id: postmessage-outgoing-tracker info: name: Postmessage Outgoing Tracker author: LogicalHunter severity: info reference: - https://appcheck-ng.com/html5-cross-document-messaging-vulnerabilities/ tags: headless,postmessage headless: - steps: - action: setheader args: part: response key: Content-Security-Policy value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;" - action: script args: hook: true code: | () => { window.alerts = []; logger = found => window.alerts.push(found); function getStackTrace() { var stack; try { throw new Error(''); } catch (error) { stack = error.stack || ''; } stack = stack.split('\n').map(line => line.trim()); return stack.splice(stack[0] == 'Error' ? 2 : 1); } var oldSender = window.postMessage; window.postMessage = (data, origin) => { if (origin == '*') { logger({stack: getStackTrace(), args: {data, origin}}); return oldSender.apply(this, arguments); } }; } - args: url: "{{BaseURL}}" action: navigate - action: waitload - action: script name: alerts args: code: window.alerts matchers: - type: word part: alerts words: - "at window.postMessage" extractors: - type: kval part: alerts kval: - alerts