FrogPost is a Chrome extension for security testing of postMessage communications between iframes. It combines static analysis, dynamic testing, and optional AI assistance to identify vulnerabilities in message-handling implementations.
Use FrogPost ethically and legally: only test applications you own or have permission to assess.
- Go to `chrome://extensions/` in Chrome
- Enable Developer mode (top-right toggle)
- Click Load unpacked and select the FrogPost folder
- Copy the Extension ID from the extensions page
```bash
bash setup.sh
```
This installs dependencies and sets up the local server for AI features.
- Visit any website with iframes
- Click the FrogPost extension icon
- Click Analyze Handler to detect vulnerabilities
- Click Launch Fuzzer to test with payloads
- Optional: Enable Auto Pilot for continuous automated scanning
- Optional: Use Upload URL List for bulk endpoint testing
- Click extension icon → Options
- Add your API key (OpenAI, Anthropic, or Google Gemini)
- Start server: `bash setup.sh start`
- Use "Analyze with LLM" for AI-powered insights
- Live Monitoring: Captures `postMessage` traffic between iframes in real time
- Handler Analysis: Detects and analyzes message handlers for vulnerabilities using runtime interception
- Zombie Handler Detection: Identifies registered handlers that haven't received messages yet (potential attack surface)
- Payload Testing: Launches crafted payloads to test security
- Auto Pilot Mode: Automatically scans new endpoints as they appear, testing them without manual intervention
- URL List Upload: Bulk import and scan multiple URLs from a text file for automated testing
- AI Enhancement: Optional LLM-powered analysis (requires server)
- Message Truncation: Large messages are automatically truncated for performance, with "Show Full" option to view complete data
- Missing origin validation in message handlers
- Unsafe DOM sinks (innerHTML, eval, etc.)
- Prototype pollution vulnerabilities
- XSS injection points in postMessage handlers
- Security misconfigurations in iframe communication
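To make the first four findings concrete, here is an added example (not FrogPost's own code) of a postMessage handler that has them next to a hardened version; the allow-list origin, the stand-in element and the sample message are assumed or constructed for the example, and it runs in Node without a browser.

```javascript
// Added example (not FrogPost code). Allow-list origin and sample messages are constructed.
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);
const BAD_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const fakeElement = () => ({ innerHTML: "", textContent: "" }); // stand-in for a DOM node
const isObj = (v) => typeof v === "object" && v !== null && !Array.isArray(v);

function naiveMerge(target, src) {             // copies every key, "__proto__" included
  for (const k in src) {
    target[k] = isObj(src[k]) ? naiveMerge(target[k] || {}, src[k]) : src[k];
  }
  return target;
}
function safeMerge(target, src) {              // own keys only, never the prototype chain
  for (const k of Object.keys(src)) {
    if (BAD_KEYS.has(k)) continue;
    const own = Object.prototype.hasOwnProperty.call(target, k) && isObj(target[k]);
    target[k] = isObj(src[k]) ? safeMerge(own ? target[k] : {}, src[k]) : src[k];
  }
  return target;
}
// Vulnerable: trusts any sender, parses markup, merges settings blindly.
function vulnerableHandler(event, el, settings) {
  const msg = JSON.parse(event.data);          // event.origin is never checked
  el.innerHTML = msg.html;                     // unsafe sink: sender-controlled markup
  naiveMerge(settings, msg.settings || {});    // "__proto__" key walks into Object.prototype
  return true;
}
// Hardened: exact-match origin allow-list, shape check, text sink, key-filtered merge.
function hardenedHandler(event, el, settings) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;   // exact match, not startsWith
  let msg;
  try { msg = JSON.parse(event.data); } catch { return false; }
  if (!isObj(msg) || typeof msg.html !== "string") return false;
  el.textContent = msg.html;                   // rendered as text, never parsed as HTML
  if (isObj(msg.settings)) safeMerge(settings, msg.settings);
  return true;
}
// Constructed sample: what a rogue frame might post to the handler.
const hostileEvent = { origin: "https://evil.example",
  data: '{"html":"<img src=x onerror=alert(1)>","settings":{"__proto__":{"polluted":true}}}' };

function demo(handler) {                       // returns what reached the sink and whether
  const el = fakeElement();                    // Object.prototype got polluted
  const accepted = handler(hostileEvent, el, {});
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted;            // undo so the rest of the process is unaffected
  return { accepted, html: el.innerHTML, polluted };
}
```

`demo(vulnerableHandler)` reports the markup reaching the sink and `polluted: true`; `demo(hardenedHandler)` rejects the message at the origin check.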
Enable automated scanning for continuous monitoring:
- Click the Auto Pilot toggle in the dashboard
- FrogPost will automatically detect and scan new endpoints as they appear
- Each endpoint is tested once with full handler analysis and fuzzing
- Results are displayed in real-time without manual interaction
Use Cases:
- Continuous monitoring during application navigation
- Automated testing of dynamic iframe loading
- Hands-free security assessment of complex applications
Bulk test multiple endpoints efficiently:
- Prepare a text file with one URL per line
- Click "Upload URL List" in the dashboard
- Select your file and let FrogPost process all URLs
- All endpoints are opened, analyzed, and tested automatically
Features:
- Batch processing of hundreds of URLs
- Automatic tab management and cleanup
- Parallel endpoint scanning
- Results aggregation in the main dashboard
```bash
# Start server
bash setup.sh start
# Check status
bash setup.sh status
# Stop server
bash setup.sh stop
```
Note: Basic features work without the server, but AI analysis requires it to be running.
| Provider | Models |
|---|---|
| OpenAI | gpt-4o, gpt-4o-mini, o3, o3-mini, o1, o1-mini |
| Anthropic | claude-opus-4-20250514, claude-sonnet-4-20250514, claude-3-5-sonnet-20241022, claude-3-5-haiku-20241022 |
| Google Gemini | gemini-2.5-pro-preview-06-05, gemini-2.5-flash-preview-05-20, gemini-2.0-flash, gemini-1.5-pro, gemini-1.5-flash |
- Configure API Keys: Click extension icon → Options
- Add your keys: Choose any supported provider above
- Start server: `bash setup.sh start`
- Use AI analysis: Click "Analyze with LLM" in the dashboard
- Handler Quality Score: 0-100 accuracy rating
- Security Assessment: Detailed vulnerability analysis
- Custom Payloads: AI-generated payloads for detected sinks
- Risk Recommendations: Specific security improvements
- Unified Analysis: Combined handler and message pattern analysis
Large postMessage payloads are automatically truncated for performance:
- Messages exceeding 50 keys, 50 array items, or 8 levels of nesting are truncated
- Truncated messages show a ⚠️ Truncated badge in the dashboard
- Click the "Show Full" button to request and display the complete message data
FrogPost identifies "zombie" handlers - message listeners that are registered but haven't received any messages:
- Zombie endpoints are marked with the 🧟 emoji
- These represent potential attack surface that may not be visible through normal traffic
- Useful for discovering handlers that only activate under specific conditions
| Issue | Solution |
|---|---|
| Server not running | Run `bash setup.sh start` |
| Connection failed | Check if Node.js is installed |
| Extension not loading | Enable Developer Mode in Chrome; run `chmod +x setup.sh` |
| AI features not working | Ensure server is running and API keys are configured |
| API key errors | Check key validity and provider selection |
- Server won't start: Check if port 1337 is available
- Extension crashes: Refresh the page and try again
- No messages captured: Ensure the site has iframe communication
- Analysis fails: Check browser console for error details
- Auto Pilot not scanning: Ensure endpoints are not in the ignored list and haven't been scanned already
- URL Upload fails: Verify file format (one URL per line, plain text)
- Show Full not working: Ensure the original tab with the message is still open
MIT License - see LICENSE for details.
- GitHub Repository: github.com/thisis0xczar/FrogPost
- Bug Reports: GitHub Issues
- Feature Requests: GitHub Discussions
🐸 Happy Security Testing! 🐸
Made with ❤️ by thisis0xczar