In light of the recent COVID-19 pandemic - OPTASY would like to offer DRUPAL website support for any Healthcare, Government, Education and Non-Profit Organization(s) with critical crisis communication websites or organizations directly providing relief. Stay Safe and Stay Well.

HTML5 security - Cross domain messaging

HTML5 security - Cross domain messaging

by Adrian Ababei on Jun 29 2016

HTML5 is a technology for the next generation web applications and has come with a lot of new features to the web. In the mobile app world HTML5 applications are widely used. Besides a lot of features, HTML5 has brought to the table various attack vectors. Before talking about security concepts of cross domaing messaging, we need to understand the basics of the HTML implementation of cross domaing messaging.

Cross domain messaging

Because of the same origin policy restrictions before HTML5, sending messages between Windows was only possible if both Windows used the same protocol, port, and host. With the introduction of HTML5, all those restrictions are gone and we can now pass messages across domains without having to worry about Same Origin Policy restrictions. HTML5 has a new method called postMessage(). Using this, we can pass messages between windows regardless of their origin. Below is the syntax of postMessage().

Sending window

otherWindow.postMessage(message, targetOrigin, [transfer]); ‘otherWindow’ is a reference to another window. ‘Message’ is the message to be passed to the receiving window. ‘targetOrigin’ refers tothe URL of the receiving window. If we don’t have any specific preference, we can specify it as “*”. Specifying “*” as ‘targetOrigin’ has some security implications we will discuss in later sections of this article. ‘Transfer’ is optional.

Receiving window

When otherWindow.postMessage() is executed, a messageEvent will be dispatched at the receiver window. We can receive the message dispatched by the sender using the following code snippet. window.addEventListener("message",receiveMessage, false); function receiveMessage(event){ if (event.origin !== "https://goo.gl/Brmfny") return; // ... } From the above code snippet, we can access the data and origin of this message as shown below. ‘event.origin’ gives the origin of the message (the URI from which we are receiving this message). ‘event.data’ gives the actual message being sent. Now, we have got some basic knowledge of what cross domain messaging in HTML5 is and how it is implemented in the applications. Let us now see the security implications of cross domain messaging. For demonstration purposes, we have set up the following lab. A: https://goo.gl/SN1Ow B: https://goo.gl/MTtd As we can see, we have two different ports on the above two URLs. The first URL is running on port 8387 and the second URL is on the default port 80. So, it is obvious that they have two different origins, since the port numbers are different. In our lab setup, A is the message sender and B is the receiving window. We are going to load the second URL https://goo.gl/MTtd as an iframe in the first URL. I can send messages from the domain https://goo.gl/SN1Ow to the domain https://goo.gl/MTtd using the postMessage method. We can check it by clicking the “Send Message” button as shown below. The iframe which is loaded into the first URL is from a different origin, but we are able to send a message to it using HTML5’s postMessage() method. Now, let us look at some scenarios where this postMessage() implementation can introduce vulnerabilities into our applications.

Case one

Code at sender:

receiver.postMessage('Hi There..!', '*');< When the sender has the above code where he specifies the target origin with a wildcard “*”, an unintended recipient (window) can receive this message from the sender. Since the receiving window is listening for incoming messages, anyone can load it into an iframe and can listen for the messages coming to it. So, it is a bad idea to give a wildcard when passing sensitive data to the receiving windows.

How to fix this:

It is possible to fix this just by adding the specific target in the target field. So, in this case https://goo.gl/MTtd is the only origin that can receive this message. This is as shown below. receiver.postMessage('Hi There..!', ' two

Code at receiving window:

function receiveMessage(e) { do something..! } In the above code, we are receiving the message from the sender and directly processing it without checking who sent this message. It is always important to check the origin of the message to prevent receiving messages from unauthorised senders.

How to fix this:

function receiveMessage(e) { if (e.origin !== "") return; do something..! } Always validate the origin from which you want to receive the messages. In our case, we want to receive messages only from . So, we are making a simple check to see if the message is coming from using the property event.origin. If this is not matching, we won’t receive the message.

Case three

The next attack vector is the infamous cross site scripting. Both the sender as well as receiver should always validate the messages being passed. If the data is inserted into HTML DOM without proper validation, then the application becomes vulnerable to DOM based cross site scripting. The following code snippet shows how an application may become vulnerable when a malicious message is received from the attacker and it is inserted into the receiver’s HTML DOM using innerHTML property.

Sender

receiver.postMessage("< img src='x' onerror=alert(1); >", ' receiveMessage(e) { if (e.origin !== "") return; messageEle.innerHTML = "Message from localhost:8387: " + e.data; } When the above code is executed, it causes an XSS in the receiving window as shown in the figure below.

How to fix this:

The easiest way to fix this issue is to assign the data value to an element using textContent rather than using innerHTML. This is done as shown below.

Sender:

receiver.postMessage("< img src='x' onerror=alert(1); >", ' receiveMessage(e) { if ( e.origin !== "") return; element.textContent = " Message from localhost:8387: " + e.data; } When the above code is executed, we should see the text displayed in the receiving frame as “data” rather than code.

Source: http://www.developer-tech.com

Development

We do Web development

Go to our Web development page!

Visit page!

Recommended Stories

Drupal Commerce vs. Magento - Who Wins the Battle for eCommerce?
  In 2021, it is expected that about 27.2% of the world population will shop online at least once.  A lot of potential customers out there, right? As eCommerce is becoming the new norm, digital businesses seek out ways to thrive in this competitive landscape and position themselves as leading trend-setters.  To do that, companies need to realize the power of digital transformation and how they can embrace it in order to support the modern demands of speed and accessibility that customers require today.  This starts with leveraging the right tools for building robust digital assets. One of these tools is represented by eCommerce platforms, which are getting increasingly popular for businesses that seek to deploy an eCommerce system.  Drupal Commerce and Magento are two of the leading eCommerce solutions on the market and are often seen as direct competitors in the industry.  This article provides a side-by-side comparison of these two platforms in regards to technical capabilities, development, costs, scalability, security, and mobile responsiveness. Hopefully, this information will help you narrow down your choice in order to ensure that you choose the best fit for your business needs.    Key eCommerce Capabilities Enabled by Drupal and Magento Drupal Commerce was released in 2011 and offers an open-source application framework that supports retailers in building and managing inventory, track orders, or handle payments.  Magento's initial release was in 2008. This PHP-based eCommerce site provides high levels of PayPal protocol integration and supports 12 worldwide payment gateways.  Both platforms offer, through native features or third-party add-ons, the following benefits: Intuitive, easy-to-use user interface and control panels. No technical knowledge is required to customize and edit basic features. Full-featured CMS that supports social sharing. Business-centric structure for online stores. Native integration of inventory-driven advertising material Integration capabilities with third-party analytics, invoicing, or quoting solutions One thing to keep in mind is that neither of these eCommerce platforms is a "plug and play" solution and making the most out of their potential may require further expertise.    Headless eCommerce The headless version of Drupal Commerce has been in the spotlight in the last few years. This new initiative is an eCommerce solution that stores and delivers content without a front-end delivery layer. It's an API-driven implementation that transforms eCommerce functionality, making it available across a wide range of potential host environments.  A headless eCommerce model inclines towards a more SaaS-oriented, platform-agnostic solution that allows for better employee adoption and considerable time savings across IT departments.  When it comes to Magento, the open-source eCommerce platform, headless eCommerce is equally prioritized. Both Drupal Commerce and Magento are supporting headless models as the future of eCommerce.    Pricing Drupal eCommerce's technical cost of entry is free. However, depending on scope and scale, the costs of developing and maintaining performant and secure eCommerce servers might reach tens of thousands of dollars.  Drupal Commerce project costs are directly proportional with a business needs for specific development architecture, module integrations, custom theme styling, or particular feature integrations.  Magento's newer modules are not offered as open-source and upgrading from Magento Open Source to Magento Commerce might be challenging.  From this financial point of view, Drupal Commerce seems to be a clear winner.    Scalability Drupal Commerce has relevant capabilities of staying highly performant at scale. However, this CMS platform does not provide out-of-the-box database sharding and it can only be implemented on a third-party basis.  Drupal Commerce has lower requirements than Magento Commerce when it comes to the web server—the minimum required RAM for PHP is 64 MB and production systems usually require 128 or 256 MB.  Drupal Commerce-based implementation splits the eCommerce experience across three related Drupal domains. As a result, scaling is better, bottlenecks are eliminated, and the content and purchasing experiences are efficiently separated.  On the other hand, Magento's cloud hosting solves a large number of scalability issues, although at a higher price. The minimum RAM requirement of 2 GB will probably not scale well and distributed networks or caching may need to be deployed with greater care to keep up with the heavy load.    Security Drupal is proven to be the most secure CMS and Magento's infection rate is much higher than Drupal's. From the point of view of security, Drupal Commerce is a winner for businesses that want to prioritize secure platforms.  Source: Sucuri.net   Mobile Responsiveness As most websites transition to a mobile-first approach, eCommerce platforms that prioritize mobile responsiveness are a must.  Fortunately, both Magento Commerce and Drupal Commerce provide robust mobile capabilities to satisfy the need for accessibility and performance.  Drupal Commerce's themes allow building a fully responsive design for eCommerce websites and offer screen flexibility for creating versatile experiences. The most popular themes like Corolla or eStore provide: Multi-level responsive header menus Custom layouts and color options Box shadow and background textures Custom field additions Magento Commerce is close to Drupal when it comes to mobile optimization capabilities. Its responsive web design features help users create optimal viewing experiences for multiple devices. Magento Blank or Luma are out-of-the-box themes that deliver a fully responsive design.   Who's the winner for eCommerce? While both Drupal Commerce and Magento Commerce are reliable options for a digital company that wants to thrive in the eCommerce market, every business has its own unique needs and requirements. Choosing the software that best supports these needs is a process that involves a lot of research and planning.  If you want to speed up this process and ensure that you reach the right decision, don't hesitate to contact Optasy for professional advice and support.  Discover which platform is most suited to provide a robust eCommerce experience for you and your customers.  Photo credit: Mark Konig on Unsplash.   ... Read more
Raluca Olariu / Apr 06'2021
Drupal DevOps Best Practices for 2021
  Today, businesses interact with their customers in many forms of digital services on all kinds of devices. As the digital world is more and more present in our lives, delivering streamlined experiences at the tip of your customers' fingers is the key to success.  A vital role in delivering rapid, accessible IT services is played by DevOps, a set of practices that brings software development and IT operations together. And when it comes to Drupal web development, DevOps represents a valuable instrument that can maximize the potential of Drupal-delivered projects.    How does DevOps work and what benefits does a DevOps model deliver? DevOps, the culture that encompasses most digital businesses today, uses automation and advanced tech stacks to add a new layer of velocity to a company's infrastructure. “DevOps represents a change in IT culture, focusing on rapid IT service delivery through the adoption of agile, lean practices in the context of a system-oriented approach. DevOps emphasizes people (and culture) and seeks to improve collaboration between operations and development teams. DevOps implementations utilize technology — especially automation tools that can leverage an increasingly programmable and dynamic infrastructure from a life cycle perspective”. - Gartner, Inc. Businesses that incorporate a DevOps model into their workflows see benefits like:   Scalability. Fundamental processes like infrastructure and development are operated at scale, which allows for a more efficient approach to developing, testing, and producing environments in a repeatable and streamlined way. Faster and more reliable delivery. The modern customer's need for speed is real, and DevOps can support organizations in their quest to speeding up feature releases, bug fixes, and other types of upgrades. Continuous integration and delivery are two critical practices that can automate the release process. High velocity. Adopting an efficient DevOps model allows professionals to build digital innovations faster and keep up with the trends imposed by ever-changing markets. Security. When adopting DevOps, you don't have to compromise on safety as DevOps models provide automated compliance policies and configuration management mechanisms.   DevOps best practices To make the most out of DevOps, there are some key practices to follow when implementing your model:   Leverage microservices architecture, which allows breaking down large systems into more specific, independent projects. As a result, developers and architects have more flexibility over managing these projects, and applications are more pliable and allow faster innovation. Install minor updates on a regular basis to solve issues and fix bugs quicker. The DevOps model aids companies in deploying updates more often and constantly optimizing their ongoing processes. Use continuous integration and continuous delivery to overcome operational challenges in complex development workflows.  Don't forget about infrastructure as a code, as automating your infrastructure provides better computing resources and higher responsiveness to possible alterations.    DevOps for Drupal development Implementing a DevOps model into your Drupal development workflow will not only accelerate your development cycle and delivery but will also contribute to better user experiences and business outcomes.  As more companies are adopting DevOps models (according to a recent report, 60% of businesses are using or are considering DevOps for their organization), it is expected that DevOps will gradually become even more essential for any digital business. With this growth will come better opportunities for building future-ready Drupal deployments and web experiences suited for the modern customer’s complex needs.    Wrapping Up DevOps continues to grow in new industries, opening possibilities for enhancing security, product monitoring, development, and cluster computing. As it will become the new norm, DevOps will continue to integrate more departments, improve solutions and designs.  As we've seen, DevOps models can also support a Drupal development team that focuses on improving project timelines and delivery. Optasy is the right partner for fostering digital innovation and can help you create customized Drupal digital experiences.  What do you need support with?  Photo credit: PCB-Tech on Pixabay.   ... Read more
Raluca Olariu / Apr 02'2021
8 Must-Have WordPress Plugins for Better UX
  Modern WordPress web development screams: plugins plugins plugins! How do you respond? Which are the best plugins that can provide better user experiences (UX) to support your website's success? How can you choose wisely when there are hundreds of them available on the market? You're in luck! This article highlights seven UX-enriching plugins that must be part of your WordPress arsenal. But first, what are these plugins, and how can they benefit your website? WordPress plugins or extensions are a great way to customize and personalize your website to improve your SEO and UX capabilities. Plugins extend existing website functionality and enhance your site's performance. You can opt-in for minor tweaks, or you can go the extra mile and perform massive changes to your website with the use of various extensions.    8 Top WordPress plugins that deliver streamlined user experiences   1. Backup Buddy Backup is not an option if you're looking to succeed in properly managing your website—it's a necessity. Backup Buddy works as a classic backup, and it allows users to store data from multiple WordPress sites.  This plugin is known for being safe, quick, and reliable, which ensures user satisfaction. BackBuddy comes at affordable rates and can be upgraded according to the needs of each business.     Source    2. KeyCDN Another WordPress extension that works in your visitors’ favor is KeyCDN, a winner when it comes to WordPress plugins that speed up your website's loading time. This plugin helps your site perform better without compromising on ease of use or simplicity.  In the modern era, digital consumers are used to fast, streamlined experiences and don't settle for less than this standard. That's why supercharging your website with a speed-enhancing extension will add value to your brand and meet your users' need for speed.  Source     3. WPForms WPForms is the best WordPress contact form plugin. The features that make this extension a user-friendly and powerful WordPress form builder are:   Pre-built form templates that save time Mobile-friendly and responsive on tablets, desktop Drag &amp; drop form builder without writing code Easily collect payments and online orders Spam protection Easy to embed in other pages like blog posts This plugin lets you build online forms faster, and it is a must for any site that puts the user at the center of the business.   Source   4. Yoast SEO Since 68% of online experiences begin with a search engine, you want to take SEO seriously. The most popular WordPress SEO plugin is Yoast SEO. You can use it for on-site optimization and for enhancing your online presence. This extension allows you to change a page's meta description, add additional information on your content, and optimize for high-performing keywords. In this digital marketing era, SEO-friendly websites perform better, attract more visitors, and boost engagement—install your WordPress SEO plugin now and improve your online posture.   Source   5. WPtouch Speaking of trends, mobile usage is gaining traction, and businesses need to adapt to this new reality. More precisely, by 2021, the number of worldwide smartphone users is expected to reach 3.8 billion. In this context, mobile optimization is a requirement for any brand that wants to build long-lasting business relationships. A WordPress plugin that can make your site mobile-friendly is WPtouch. This popular mobile solution provides a simple and elegant way of optimizing WordPress sites for mobile. It enables a mobile-friendly version of your website that passes the Google Mobile test and ensures your SEO rankings do not drop due to not having a mobile-friendly website.    Source   6. MonsterInsights Many consider this to be the most powerful and user-friendly WordPress analytics plugin in the market. It connects with Google Analytics and supports reliable and efficient website traffic monitoring. MosterInsights can tell you where your users come from, how much time they've spent on your site, or which pages are they most interested in. Measuring different user experiences metrics and working on enabling better ways to keep your visitors happy is an essential element that helps you grow your business. Among the top features are: Google Analytics dashboard Real-time stats Universal tracking across devices and campaigns GDPR friendly Improved eCommerce tracking Google Optimize for A/B testing   Source   7. Defender Cybercrime has risen by 600% in the last year due to the worldwide pandemic. If your security efforts were prioritized until now, that's good. However, with cybersecurity now being constantly threatened, your site's protection should be at the top of the list.  A reliable WordPress plugin that supports and improves your security posture. In just a few clicks, you get closer to stopping brute force attacks, cross-site scripting XSS, SQL injections, and other WordPress vulnerabilities and hacks.  Defender protects your website with the following features: Two-factor authentication  Login lockout WordPress security firewall Geolocation IP lockout 404 detection Login masking Source   8. userTrack One of the most efficient ways to understand your users' needs is by analyzing their behavior. The userTrack plugin is the right solution for that.  By installing it, you can view click heatmaps, mouse interactions on your website, or even complete recordings of user activity on your site. userTrack provides a wide range of useful statistics that help you build your user's persona and profile to deliver better experiences for your audience.    Source   You've made it! You now have a better perspective of which plugin might benefit your website the most, and you can start optimizing your content and strategies to match your visitors’ needs.  Remember, in the era of digital businesses, the winning approach is user-centric. That's why working to deliver better website experiences for your users is so important. Fortunately, plugins and extensions can make the job of optimizing and managing websites much more accessible.  The same can be said about Optasy, a reliable partner in building and maintaining a robust online presence. From web development and digital strategies to design and maintenance, Optasy is here to add digital value to your business.    Photo credit: Markus Winkler on Unsplash.          ... Read more
Raluca Olariu / Mar 31'2021