id: postmessage-outgoing-tracker info: name: Postmessage Outgoing Tracker author: LogicalHunter severity: info reference: - https://appcheck-ng.com/html5-cross-document-messaging-vulnerabilities/ tags: headless,postmessage headless: - steps: - action: setheader args: part: response key: Content-Security-Policy value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;" - action: script args: hook: true code: | () => { window.alerts = []; logger = found => window.alerts.push(found); function getStackTrace() { var stack; try { throw new Error(''); } catch (error) { stack = error.stack || ''; } stack = stack.split('\n').map(line => line.trim()); return stack.splice(stack[0] == 'Error' ? 2 : 1); } var oldSender = window.postMessage; window.postMessage = (data, origin) => { if (origin == '*') { logger({stack: getStackTrace(), args: {data, origin}}); return oldSender.apply(this, arguments); } }; } - args: url: "{{BaseURL}}" action: navigate - action: waitload - action: script name: alerts args: code: | () => { window.alerts } matchers: - type: word part: alerts words: - "at window.postMessage" extractors: - type: kval part: alerts kval: - alerts # digest: 4b0a0048304602210086257806d07e03db948397827002ce802d2268c9b897c1a4e71ade20b22b222202210094f84b0a083d95efd50b36f5fd9765eae6ccb657332c21af2ded2d6f754bce13:922c64590222798bb761d5b6d8e72950