nuclei-templates/headless/postmessage-outgoing-tracke...

71 lines
1.7 KiB
YAML
Raw Normal View History

id: postmessage-outgoing-tracker
info:
name: Postmessage Outgoing Tracker
author: LogicalHunter
severity: info
reference:
- https://appcheck-ng.com/html5-cross-document-messaging-vulnerabilities/
tags: headless,postmessage
headless:
- steps:
- action: setheader
args:
part: response
key: Content-Security-Policy
value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"
- action: script
args:
hook: true
code: |
() => {
window.alerts = [];
logger = found => window.alerts.push(found);
function getStackTrace() {
var stack;
try {
throw new Error('');
} catch (error) {
stack = error.stack || '';
}
stack = stack.split('\n').map(line => line.trim());
return stack.splice(stack[0] == 'Error' ? 2 : 1);
}
var oldSender = window.postMessage;
window.postMessage = (data, origin) => {
if (origin == '*') {
logger({stack: getStackTrace(), args: {data, origin}});
return oldSender.apply(this, arguments);
}
};
}
- args:
url: "{{BaseURL}}"
action: navigate
- action: waitload
- action: script
name: alerts
args:
code: |
() => { window.alerts }
matchers:
- type: word
part: alerts
words:
- "at window.postMessage"
extractors:
- type: kval
part: alerts
kval:
- alerts