https://blog.yeswehack.com/yeswerhackers/introduction-postmessage-vulnerabilities/

The window.postMessage() method lets an application perform cross-origin communication between different window objects (for example a page and an iframe it embeds, or a page and a popup it opened). It provides a way to securely circumvent the restrictions of the Same Origin Policy, but only if both the sender and the receiver use it correctly.

https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage

"window.postMessage() provides a controlled mechanism to securely circumvent this restriction (if used properly)." – LOL

Syntax:

  • postMessage(message, targetOrigin, transfer)

Always provide a specific targetOrigin, not *. A malicious site can change the location of the target window without your knowledge and can therefore intercept the data sent using postMessage. If you do not expect to receive messages from other sites, do not add any event listeners for message events.

If you do expect to receive messages from other sites, always verify the sender's identity using the origin property (exact match against an allow list) and, where possible, the source property (the exact window object you expect). Any window (including, for example, http://evil.example.com) can send a message to any other window, and you have no guarantee that an unknown sender will not send malicious messages.

To assess (or exploit) a postMessage handler you need to trace the execution flow from the message listener to the place where event.data is consumed.

Read the JavaScript and identify all the message listeners.

Look for code lines containing postMessage() and addEventListener("message", ...).

MessPostage browser extension

DevTools: the Global Listeners feature (Event Listeners pane)

Posta - Tool

PMHook - Tool

https://github.com/fransr/postMessage-tracker

Failure to specify an origin check (vulnerable pattern: the callback processes e.data from any origin):

window.addEventListener("message", callback, true);
function callback(e) {
  /* process message (e.data) without ever checking e.origin or e.source,
     so any window that can obtain a reference to this one reaches this code */
}

Allow list (origin check against a fixed trusted origin):

function receiveMessage(event)
{
  // Do we trust the sender of this message?
  if (event.origin !== "http://siteA.example.com") {
    // Untrusted!
    return;
  } else {
    /* process message (event.data) */
  }
}
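The following is an added example, not code from the YesWeHack post, that puts the receiver-side advice above (exact origin allow list plus a source check, event.data treated as untrusted input) and the sender-side advice (never use a targetOrigin of *) into one runnable file. Browser MessageEvents are stood in for by constructed plain objects with the same origin/source/data fields so the checks can be run under Node; the origins siteA.example.com and widget.example.com are hypothetical.

```javascript
// Added example (not the blog post's code): hardened postMessage receiver and
// sender. In a page the handler would be registered with
// window.addEventListener("message", handler); here events are constructed
// objects with the same fields (origin, source, data) so this runs in Node.

// Allow list of full origins (scheme + host + port). Hypothetical values.
const ALLOWED_ORIGINS = new Set([
  "https://siteA.example.com",
  "https://widget.example.com",
]);

// Build a message handler bound to an allow list and, optionally, to the
// exact window object messages are expected from (e.g. iframe.contentWindow).
function makeMessageHandler({ allowedOrigins, expectedSource = null, onMessage }) {
  return function handler(event) {
    // 1. Origin: exact string comparison against the allow list. Never use
    //    startsWith/includes/indexOf, which would accept
    //    "https://siteA.example.com.evil.example".
    if (!allowedOrigins.has(event.origin)) {
      return { accepted: false, reason: "untrusted origin" };
    }
    // 2. Source: a trusted origin can still be a different window; when we
    //    created the frame or popup ourselves, pin to that window object.
    if (expectedSource !== null && event.source !== expectedSource) {
      return { accepted: false, reason: "unexpected source window" };
    }
    // 3. Payload: event.data is attacker-influenced input even from a trusted
    //    origin; validate its shape before acting on it.
    if (typeof event.data !== "object" || event.data === null ||
        typeof event.data.type !== "string") {
      return { accepted: false, reason: "malformed payload" };
    }
    return { accepted: true, result: onMessage(event.data) };
  };
}

// Sender side: refuse the wildcard targetOrigin so the message is only
// delivered if the target window is still at the origin we expect.
// `target` exposes postMessage(message, targetOrigin) like a contentWindow.
function sendMessage(target, message, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing to postMessage with targetOrigin '*'");
  }
  target.postMessage(message, targetOrigin);
  return true;
}

// Constructed stand-in for a frame's contentWindow that records deliveries.
function makeFakeWindow() {
  const received = [];
  return {
    received,
    postMessage(message, targetOrigin) {
      received.push({ message, targetOrigin });
    },
  };
}

// Demo driver: one trusted frame, a handler pinned to it, and four events.
function demo() {
  const frame = makeFakeWindow();
  const handler = makeMessageHandler({
    allowedOrigins: ALLOWED_ORIGINS,
    expectedSource: frame,
    onMessage: (data) => `handled:${data.type}`,
  });

  const fromTrusted = handler({ origin: "https://siteA.example.com",
                                source: frame, data: { type: "ping" } });
  const fromEvil = handler({ origin: "https://evil.example.com",
                             source: frame, data: { type: "ping" } });
  const fromLookalike = handler({ origin: "https://siteA.example.com.evil.example",
                                  source: frame, data: { type: "ping" } });
  const wrongWindow = handler({ origin: "https://siteA.example.com",
                                source: {}, data: { type: "ping" } });

  sendMessage(frame, { type: "init" }, "https://widget.example.com");
  return { fromTrusted, fromEvil, fromLookalike, wrongWindow, sent: frame.received };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the file prints the four handler verdicts: only the event with the allow-listed origin and the pinned source window is accepted; the look-alike origin and the foreign window object are rejected, and sendMessage throws if handed a targetOrigin of *.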

Java fun or …