nuclei-templates/headless/postmessage-outgoing-tracke...

66 lines
1.7 KiB
YAML
Raw Normal View History

id: postmessage-outgoing-tracker
info:
name: Postmessage Outgoing Tracker
author: LogicalHunter
severity: info
reference:
- https://appcheck-ng.com/html5-cross-document-messaging-vulnerabilities/
tags: headless,postmessage
headless:
- steps:
- action: setheader
args:
part: response
key: Content-Security-Policy
value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"
- action: script
args:
hook: true
code: |
(function() {window.alerts = [];
function logger(found) {
window.alerts.push(found);
}
function getStackTrace () {
var stack;
try {
throw new Error('');
}
catch (error) {
stack = error.stack || '';
}
stack = stack.split('\n').map(function (line) { return line.trim(); });
return stack.splice(stack[0] == 'Error' ? 2 : 1);
}
var oldSender = window.postMessage;
window.postMessage = function(data, origin) {
if(origin == '*'){
logger({stack: getStackTrace(), args: {data, origin}});
return oldSender.apply(this, arguments);
}
};
})();
- args:
url: "{{BaseURL}}"
action: navigate
- action: waitload
- action: script
name: alerts
args:
code: "window.alerts"
matchers:
- type: word
part: alerts
words:
- "at window.postMessage"
extractors:
- type: kval
part: alerts
kval:
- alerts