id: postmessage-outgoing-tracker

info:
  name: Postmessage Outgoing Tracker
  author: LogicalHunter
  severity: info
  reference: https://appcheck-ng.com/html5-cross-document-messaging-vulnerabilities/
  tags: headless,postmessage

headless:
  - steps:
      - action: setheader
        args:
          part: response
          key: Content-Security-Policy
          value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"
      - action: script
        args:
          hook: true
          code: |
            (function() {window.alerts = [];

            function logger(found) {
            	window.alerts.push(found);
            }

            function getStackTrace () {
              var stack;
              try {
                throw new Error('');
              }
              catch (error) {
                stack = error.stack || '';
              }
              stack = stack.split('\n').map(function (line) { return line.trim(); });
              return stack.splice(stack[0] == 'Error' ? 2 : 1);
            }

            var oldSender = window.postMessage;

            window.postMessage = function(data, origin) {
            if(origin == '*'){
                logger({stack: getStackTrace(), args: {data, origin}});
                return oldSender.apply(this, arguments);
                }
              };
            })();
      - args:
          url: "{{BaseURL}}"
        action: navigate
      - action: waitload
      - action: script
        name: alerts
        args:
          code: "window.alerts"
    matchers:
      - type: word
        part: alerts
        words:
          - "at window.postMessage"
    extractors:
      - type: kval
        part: alerts
        kval:
          - alerts