id: postmessage-outgoing-tracker

info:
  name: Postmessage Outgoing Tracker
  author: LogicalHunter
  severity: info
  reference:
    - https://appcheck-ng.com/html5-cross-document-messaging-vulnerabilities/
  tags: headless,postmessage

headless:
  - steps:
      - action: setheader
        args:
          part: response
          key: Content-Security-Policy
          value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"

      - action: script
        args:
          hook: true
          code: |
            () => {
              window.alerts = [];

              logger = found => window.alerts.push(found);

              function getStackTrace() {
                var stack;
                try {
                  throw new Error('');
                } catch (error) {
                  stack = error.stack || '';
                }

                stack = stack.split('\n').map(line => line.trim());
                return stack.splice(stack[0] == 'Error' ? 2 : 1);
              }

              var oldSender = window.postMessage;

              window.postMessage = (data, origin) => {
                if (origin == '*') {
                  logger({stack: getStackTrace(), args: {data, origin}});
                  return oldSender.apply(this, arguments);
                }
              };
            }

      - args:
          url: "{{BaseURL}}"
        action: navigate
      - action: waitload

      - action: script
        name: alerts
        args:
          code: |
            () => { window.alerts }

    matchers:
      - type: word
        part: alerts
        words:
          - "at window.postMessage"

    extractors:
      - type: kval
        part: alerts
        kval:
          - alerts
# digest: 4b0a0048304602210086257806d07e03db948397827002ce802d2268c9b897c1a4e71ade20b22b222202210094f84b0a083d95efd50b36f5fd9765eae6ccb657332c21af2ded2d6f754bce13:922c64590222798bb761d5b6d8e72950