPost captures
postMessage
exchanges. - Analyze: Click ▶ to begin handler analysis. Static fallback analysis is applied if runtime fails.
- Trace: Use ✨ to trace data flows, detect DOM sinks, and generate security payloads.
- Fuzz: Launch 🚀 to test vulnerable endpoints using crafted fuzzing payloads.
Dashboard at a Glance
- ▶ Play – Start handler detection and capture
- ✨ Trace – Static sink and flow analysis
- 📋 Report – Show results & Insights
- 🚀 Launch – Begin fuzzing vulnerable handlers
- Check All – Analyze all endpoints
- Clear Messages – Reset state and logs
- Export – Download captured messages
- Refresh – Manually update messages
- Debug Toggle – Verbose logging in console
- → Send to Origin – Replay to sender
- → Send to Destination – Replay to receiver
Panels
- Hosts Panel – Shows the main page and iframe connections
- Messages Panel – Intercepted
postMessage
traffic - Security Report – DOM XSS and origin check findings