FrogPost: postMessage Security Testing Tool

FrogPost is a Chrome extension for security testing of postMessage communications between iframes. It combines static analysis, dynamic testing, and optional AI assistance to identify vulnerabilities in message-handling implementations.

Current Version: FrogPost v3.0.3 🔥

Preview

<p align="center" width="100%"> <img width="80%" src="FrogPost_final.gif"> </p>

---

⚠️ Security Disclaimer

Use FrogPost ethically and legally — only test applications you own or have permission to assess.

---

🚀 Quick Start

Step 1: Load Extension

1. Go to chrome://extensions/ in Chrome
2. Enable Developer mode (top-right toggle)
3. Click Load unpacked and select the FrogPost folder
4. Copy the Extension ID from the extensions page

Step 2: Setup Server

bash setup.sh

This installs dependencies and sets up the local server for AI features

Step 3: Start Using

1. Visit any website with iframes
2. Click the FrogPost extension icon
3. Click Analyze Handler to detect vulnerabilities
4. Click Launch Fuzzer to test with payloads
5. Optional: Enable Auto Pilot for continuous automated scanning
6. Optional: Use Upload URL List for bulk endpoint testing

Step 4: Enable AI Features (Optional)

1. Click extension icon → Options
2. Add your API key (OpenAI, Anthropic, or Google Gemini)
3. Start server: bash setup.sh start
4. Use "Analyze with LLM" for AI-powered insights

---

🎯 Core Features

• Live Monitoring: Captures postMessage traffic between iframes in real-time
• Handler Analysis: Detects and analyzes message handlers for vulnerabilities using runtime interception
• Zombie Handler Detection: Identifies registered handlers that haven't received messages yet (potential attack surface)
• Payload Testing: Launches crafted payloads to test security
• Auto Pilot Mode: Automatically scans new endpoints as they appear, testing them without manual intervention
• URL List Upload: Bulk import and scan multiple URLs from a text file for automated testing
• AI Enhancement: Optional LLM-powered analysis (requires server)
• Message Truncation: Large messages are automatically truncated for performance, with "Show Full" option to view complete data

What FrogPost Detects

• Missing origin validation in message handlers
• Unsafe DOM sinks (innerHTML, eval, etc.)
• Prototype pollution vulnerabilities
• XSS injection points in postMessage handlers
• Security misconfigurations in iframe communication

Auto Pilot Mode

Enable automated scanning for continuous monitoring:

1. Click the Auto Pilot toggle in the dashboard
2. FrogPost will automatically detect and scan new endpoints as they appear
3. Each endpoint is tested once with full handler analysis and fuzzing
4. Results are displayed in real-time without manual interaction

Use Cases:

• Continuous monitoring during application navigation
• Automated testing of dynamic iframe loading
• Hands-free security assessment of complex applications

URL List Upload

Bulk test multiple endpoints efficiently:

1. Prepare a text file with one URL per line
2. Click "Upload URL List" in the dashboard
3. Select your file and let FrogPost process all URLs
4. All endpoints are opened, analyzed, and tested automatically

Features:

• Batch processing of hundreds of URLs
• Automatic tab management and cleanup
• Parallel endpoint scanning
• Results aggregation in the main dashboard

---

🖥️ Server Management

# Start server
bash setup.sh start

# Check status
bash setup.sh status

# Stop server
bash setup.sh stop

Note: Basic features work without the server, but AI analysis requires it to be running.

---

🤖 AI Features (Optional)

Supported Providers

| Provider | Models | |----------|--------| | OpenAI | gpt-4o, gpt-4o-mini, o3, o3-mini, o1, o1-mini | | Anthropic | claude-opus-4-20250514, claude-sonnet-4-20250514, claude-3-5-sonnet-20241022, claude-3-5-haiku-20241022 | | Google Gemini | gemini-2.5-pro-preview-06-05, gemini-2.5-flash-preview-05-20, gemini-2.0-flash, gemini-1.5-pro, gemini-1.5-flash |

Setup AI Features

1. Configure API Keys: Click extension icon → Options
2. Add your keys: Choose any supported provider above
3. Start server: bash setup.sh start
4. Use AI analysis: Click "Analyze with LLM" in the dashboard

What AI Analysis Provides

• Handler Quality Score: 0-100 accuracy rating
• Security Assessment: Detailed vulnerability analysis
• Custom Payloads: AI-generated payloads for detected sinks
• Risk Recommendations: Specific security improvements
• Unified Analysis: Combined handler and message pattern analysis

---

🔧 Advanced Features

Truncated Message Handling

Large postMessage payloads are automatically truncated for performance:

• Messages exceeding 50 keys, 50 array items, or 8 levels of nesting are truncated
• Truncated messages show a ✂️ Truncated badge in the dashboard
• Click "📋 Show Full" button to request and display the complete message data

Zombie Handler Detection

FrogPost identifies "zombie" handlers - message listeners that are registered but haven't received any messages:

• Zombie endpoints are marked with 🧟 emoji
• These represent potential attack surface that may not be visible through normal traffic
• Useful for discovering handlers that only activate under specific conditions

---

🧪 Troubleshooting

| Issue | Solution | |-------|----------| | ❌ Server not running | Run bash setup.sh start | | 🔌 Connection failed | Check if Node.js is installed | | 📱 Extension not loading | Enable Developer Mode in Chrome | | ⚠️ Permission denied | Run chmod +x setup.sh | | 🤖 AI features not working | Ensure server is running and API keys are configured | | 🔑 API key errors | Check key validity and provider selection |

Common Solutions

• Server won't start: Check if port 1337 is available
• Extension crashes: Refresh the page and try again
• No messages captured: Ensure the site has iframe communication
• Analysis fails: Check browser console for error details
• Auto Pilot not scanning: Ensure endpoints are not in the ignored list and haven't been scanned already
• URL Upload fails: Verify file format (one URL per line, plain text)
• Show Full not working: Ensure the original tab with the message is still open

---

📄 License

MIT License - see LICENSE for details.

---

🔗 Useful Links

• GitHub Repository: github.com/thisis0xczar/FrogPost
• Bug Reports: GitHub Issues
• Feature Requests: GitHub Discussions

---

<p align="center"> <b>🐸 Happy Security Testing! 🐸</b> </p>

Made with ❤️ by thisis0xczar