Post Apocalypse is a tool for researching postMessage communication, it allows you to track, explore and exploit postMessages vulnerabilities, with many abilities, like replay messages sent between windows of any attached browser.
Node required to be pre installed
git clone https://github.com/gourarie/post-apocalypse.git
cd post-apocalypse
npm install
- Make sure posta server is up and running (via
node posta.js
) - Use one of the proxy-helpers to inject agent.js
- Make sure your browser is passing through the proxy and agent.js found in responses
head
tag - Browse to http://localhost:28010/ and hack
Post Apocalypse needs 2 basic features to be implemented:
- agent.js to be injected on each HTML response head tag (easily done via proxy-helpers)
- posta.js server to be up and running
The agent.js hooks and wraps postMessages' receievers in order to intercept postMessages by overwrite all event listeners related to messages handling, each postMessage received by the window managed by agent.js, will be sent to posta.js server, which allows you to view all postMessages on the post-apocalypse UI in order to allow you perform your research easily.
Chen Gour Arie
Barak Tawily
Omer Yaron