  • Stars: 1,006
  • Rank: 45,677 (Top 0.9 %)
  • Language: JavaScript
  • License: MIT License
  • Created over 7 years ago
  • Updated 10 months ago


Repository Details

A Chrome Extension to track postMessage usage (url, domain and stack) both by logging using CORS and also visually as an extension-icon

postMessage-tracker

Made by Frans Rosén. Presented during the "Attacking modern web technologies"-talk (Slides) at OWASP AppSec Europe back in 2018, but finally released in May 2020.

This Chrome extension monitors postMessage listeners by showing you an indicator with the number of listeners in the current window.

It supports tracking listeners in all subframes of the window. It also keeps track of short-lived listeners and listeners that are only enabled upon interaction. You can also log the listener functions and their locations, to look through them at a later stage, by using the Log URL option in the extension. This lets you find hidden listeners that are only enabled for a short time inside an iframe.

It also shows you the interaction between windows inside the console and will specify the windows using a path you can use yourself to replay the message:

It also supports tracking communication happening between different windows, using diffwin as sender or receiver in the console.

Features

  • Supports Raven, New Relic, Rollbar, Bugsnag and jQuery wrappers and "unpacks" them to show you the real listener.

  • Tries to bypass and reroute wrappers so the Devtools console will show the proper listeners:

Using New Relic:

After, with postMessage-tracker:

Using jQuery:

After, with postMessage-tracker:

  • Allows you to set a Log URL in the extension options, so that all information about each listener (its location and the function body) is submitted to that endpoint and can be reviewed later. You can find the options under Extension Options after clicking the extension on the chrome://extensions page:

  • Supports anonymous functions. Chrome cannot stringify an anonymous function, so in those cases you will see the bound-string as the listener:
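As an added example, not code from the postMessage-tracker extension itself: a minimal model of the hooking the features above describe, run against a constructed window stand-in so it executes offline in Node. It wraps addEventListener and removeEventListener to record every 'message' listener with its source text and registration stack, keeps entries for short-lived listeners that were later removed, and unpacks wrapped handlers before logging. The `__inner__` property it follows is an assumed wrapper convention for this example, not a field used by Raven, New Relic, Rollbar, Bugsnag or jQuery; a real unpacker needs per-library logic (jQuery, for instance, keeps the handlers in its own event data behind a single dispatcher function rather than on the wrapper itself).

```javascript
// Constructed stand-in for a browser window: just enough of EventTarget to
// run in Node. In the browser the same hook is applied to `window`.
function makeFakeWindow() {
  const listeners = new Map();
  return {
    addEventListener(type, fn) {
      if (!listeners.has(type)) listeners.set(type, new Set());
      listeners.get(type).add(fn);
    },
    removeEventListener(type, fn) {
      if (listeners.has(type)) listeners.get(type).delete(fn);
    },
    dispatchEvent(ev) {
      for (const fn of listeners.get(ev.type) || []) fn(ev);
      return true;
    },
  };
}

// Unpack a wrapped listener: follow the (assumed, example-only) `__inner__`
// link until the real handler is reached. The `seen` set guards against
// wrappers that point at each other in a cycle.
function unwrapListener(fn) {
  let inner = fn;
  const seen = new Set();
  while (typeof inner === 'function' && typeof inner.__inner__ === 'function' && !seen.has(inner)) {
    seen.add(inner);
    inner = inner.__inner__;
  }
  return inner;
}

// Install the hook on a window-like object. Returns a registry with one entry
// per 'message' listener ever added; removed listeners stay in the registry
// with active=false, which is how short-lived listeners remain visible.
function installMessageListenerTracker(win) {
  const registry = [];
  const origAdd = win.addEventListener.bind(win);
  const origRemove = win.removeEventListener.bind(win);

  win.addEventListener = function (type, listener, options) {
    if (type === 'message' && typeof listener === 'function') {
      const real = unwrapListener(listener);
      registry.push({
        wrapped: real !== listener,
        source: Function.prototype.toString.call(real),
        // Registration call site: the location a Log URL endpoint would receive.
        stack: new Error('message listener registered').stack,
        active: true,
        raw: listener,
      });
    }
    return origAdd(type, listener, options);
  };

  win.removeEventListener = function (type, listener, options) {
    if (type === 'message') {
      for (const entry of registry) {
        if (entry.raw === listener) entry.active = false;
      }
    }
    return origRemove(type, listener, options);
  };

  return registry;
}

// Number of listeners currently active: the count an extension badge would show.
function activeListenerCount(registry) {
  return registry.filter((e) => e.active).length;
}

// Demo with constructed listeners covering the cases the tracker handles.
function demo() {
  const win = makeFakeWindow();
  const registry = installMessageListenerTracker(win);
  const received = [];

  // Plain listener, registered directly.
  function handleMessage(ev) { received.push(ev.data); }
  win.addEventListener('message', handleMessage);

  // Listener wrapped the way an error-reporting SDK might wrap it.
  function realHandler(ev) { return 'real:' + ev.data; }
  const wrapped = function (ev) { return realHandler(ev); };
  wrapped.__inner__ = realHandler; // assumed convention, see lead-in
  win.addEventListener('message', wrapped);

  // Short-lived listener: added, then removed before any message arrives.
  const temp = () => {};
  win.addEventListener('message', temp);
  win.removeEventListener('message', temp);

  // Listeners for other event types are ignored by the tracker.
  win.addEventListener('click', () => {});

  // The hook must not break delivery: the original listeners still run.
  win.dispatchEvent({ type: 'message', data: 'hello' });

  return { registry, received };
}
```

In the browser the extension runs this kind of hook from a content script before page scripts execute, so that listeners registered at load time are caught; the stack captured at registration is what distinguishes a listener added by the page from one added by a third-party script in a subframe.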

Known issues

Since some websites can be served as XML with an XHTML namespace, the extension will also attach itself to plain XML files and be rendered at the top of the XML. This might confuse you if you look at XML files in the browser, as the complete injected script is in the DOM of the XML. I haven't found a way to hide it from real XML files while still supporting XHTML namespaces.

More Repositories

1. bountyplz (Shell, 440 stars): Automated security reporting from markdown templates (HackerOne and Bugcrowd are currently the platforms supported)
2. template-generator (JavaScript, 248 stars): A simple variable-based template editor using handlebarjs+strapdownjs. The idea is to use variables in markdown-based files to easily replace the variables with content. Data is saved temporarily in local storage. PHP is only needed to generate the list of files in the dropdown of templates.
3. unpack-burp (PHP, 49 stars): For unpacking base64:ed "Save items"-content from Burp (from search + proxy history)
4. bountytpl (Shell, 45 stars): bountytpl – template generator CLI. By using a template similar to the ones for Template Generator (https://github.com/fransr/template-generator) you can combine it with a JSON to produce a proper report.
5. hot-jar-swapping-urlclassloader (Java, 30 stars): Demo of the URLClassLoader JAR-swapping showing the ability to replace and exploit an already loaded JAR with inner classes
6. detectify-cli (Shell, 6 stars): Detectify API v2 CLI using bash
7. WSDL-Viewer-for-PHP (PHP, 6 stars): Used to get a visible overview of a WSDL service. The class will also show a test request/response built up according to the spec.
8. epl2html-render (PHP, 5 stars): Will render an EPL in simple HTML. Good for creating EPLs.
9. posten-mypack-label-pdf (PHP, 2 stars): Generating a MyPack-label PDF using TCPDF
10. test111 (HTML, 2 stars)
11. Time-Register (2 stars): AIR application doing time reporting using Google Calendar API
12. YS-Filter (2 stars): Fast JavaScript filter that collects information about products and creates filtering options out of them.
13. li-shortblock (JavaScript, 2 stars): Chrome Extension that adds a shortcut on LinkedIn to block users from the feed view
14. heroku-buildpack-letsencrypt (Shell, 1 star)
15. .well-known (1 star)
16. test123 (HTML, 1 star)
17. heroku-buildpack-s3 (Shell, 1 star)