DigiNinja avatar

DigiNinja's HTML5 postMessage Lab

See the following blog posts by Frans Rosén about why you should pay attention to postMessage:

For more information on this lab, and the rest of my work, see my site.


This area lets you play with the different aspects of postMessage, you can send messages in different ways and also play with the receiver to see how that affects things.

Go to the demo

Challenge 1

Play a game of guess the number while looking for vulnerabilities in the game server. The developers did not do a good job so there is more than one to find.

Note: For this challenge to work, you must allow pop-ups for this domain in your browser.

Play the game

Challenge 2

In this lab, the parent page loads a login form in an iframe. Once a user has logged in through this form, the child window sends the session token back to the parent using a postMessage call.

The challenge is to create a scenario where you can steal the session token as the user logs in.

Steal the token

Challenge 3

This lab demonstrates postMessage being used to send log messages to a central log server.

Your mission is to find a way to use postMessage to inject fake messages into the log.

Fake the log

Lab created by Robin Wood - DigiNinja