├── LICENSE
├── README.md
└── firefox
├── background.js
├── content_script.js
├── icons
├── logo-200x200.png
├── logo-48.png
└── logo-96.png
├── manifest.json
├── options.html
├── options.js
├── popup.html
└── popup.js
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2020 Frans Rosén
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | [
](https://addons.mozilla.org/en-US/firefox/addon/postmessage-tracker-f/)
2 |
3 | # postMessage-tracker-firefox
4 |
5 | This is a super simple port of the extension with added potentially vulnerable function highlighting. All credit goes to Frans Rosén.
6 |
7 | Made by [Frans Rosén](https://twitter.com/fransrosen). Presented during the ["Attacking modern web technologies"-talk](https://www.youtube.com/watch?v=oJCCOnF25JU) ([Slides](https://speakerdeck.com/fransrosen/owasp-appseceu-2018-attacking-modern-web-technologies)) at OWASP AppSec Europe back in 2018, but finally released in May 2020.
8 |
9 | 
10 |
11 |
12 | This Firefox extension monitors postMessage-listeners by showing you an indicator about the amount of listeners in the current window.
13 |
14 | It supports tracking listeners in all subframes of the window. It also keeps track of short-lived listeners and listeners enabled upon interactions. You can also log the listener functions and locations to look them through them at a later stage by using the Log URL-option in the extension. This enables you to find hidden listeners that are only enabled for a short time inside an iframe.
15 |
16 | It also shows you the interaction between windows inside the console and will specify the windows using a path you can use yourself to replay the message:
17 |
18 | 
19 |
20 | It also supports tracking communication happening between different windows, using `diffwin` as sender or receiver in the console.
21 |
22 | # Features
23 |
24 | * Supports Raven, New Relic, Rollbar, Bugsnag and jQuery wrappers and "unpacks" them to show you the real listener.
25 |
26 | * Tries to bypass and reroute wrappers so the Devtools console will show the proper listeners:
27 |
28 | **Using New Relic:**
29 |
30 | 
31 |
32 | **After, with postMessage-tracker:**
33 |
34 | 
35 |
36 | **Using jQuery:**
37 |
38 | 
39 |
40 | **After, with postMessage-tracker:**
41 |
42 | 
43 |
44 | * Allows you to set a Log URL inside the extension options to allow you to log all information about each listener to an endpoint by submitting the listener and the function (to be able to look through all listeners later). You can find the options in the Extension Options when right-clicking the extension -> Manage Extension -> Preferences :
45 |
46 | 
47 |
48 | * Supports anonymous functions. Chrome (Unsure about Firefox) does not support to stringify an anonymous function, in the cases of anonymous functions, you will see the `bound`-string as the listener:
49 |
50 | 
51 |
52 |
53 | # Known issues
54 |
55 | ~Since some websites could be served as XML with a XHTML-namespace, it will also attach itself to plain XML-files and will be rendered in the top of the XML. This might confuse you if you look at XML-files in the browser, as the complete injected script is in the DOM of the XML. I haven't found a way to hide it from real XML-files, but still support it for XHTML-namespaces.~ The content script is not added to the DOM if the `document.contentType` is `application/xml` which happens when Chrome renders XML-files.
56 |
57 |
--------------------------------------------------------------------------------
/firefox/background.js:
--------------------------------------------------------------------------------
1 | var tab_listeners = {};
2 | var tab_push = {}, tab_lasturl = {};
3 | var selectedId = -1;
4 |
5 | function refreshCount() {
6 | txt = tab_listeners[selectedId] ? tab_listeners[selectedId].length : 0;
7 | browser.tabs.get(selectedId, function(tab) {
8 | if (!browser.runtime.lastError) {
9 | browser.browserAction.setBadgeText({ "text": '' + txt, tabId: selectedId });
10 | if (txt > 0) {
11 | browser.browserAction.setBadgeBackgroundColor({ color: [255, 0, 0, 255] });
12 | } else {
13 | browser.browserAction.setBadgeBackgroundColor({ color: [0, 0, 255, 0] });
14 | }
15 | }
16 | });
17 | }
18 |
19 | function logListener(data) {
20 | browser.storage.sync.get({
21 | log_url: ''
22 | }, function (items) {
23 | if (items && items.log_url && items.log_url.length) {
24 | log_url = items.log_url;
25 | data = JSON.stringify(data);
26 | try {
27 | fetch(log_url, {
28 | method: 'post',
29 | headers: {
30 | "Content-type": "application/json; charset=UTF-8"
31 | },
32 | body: data
33 | });
34 | } catch (e) { }
35 | }
36 | });
37 | }
38 |
39 | browser.runtime.onMessage.addListener(function (msg, sender, sendResponse) {
40 | console.log('message from cs', msg);
41 | tabId = sender.tab.id;
42 | if (msg.listener) {
43 | if (msg.listener == 'function () { [native code] }') return;
44 | msg.parent_url = sender.tab.url;
45 | if (!tab_listeners[tabId]) tab_listeners[tabId] = [];
46 | tab_listeners[tabId][tab_listeners[tabId].length] = msg;
47 | logListener(msg);
48 | }
49 | if (msg.pushState) {
50 | tab_push[tabId] = true;
51 | }
52 | if (msg.changePage) {
53 | delete tab_lasturl[tabId];
54 | }
55 | if (msg.log) {
56 | console.log(msg.log);
57 | } else {
58 | refreshCount();
59 | }
60 | });
61 |
62 | browser.tabs.onUpdated.addListener(function (tabId, props) {
63 | console.log(props);
64 | if (props.status == "complete") {
65 | if (tabId == selectedId) refreshCount();
66 | } else if (props.status) {
67 | if (tab_push[tabId]) {
68 | //this was a pushState, ignore
69 | delete tab_push[tabId];
70 | } else {
71 | //if(props.url && tab_lasturl[tabId] && props.url.split('#')[0] == tab_lasturl[tabId]) {
72 | //same url as before, only a hash change, ignore
73 | //} else
74 | if (!tab_lasturl[tabId]) {
75 | //wipe on other statuses, but only if lastpage is not set (aka, changePage did not run)
76 | tab_listeners[tabId] = [];
77 | }
78 | }
79 | }
80 | if (props.status == "loading")
81 | tab_lasturl[tabId] = true;
82 | });
83 |
84 | browser.tabs.onActivated.addListener(function (activeInfo) {
85 | selectedId = activeInfo.tabId;
86 | refreshCount();
87 | });
88 |
89 | browser.tabs.query({ active: true, currentWindow: true }, function (tabs) {
90 | selectedId = tabs[0].id;
91 | refreshCount();
92 | });
93 |
94 | browser.runtime.onConnect.addListener(function (port) {
95 | port.onMessage.addListener(function (msg) {
96 | port.postMessage({ listeners: tab_listeners });
97 | });
98 | });
99 |
--------------------------------------------------------------------------------
/firefox/content_script.js:
--------------------------------------------------------------------------------
1 | /*
2 | History is needed to hijack pushState-changes
3 | addEventListener to hijack the message-handlers getting registered
4 | defineSetter to handle old way of setting onmessage
5 | beforeunload to track page changes (since we see no diff btw fragmentchange/pushstate and real location change
6 |
7 | we also look for event.dispatch.apply in the listener, if it exists, we find a earlier stack-row and use that one
8 | also, we look for jQuery-expandos to identify events being added later on by jQuery's dispatcher
9 | */
10 | var injectedJS = function(pushstate, msgeventlistener, msgporteventlistener) {
11 | var loaded = false;
12 | var originalFunctionToString = Function.prototype.toString;
13 | var m = function(detail) {
14 | var storeEvent = new CustomEvent('postMessageTracker', {'detail':detail});
15 | document.dispatchEvent(storeEvent);
16 | };
17 | var h = function(p) {
18 | var hops="";
19 | try {
20 | if(!p) p=window;
21 | if(p.top != p && p.top == window.top) {
22 | var w = p;
23 | while(top != w) {
24 | var x = 0;
25 | for(var i = 0; i < w.parent.frames.length; i++) {
26 | if(w == w.parent.frames[i]) x=i;
27 | };
28 | hops="frames["+x+"]" + (hops.length?'.':'') + hops;
29 | w=w.parent;
30 | };
31 | hops="top"+(hops.length?'.'+hops:'')
32 | } else {
33 | hops=p.top == window.top ? "top" : "diffwin";
34 | }
35 | } catch(e) {
36 |
37 | }
38 | return hops;
39 | };
40 | var jq = function(instance) {
41 | if(!instance || !instance.message || !instance.message.length) return;
42 | var j = 0; while(e = instance.message[j++]) {
43 | listener = e.handler; if(!listener) return;
44 | m({window:window.top==window?'top':window.name,hops:h(),domain:document.domain,stack:'jQuery',listener:listener.toString()});
45 | };
46 | };
47 | var l = function(listener, pattern_before, additional_offset) {
48 | offset = 3 + (additional_offset||0)
49 | try { throw new Error(''); } catch (error) { stack = error.stack || ''; }
50 | stack = stack.split('\n').map(function (line) { return line.trim(); });
51 | fullstack = stack.slice();
52 | if(pattern_before) {
53 | nextitem = false;
54 | stack = stack.filter(function(e){
55 | if(nextitem) { nextitem = false; return true; }
56 | if(e.match(pattern_before))
57 | nextitem = true;
58 | return false;
59 | });
60 | stack = stack[0];
61 | } else {
62 | stack = stack[offset];
63 | }
64 | listener_str = listener.__postmessagetrackername__ || listener.toString();
65 | m({window:window.top==window?'top':window.name,hops:h(),domain:document.domain,stack:stack,fullstack:fullstack,listener:listener_str});
66 | };
67 | var jqc = function(key) {
68 | m({log:['Found key', key, typeof window[key], window[key] ? window[key].toString(): window[key]]});
69 | if(typeof window[key] == 'function' && typeof window[key]._data == 'function') {
70 | m({log:['found jq function', window[key].toString()]});
71 | ev = window[key]._data(window, 'events');
72 | jq(ev);
73 | } else if(window[key] && (expando = window[key].expando)) {
74 | m({log:['Use expando', expando]});
75 | var i=1; while(instance = window[expando + i++]) {
76 | jq(instance.events);
77 | }
78 | } else if(window[key]) {
79 | m({log:['Use events directly', window[key].toString()]});
80 | jq(window[key].events);
81 | }
82 | };
83 | var j = function() {
84 | m({log:'Run jquery fetcher'});
85 | var all = Object.getOwnPropertyNames(window);
86 | var len = all.length;
87 | for(var i = 0; i < len; i++) {
88 | var key = all[i];
89 | if(key.indexOf('jQuery') !== -1) {
90 | jqc(key);
91 | }
92 | }
93 | loaded = true;
94 | };
95 | History.prototype.pushState = function(state, title, url) {
96 | m({pushState:true});
97 | return pushstate.apply(this, arguments);
98 | };
99 | var original_setter = window.__lookupSetter__('onmessage');
100 | window.__defineSetter__('onmessage', function(listener) {
101 | if(listener) {
102 | l(listener.toString());
103 | }
104 | original_setter(listener);
105 | });
106 | var c = function(listener) {
107 | var listener_str = originalFunctionToString.apply(listener)
108 | if(listener_str.match(/\.deep.*apply.*captureException/s)) return 'raven';
109 | else if(listener_str.match(/arguments.*(start|typeof).*err.*finally.*end/s) && listener["nr@original"] && typeof listener["nr@original"] == "function") return 'newrelic';
110 | else if(listener_str.match(/rollbarContext.*rollbarWrappedError/s) && listener._isWrap &&
111 | (typeof listener._wrapped == "function" || typeof listener._rollbar_wrapped == "function")) return 'rollbar';
112 | else if(listener_str.match(/autoNotify.*(unhandledException|notifyException)/s) && typeof listener.bugsnag == "function") return 'bugsnag';
113 | else if(listener_str.match(/call.*arguments.*typeof.*apply/s) && typeof listener.__sentry_original__ == "function") return 'sentry';
114 | else if(listener_str.match(/function.*function.*\.apply.*arguments/s) && typeof listener.__trace__ == "function") return 'bugsnag2';
115 | return false;
116 | }
117 |
118 | var onmsgport = function(e){
119 | var p = (e.ports.length?'%cport'+e.ports.length+'%c ':'');
120 | var msg = '%cport%c→%c' + h(e.source) + '%c ' + p + (typeof e.data == 'string'?e.data:'j '+JSON.stringify(e.data));
121 | if (p.length) {
122 | console.log(msg, "color: blue", '', "color: red", '', "color: blue", '');
123 | } else {
124 | console.log(msg, "color: blue", '', "color: red", '');
125 | }
126 | };
127 | var onmsg = function(e){
128 | var p = (e.ports.length?'%cport'+e.ports.length+'%c ':'');
129 | var msg = '%c' + h(e.source) + '%c→%c' + h() + '%c ' + p + (typeof e.data == 'string'?e.data:'j '+JSON.stringify(e.data));
130 | if (p.length) {
131 | console.log(msg, "color: red", '', "color: green", '', "color: blue", '');
132 | } else {
133 | console.log(msg, "color: red", '', "color: green", '');
134 | }
135 | };
136 | window.addEventListener('message', onmsg)
137 | MessagePort.prototype.addEventListener = function(type, listener, useCapture) {
138 | if (!this.__postmessagetrackername__) {
139 | this.__postmessagetrackername__ = true;
140 | this.addEventListener('message', onmsgport);
141 | }
142 | return msgporteventlistener.apply(this, arguments);
143 | }
144 |
145 | Window.prototype.addEventListener = function(type, listener, useCapture) {
146 | if(type=='message') {
147 | var pattern_before = false, offset = 0;
148 | if(listener.toString().indexOf('event.dispatch.apply') !== -1) {
149 | m({log:'We got a jquery dispatcher'});
150 | pattern_before = /init\.on|init\..*on\]/;
151 | if(loaded) { setTimeout(j, 100); }
152 | }
153 | //console.log('yo')
154 | //debugger;
155 | var unwrap = function(listener) {
156 | found = c(listener);
157 | //console.log('found', found)
158 | if(found == 'raven') {
159 | var fb = false, ff = false, v = null;
160 | for(key in listener) {
161 | var v = listener[key];
162 | if(typeof v == "function") { ff++; f = v; }
163 | if(typeof v == "boolean") fb++;
164 | }
165 | if(ff == 1 && fb == 1) {
166 | m({log:'We got a raven wrapper'});
167 | offset++;
168 | listener = unwrap(f);
169 | }
170 | } else if(found == 'newrelic') {
171 | m({log:'We got a newrelic wrapper'});
172 | offset++;
173 | listener = unwrap(listener["nr@original"]);
174 | } else if(found == 'sentry') {
175 | m({log:'We got a sentry wrapper'});
176 | offset++;
177 | listener = unwrap(listener["__sentry_original__"]);
178 | } else if(found == 'rollbar') {
179 | m({log:'We got a rollbar wrapper'});
180 | offset+=2;
181 | } else if(found == 'bugsnag') {
182 | offset++;
183 | var clr = null;
184 | try { clr = arguments.callee.caller.caller.caller } catch(e) { }
185 | if(clr && !c(clr)) { //dont care if its other wrappers
186 | m({log:'We got a bugsnag wrapper'});
187 | listener.__postmessagetrackername__ = clr.toString();
188 | } else if(clr) { offset++ }
189 | } else if(found == 'bugsnag2') {
190 | offset++;
191 | var clr = null;
192 | try { clr = arguments.callee.caller.caller.arguments[1]; } catch(e) { }
193 | if(clr && !c(clr)) { //dont care if its other wrappers
194 | listener = unwrap(clr);
195 | m({log:'We got a bugsnag2 wrapper'});
196 | listener.__postmessagetrackername__ = clr.toString();
197 | } else if(clr) { offset++; }
198 | }
199 | if(listener.name.indexOf('bound ') === 0) {
200 | listener.__postmessagetrackername__ = listener.name;
201 | }
202 | return listener;
203 | };
204 |
205 | if(typeof listener == "function") {
206 | listener = unwrap(listener);
207 | l(listener, pattern_before, offset);
208 | }
209 | }
210 | return msgeventlistener.apply(this, arguments);
211 | };
212 | window.addEventListener('load', j);
213 | window.addEventListener('postMessageTrackerUpdate', j);
214 | };
215 | injectedJS = '(' + injectedJS.toString() + ')'+
216 | '(History.prototype.pushState, Window.prototype.addEventListener, MessagePort.prototype.addEventListener)';
217 |
218 | document.addEventListener('postMessageTracker', function(event) {
219 | browser.runtime.sendMessage(event.detail);
220 | });
221 |
222 | //we use this to separate fragment changes with location changes
223 | window.addEventListener('beforeunload', function(event) {
224 | var storeEvent = new CustomEvent('postMessageTracker', {'detail':{changePage:true}});
225 | document.dispatchEvent(storeEvent);
226 | });
227 |
228 | (function() {
229 | switch(document.contentType) {
230 | case 'application/xml':
231 | return;
232 | }
233 | var script = document.createElement("script");
234 | script.setAttribute('type', 'text/javascript')
235 | script.appendChild(document.createTextNode(injectedJS));
236 | document.documentElement.appendChild(script);
237 | })();
238 |
--------------------------------------------------------------------------------
/firefox/icons/logo-200x200.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ACK-J/postMessage-tracker-firefox/5576e06efabf9638ddc5710537794059a22dde24/firefox/icons/logo-200x200.png
--------------------------------------------------------------------------------
/firefox/icons/logo-48.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ACK-J/postMessage-tracker-firefox/5576e06efabf9638ddc5710537794059a22dde24/firefox/icons/logo-48.png
--------------------------------------------------------------------------------
/firefox/icons/logo-96.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ACK-J/postMessage-tracker-firefox/5576e06efabf9638ddc5710537794059a22dde24/firefox/icons/logo-96.png
--------------------------------------------------------------------------------
/firefox/manifest.json:
--------------------------------------------------------------------------------
1 | {
2 | "manifest_version": 2,
3 | "name": "postMessage-tracker",
4 | "description": "Monitors and indicates postMessage-listeners in the current window.",
5 | "icons": {
6 | "48": "icons/logo-48.png",
7 | "96": "icons/logo-96.png"
8 | },
9 | "version": "1.1.1",
10 | "background": {
11 | "scripts": [
12 | "background.js"
13 | ]
14 | },
15 | "content_scripts": [
16 | {
17 | "matches": [
18 | ""
19 | ],
20 | "js": [
21 | "content_script.js"
22 | ],
23 | "run_at": "document_start",
24 | "all_frames": true
25 | }
26 | ],
27 | "options_ui": {
28 | "page": "options.html",
29 | "browser_style": true
30 | },
31 | "browser_action": {
32 | "default_popup": "popup.html"
33 | },
34 | "browser_specific_settings": {
35 | "gecko": {
36 | "id": "{0603add6-5628-4648-b2fb-634addb65ebd}"
37 | }
38 | },
39 | "permissions": [
40 | "tabs",
41 | "storage",
42 | ""
43 | ]
44 | }
45 |
--------------------------------------------------------------------------------
/firefox/options.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 | Log-URL:
8 |
9 |
10 |
11 |