2022-01-03 07:51:44 +00:00
|
|
|
id: postmessage-outgoing-tracker
|
|
|
|
|
|
|
|
info:
|
|
|
|
name: Postmessage Outgoing Tracker
|
|
|
|
author: LogicalHunter
|
|
|
|
severity: info
|
2022-04-22 10:38:41 +00:00
|
|
|
reference:
|
|
|
|
- https://appcheck-ng.com/html5-cross-document-messaging-vulnerabilities/
|
2022-01-03 07:51:44 +00:00
|
|
|
tags: headless,postmessage
|
|
|
|
|
|
|
|
headless:
|
|
|
|
- steps:
|
|
|
|
- action: setheader
|
|
|
|
args:
|
|
|
|
part: response
|
|
|
|
key: Content-Security-Policy
|
|
|
|
value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"
|
|
|
|
- action: script
|
|
|
|
args:
|
|
|
|
hook: true
|
|
|
|
code: |
|
|
|
|
(function() {window.alerts = [];
|
|
|
|
|
|
|
|
function logger(found) {
|
|
|
|
window.alerts.push(found);
|
|
|
|
}
|
|
|
|
|
|
|
|
function getStackTrace () {
|
|
|
|
var stack;
|
|
|
|
try {
|
|
|
|
throw new Error('');
|
|
|
|
}
|
|
|
|
catch (error) {
|
|
|
|
stack = error.stack || '';
|
|
|
|
}
|
|
|
|
stack = stack.split('\n').map(function (line) { return line.trim(); });
|
|
|
|
return stack.splice(stack[0] == 'Error' ? 2 : 1);
|
|
|
|
}
|
|
|
|
|
|
|
|
var oldSender = window.postMessage;
|
|
|
|
|
|
|
|
window.postMessage = function(data, origin) {
|
|
|
|
if(origin == '*'){
|
|
|
|
logger({stack: getStackTrace(), args: {data, origin}});
|
|
|
|
return oldSender.apply(this, arguments);
|
|
|
|
}
|
|
|
|
};
|
|
|
|
})();
|
|
|
|
- args:
|
|
|
|
url: "{{BaseURL}}"
|
|
|
|
action: navigate
|
|
|
|
- action: waitload
|
|
|
|
- action: script
|
|
|
|
name: alerts
|
|
|
|
args:
|
|
|
|
code: "window.alerts"
|
|
|
|
matchers:
|
|
|
|
- type: word
|
|
|
|
part: alerts
|
|
|
|
words:
|
|
|
|
- "at window.postMessage"
|
|
|
|
extractors:
|
|
|
|
- type: kval
|
|
|
|
part: alerts
|
|
|
|
kval:
|
|
|
|
- alerts
|