nuclei-templates/headless/postmessage-outgoing-tracke...

id: postmessage-outgoing-tracker

info:
  name: Postmessage Outgoing Tracker
  author: LogicalHunter
  severity: info
  reference:
    - https://appcheck-ng.com/html5-cross-document-messaging-vulnerabilities/
  tags: headless,postmessage

headless:
  - steps:
      - action: setheader
        args:
          part: response
          key: Content-Security-Policy
          value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"

      - action: script
        args:
          hook: true
          code: |
            () => {
              window.alerts = [];

              logger = found => window.alerts.push(found);

              function getStackTrace() {
                var stack;
                try {
                  throw new Error('');
                } catch (error) {
                  stack = error.stack || '';
                }

                stack = stack.split('\n').map(line => line.trim());
                return stack.splice(stack[0] == 'Error' ? 2 : 1);
              }

              var oldSender = window.postMessage;

              window.postMessage = (data, origin) => {
                if (origin == '*') {
                  logger({stack: getStackTrace(), args: {data, origin}});
                  return oldSender.apply(this, arguments);
                }
              };
            }

      - args:
          url: "{{BaseURL}}"
        action: navigate
      - action: waitload

      - action: script
        name: alerts
        args:
          code: |
            () => { window.alerts }

    matchers:
      - type: word
        part: alerts
        words:
          - "at window.postMessage"

    extractors:
      - type: kval
        part: alerts
        kval:
          - alerts
Add postMessage outgoing tracker (#3464) 2022-01-03 07:51:44 +00:00			`id: postmessage-outgoing-tracker`

			`info:`
			`name: Postmessage Outgoing Tracker`
			`author: LogicalHunter`
			`severity: info`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`reference:`
			`- https://appcheck-ng.com/html5-cross-document-messaging-vulnerabilities/`
Add postMessage outgoing tracker (#3464) 2022-01-03 07:51:44 +00:00			`tags: headless,postmessage`

			`headless:`
			`- steps:`
			`- action: setheader`
			`args:`
			`part: response`
			`key: Content-Security-Policy`
			`value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"`
misc fixes to headless template (#5239) 2022-08-29 09:10:50 +00:00
Add postMessage outgoing tracker (#3464) 2022-01-03 07:51:44 +00:00			`- action: script`
			`args:`
			`hook: true`
			`code: \|`
Fix code execution in headless templates (#4484) * Wrapping the JS code with a function https://github.com/projectdiscovery/nuclei/issues/2017 * Wrapping the JS code with a function https://github.com/projectdiscovery/nuclei/issues/2017 2022-07-28 11:21:08 +00:00			`() => {`
			`window.alerts = [];`
Add postMessage outgoing tracker (#3464) 2022-01-03 07:51:44 +00:00
Fix code execution in headless templates (#4484) * Wrapping the JS code with a function https://github.com/projectdiscovery/nuclei/issues/2017 * Wrapping the JS code with a function https://github.com/projectdiscovery/nuclei/issues/2017 2022-07-28 11:21:08 +00:00			`logger = found => window.alerts.push(found);`
Add postMessage outgoing tracker (#3464) 2022-01-03 07:51:44 +00:00
Fix code execution in headless templates (#4484) * Wrapping the JS code with a function https://github.com/projectdiscovery/nuclei/issues/2017 * Wrapping the JS code with a function https://github.com/projectdiscovery/nuclei/issues/2017 2022-07-28 11:21:08 +00:00			`function getStackTrace() {`
			`var stack;`
			`try {`
			`throw new Error('');`
			`} catch (error) {`
			`stack = error.stack \|\| '';`
			`}`

			`stack = stack.split('\n').map(line => line.trim());`
			`return stack.splice(stack[0] == 'Error' ? 2 : 1);`
Add postMessage outgoing tracker (#3464) 2022-01-03 07:51:44 +00:00			`}`

Fix code execution in headless templates (#4484) * Wrapping the JS code with a function https://github.com/projectdiscovery/nuclei/issues/2017 * Wrapping the JS code with a function https://github.com/projectdiscovery/nuclei/issues/2017 2022-07-28 11:21:08 +00:00			`var oldSender = window.postMessage;`
Add postMessage outgoing tracker (#3464) 2022-01-03 07:51:44 +00:00
Fix code execution in headless templates (#4484) * Wrapping the JS code with a function https://github.com/projectdiscovery/nuclei/issues/2017 * Wrapping the JS code with a function https://github.com/projectdiscovery/nuclei/issues/2017 2022-07-28 11:21:08 +00:00			`window.postMessage = (data, origin) => {`
			`if (origin == '*') {`
			`logger({stack: getStackTrace(), args: {data, origin}});`
			`return oldSender.apply(this, arguments);`
Add postMessage outgoing tracker (#3464) 2022-01-03 07:51:44 +00:00			`}`
			`};`
Fix code execution in headless templates (#4484) * Wrapping the JS code with a function https://github.com/projectdiscovery/nuclei/issues/2017 * Wrapping the JS code with a function https://github.com/projectdiscovery/nuclei/issues/2017 2022-07-28 11:21:08 +00:00			`}`
misc fixes to headless template (#5239) 2022-08-29 09:10:50 +00:00
Add postMessage outgoing tracker (#3464) 2022-01-03 07:51:44 +00:00			`- args:`
			`url: "{{BaseURL}}"`
			`action: navigate`
			`- action: waitload`
misc fixes to headless template (#5239) 2022-08-29 09:10:50 +00:00
Add postMessage outgoing tracker (#3464) 2022-01-03 07:51:44 +00:00			`- action: script`
			`name: alerts`
			`args:`
misc fixes to headless template (#5239) 2022-08-29 09:10:50 +00:00			`code: \|`
			`() => { window.alerts }`

Add postMessage outgoing tracker (#3464) 2022-01-03 07:51:44 +00:00			`matchers:`
			`- type: word`
			`part: alerts`
			`words:`
			`- "at window.postMessage"`
misc fixes to headless template (#5239) 2022-08-29 09:10:50 +00:00
Add postMessage outgoing tracker (#3464) 2022-01-03 07:51:44 +00:00			`extractors:`
			`- type: kval`
			`part: alerts`
			`kval:`
			`- alerts`