Add insecure postMessage example in index1.html#25
Open
maekuss wants to merge 1 commit into
Open
Conversation
This HTML file demonstrates an insecure postMessage implementation that lacks origin validation, allowing potential cross-site scripting (XSS) vulnerabilities.
⏭️ Hacktron Security Check — SkippedReason: PR review limit reached for this billing period. Spillover billing is available for this org but is not enabled.
|
![hacktron-app-stg[bot]](https://avatars.githubusercontent.com/in/1867296?s=60&v=4){kind=small}
Comment on lines
+1
to
+67
| <!doctype html> | ||
| <html lang="en"> | ||
| <head> | ||
| <meta charset="utf-8" /> | ||
| <meta http-equiv="X-UA-Compatible" content="IE=edge" /> | ||
| <meta name="viewport" content="width=device-width, initial-scale=1" /> | ||
| <title>Insecure postMessage without Origin Validation (VULNERABLE)</title> | ||
| <style> | ||
| body { font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Helvetica, Arial; margin: 2rem; line-height: 1.5; } | ||
| .card { border: 1px solid #e5e7eb; border-radius: 14px; padding: 1rem 1.25rem; box-shadow: 0 1px 4px rgba(0,0,0,0.06); } | ||
| code, pre { background: #f8fafc; border: 1px solid #e5e7eb; border-radius: 8px; padding: .25rem .5rem; } | ||
| pre { padding: .75rem 1rem; overflow: auto; } | ||
| .danger { color: #b91c1c; font-weight: 700; } | ||
| #output { min-height: 48px; border: 1px dashed #e5e7eb; border-radius: 10px; padding: .75rem; background: #ffffff; } | ||
| </style> | ||
| </head> | ||
| <body> | ||
| <h1>Insecure <code>postMessage</code> without Origin Validation <span class="danger">(VULNERABLE)</span></h1> | ||
| <p>This page intentionally demonstrates an insecure <code>message</code> event listener that <strong>does not validate <code>event.origin</code></strong> and blindly injects received content into the DOM.</p> | ||
|
|
||
| <div class="card" style="margin: 1rem 0;"> | ||
| <p><strong>Status</strong></p> | ||
| <p id="origin">Last message origin: <em>(none)</em></p> | ||
| <div id="output">No message yet.</div> | ||
| </div> | ||
|
|
||
| <script> | ||
| // VULNERABLE IMPLEMENTATION — DO NOT USE IN PRODUCTION | ||
| // This listener accepts messages from ANY origin and injects the data into the DOM without sanitization. | ||
| window.addEventListener('message', (event) => { | ||
| // Shows the origin but FAILS to validate it (critical bug) | ||
| document.getElementById('origin').textContent = 'Last message origin: ' + event.origin; | ||
|
|
||
| // Dangerous sink: direct innerHTML assignment of untrusted data | ||
| const incoming = typeof event.data === 'string' ? event.data : JSON.stringify(event.data); | ||
| document.getElementById('output').innerHTML = incoming; | ||
| }); | ||
| </script> | ||
|
|
||
| <hr /> | ||
| <h2>How to reproduce the issue</h2> | ||
| <ol> | ||
| <li>Open <em>this</em> file in your browser (served via any origin).</li> | ||
| <li>In the browser console, open a different-origin tab (e.g., <code>example.com</code>): | ||
| <pre>window.open('https://example.com', 'attacker');</pre> | ||
| </li> | ||
| <li>Switch to the console of the newly opened tab and run: | ||
| <pre>window.opener.postMessage('<img src=x onerror=alert(\'Injected via \n\' + location.origin + \n\' — NO ORIGIN CHECK!\')>', '*');</pre> | ||
| You should see an alert on the vulnerable page and the DOM content updated. | ||
| </li> | ||
| </ol> | ||
|
|
||
| <!-- | ||
| SECURE PATTERN (for reference only — intentionally not active): | ||
|
|
||
| window.addEventListener('message', (event) => { | ||
| const allowed = new Set(['https://trusted.example']); | ||
| if (!allowed.has(event.origin)) return; // Validate origin strictly | ||
|
|
||
| // Optionally, validate event.source as well and use structured, expected message shapes | ||
| // if (event.data && event.data.type === 'expected') { ... } | ||
|
|
||
| // Avoid dangerous sinks like innerHTML; prefer textContent or safe rendering | ||
| }); | ||
| --> | ||
| </body> | ||
| </html> |
There was a problem hiding this comment.
🔴 High: Origin Validation Bypass and DOM XSS via postMessage
The application implements a window.addEventListener('message', ...) listener that processes messages from any origin without validating the event.origin property. This allows any malicious website to send arbitrary messages to the application. Furthermore, the application directly assigns the event.data to the innerHTML property of a DOM element, leading to a Cross-Site Scripting (XSS) vulnerability. This bypasses the browser's Same-Origin Policy (SOP) boundary, which is intended to protect the application from untrusted cross-origin interactions.
Steps to Reproduce
- Open index1.html in a browser.
- Open a separate tab in the same browser (e.g., example.com).
- In the console of the second tab, run: window.opener.postMessage('<img src=x onerror=alert("XSS")>', '*');
- Observe the alert on the vulnerable page.
# No python script required, this is a browser-based vulnerability.# No bash script required, this is a browser-based vulnerability.
# To trigger:
# 1. Open index1.html in a browser.
# 2. In the console of another tab, execute:
# window.opener.postMessage('<img src=x onerror=alert("XSS")>', '*');N/APoC Url: N/A
Fix with AI
Fix the following security vulnerability found by Hacktron.
File: index1.html
Lines: 1-67
Severity: high
Vulnerability: Origin Validation Bypass and DOM XSS via postMessage
Description:
The application implements a window.addEventListener('message', ...) listener that processes messages from any origin without validating the event.origin property. This allows any malicious website to send arbitrary messages to the application. Furthermore, the application directly assigns the event.data to the innerHTML property of a DOM element, leading to a Cross-Site Scripting (XSS) vulnerability. This bypasses the browser's Same-Origin Policy (SOP) boundary, which is intended to protect the application from untrusted cross-origin interactions.
Proof of Concept:
**Steps to Reproduce**
1. Open index1.html in a browser.
2. Open a separate tab in the same browser (e.g., example.com).
3. In the console of the second tab, run: window.opener.postMessage('<img src=x onerror=alert("XSS")>', '*');
4. Observe the alert on the vulnerable page.
```python
# No python script required, this is a browser-based vulnerability.
```
```bash
# No bash script required, this is a browser-based vulnerability.
# To trigger:
# 1. Open index1.html in a browser.
# 2. In the console of another tab, execute:
# window.opener.postMessage('<img src=x onerror=alert("XSS")>', '*');
```
```bash
N/A
```
PoC Url: N/A
Affected Code:
window.addEventListener('message', (event) => {
// Shows the origin but FAILS to validate it (critical bug)
document.getElementById('origin').textContent = 'Last message origin: ' + event.origin;
// Dangerous sink: direct innerHTML assignment of untrusted data
const incoming = typeof event.data === 'string' ? event.data : JSON.stringify(event.data);
document.getElementById('output').innerHTML = incoming;
});
Fix this vulnerability. Only change what's necessary - don't modify unrelated code.
Triage: Reply !fp <reason> (false positive), !valid (confirmed), or !accepted_risk <reason>. Reason is optional but improves future scans — e.g. !fp internal endpoint, not user-facing. Any other reply is saved as a triage note.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This HTML file demonstrates an insecure postMessage implementation that lacks origin validation, allowing potential cross-site scripting (XSS) vulnerabilities.