id: postmessage-outgoing-tracker info: name: Postmessage Outgoing Tracker author: LogicalHunter severity: info reference: - https://appcheck-ng.com/html5-cross-document-messaging-vulnerabilities/ tags: headless,postmessage headless: - steps: - action: setheader args: part: response key: Content-Security-Policy value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;" - action: script args: hook: true code: | (function() {window.alerts = []; function logger(found) { window.alerts.push(found); } function getStackTrace () { var stack; try { throw new Error(''); } catch (error) { stack = error.stack || ''; } stack = stack.split('\n').map(function (line) { return line.trim(); }); return stack.splice(stack[0] == 'Error' ? 2 : 1); } var oldSender = window.postMessage; window.postMessage = function(data, origin) { if(origin == '*'){ logger({stack: getStackTrace(), args: {data, origin}}); return oldSender.apply(this, arguments); } }; })(); - args: url: "{{BaseURL}}" action: navigate - action: waitload - action: script name: alerts args: code: "window.alerts" matchers: - type: word part: alerts words: - "at window.postMessage" extractors: - type: kval part: alerts kval: - alerts