birch-jayton / message-postinator

postMessage() vulnerability tester

message-postinator

A tool for testing the security of apps that leverage postMessage()

Try it now: postinator.jaytonbirch.com

What is this for?

The problem

A web client is vulnerable to poisonous messaging when it:

  • reflects user-defined iframes
  • listens for messages without source-checking

Check out the MDN docs regarding security concerns with postMessage().
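To illustrate the second condition above, here is a listener that accepts any message next to one that checks the sender first. This is an added example, not code from message-postinator; the origins, message type, frame stand-ins and function names are assumptions constructed for the demonstration.

```javascript
// Added example. Handlers take a MessageEvent-like object so the same logic
// runs in Node and in a browser. Origins and names are constructed.
const TRUSTED_ORIGINS = new Set(["https://widgets.example.com"]); // assumption

// Vulnerable: applies any message, regardless of which frame posted it.
function vulnerableHandler(event, state) {
  if (event.data && event.data.type === "set-display-name") {
    state.displayName = event.data.value;
    return true;
  }
  return false;
}

// Hardened: verify sender origin, sender window and payload shape first.
function hardenedHandler(event, state, expectedSource) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false; // unknown origin
  if (event.source !== expectedSource) return false; // not the frame we embedded
  const d = event.data;
  if (typeof d !== "object" || d === null) return false;
  if (d.type !== "set-display-name") return false;
  if (typeof d.value !== "string" || d.value.length > 64) return false;
  state.displayName = d.value;
  return true;
}

// Stand-ins for iframe.contentWindow references (constructed).
const trustedFrame = { name: "trusted-widget" };
const reflectedFrame = { name: "user-defined-iframe" };
const msg = (value) => ({ type: "set-display-name", value });

// Constructed sample events covering each check.
const SAMPLE_EVENTS = [
  { label: "trusted widget", origin: "https://widgets.example.com", source: trustedFrame, data: msg("Alice") },
  { label: "reflected iframe", origin: "https://untrusted.example", source: reflectedFrame, data: msg("injected") },
  { label: "right origin, wrong frame", origin: "https://widgets.example.com", source: reflectedFrame, data: msg("injected") },
  { label: "malformed payload", origin: "https://widgets.example.com", source: trustedFrame, data: msg({ nested: true }) },
];

function runDemo() {
  return SAMPLE_EVENTS.map((e) => ({
    label: e.label,
    vulnerable: vulnerableHandler(e, {}),
    hardened: hardenedHandler(e, {}, trustedFrame),
  }));
}

// Browser wiring (frame is the iframe element you created):
// window.addEventListener("message", (e) => hardenedHandler(e, state, frame.contentWindow));
console.table(runDemo());
```

The vulnerable handler accepts all four sample events; the hardened one accepts only the first.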

Using message-postinator

Blaster Builder

message-postinator can be used to build webpages that post messages that you define to the frame's parent. You can then test web apps that reflect user-defined iframes by using the message blaster that you created.

Playground

You can test your Blasters in the playground.

License: MIT License

Languages: TypeScript 92.0%, CSS 3.4%, JavaScript 2.6%, HTML 2.0%