Postmessage Outgoing Tracker

ID: postmessage-outgoing-tracker

Severity: info

Author: LogicalHunter

Tags: headless,postmessage

Description

YAML Source

id: postmessage-outgoing-tracker

info:
  name: Postmessage Outgoing Tracker
  author: LogicalHunter
  severity: info
  reference:
    - https://appcheck-ng.com/html5-cross-document-messaging-vulnerabilities/
  tags: headless,postmessage

headless:
  - steps:
      - action: setheader
        args:
          part: response
          key: Content-Security-Policy
          value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"

      - action: script
        args:
          hook: true
          code: |
            () => {
              window.alerts = [];

              logger = found => window.alerts.push(found);

              function getStackTrace() {
                var stack;
                try {
                  throw new Error('');
                } catch (error) {
                  stack = error.stack || '';
                }

                stack = stack.split('\n').map(line => line.trim());
                return stack.splice(stack[0] == 'Error' ? 2 : 1);
              }

              var oldSender = window.postMessage;

              window.postMessage = (data, origin) => {
                if (origin == '*') {
                  logger({stack: getStackTrace(), args: {data, origin}});
                  return oldSender.apply(this, arguments);
                }
              };
            }

      - args:
          url: "{{BaseURL}}"
        action: navigate
      - action: waitload

      - action: script
        name: alerts
        args:
          code: |
            () => { window.alerts }

    matchers:
      - type: word
        part: alerts
        words:
          - "at window.postMessage"

    extractors:
      - type: kval
        part: alerts
        kval:
          - alerts
# digest: 4a0a0047304502210087bf38a3b7ff49f3d2bb711691f3d2ca8d4d0c85403389cbf5b606ca0451d79202200ed2e0f54b4c713ae68f7401dcf1b9734dbda678ad44812e61b69cbae16ecf67:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "headless/postmessage-outgoing-tracker.yaml"

View on Github