65 lines
1.7 KiB
YAML
65 lines
1.7 KiB
YAML
id: postmessage-outgoing-tracker
|
|
|
|
info:
|
|
name: Postmessage Outgoing Tracker
|
|
author: LogicalHunter
|
|
severity: info
|
|
reference:
|
|
- https://appcheck-ng.com/html5-cross-document-messaging-vulnerabilities/
|
|
tags: headless,postmessage
|
|
|
|
headless:
|
|
- steps:
|
|
- action: setheader
|
|
args:
|
|
part: response
|
|
key: Content-Security-Policy
|
|
value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"
|
|
- action: script
|
|
args:
|
|
hook: true
|
|
code: |
|
|
() => {
|
|
window.alerts = [];
|
|
|
|
logger = found => window.alerts.push(found);
|
|
|
|
function getStackTrace() {
|
|
var stack;
|
|
try {
|
|
throw new Error('');
|
|
} catch (error) {
|
|
stack = error.stack || '';
|
|
}
|
|
|
|
stack = stack.split('\n').map(line => line.trim());
|
|
return stack.splice(stack[0] == 'Error' ? 2 : 1);
|
|
}
|
|
|
|
var oldSender = window.postMessage;
|
|
|
|
window.postMessage = (data, origin) => {
|
|
if (origin == '*') {
|
|
logger({stack: getStackTrace(), args: {data, origin}});
|
|
return oldSender.apply(this, arguments);
|
|
}
|
|
};
|
|
}
|
|
- args:
|
|
url: "{{BaseURL}}"
|
|
action: navigate
|
|
- action: waitload
|
|
- action: script
|
|
name: alerts
|
|
args:
|
|
code: window.alerts
|
|
matchers:
|
|
- type: word
|
|
part: alerts
|
|
words:
|
|
- "at window.postMessage"
|
|
extractors:
|
|
- type: kval
|
|
part: alerts
|
|
kval:
|
|
- alerts |