Create test2.html#27
Open
maekuss wants to merge 1 commit into
Open
Conversation
⏭️ Hacktron Security Check — SkippedReason: PR review limit reached for this billing period. Spillover billing is available for this org but is not enabled.
|
![hacktron-app-stg[bot]](https://avatars.githubusercontent.com/in/1867296?s=60&v=4){kind=small}
Comment on lines
+1
to
+67
| <!doctype html> | ||
| <html lang="en"> | ||
| <head> | ||
| <meta charset="utf-8" /> | ||
| <meta http-equiv="X-UA-Compatible" content="IE=edge" /> | ||
| <meta name="viewport" content="width=device-width, initial-scale=1" /> | ||
| <title>Insecure postMessage without Origin Validation (VULNERABLE)</title> | ||
| <style> | ||
| body { font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Helvetica, Arial; margin: 2rem; line-height: 1.5; } | ||
| .card { border: 1px solid #e5e7eb; border-radius: 14px; padding: 1rem 1.25rem; box-shadow: 0 1px 4px rgba(0,0,0,0.06); } | ||
| code, pre { background: #f8fafc; border: 1px solid #e5e7eb; border-radius: 8px; padding: .25rem .5rem; } | ||
| pre { padding: .75rem 1rem; overflow: auto; } | ||
| .danger { color: #b91c1c; font-weight: 700; } | ||
| #output { min-height: 48px; border: 1px dashed #e5e7eb; border-radius: 10px; padding: .75rem; background: #ffffff; } | ||
| </style> | ||
| </head> | ||
| <body> | ||
| <h1>Insecure <code>postMessage</code> without Origin Validation <span class="danger">(VULNERABLE)</span></h1> | ||
| <p>This page intentionally demonstrates an insecure <code>message</code> event listener that <strong>does not validate <code>event.origin</code></strong> and blindly injects received content into the DOM.</p> | ||
|
|
||
| <div class="card" style="margin: 1rem 0;"> | ||
| <p><strong>Status</strong></p> | ||
| <p id="origin">Last message origin: <em>(none)</em></p> | ||
| <div id="output">No message yet.</div> | ||
| </div> | ||
|
|
||
| <script> | ||
| // VULNERABLE IMPLEMENTATION — DO NOT USE IN PRODUCTION | ||
| // This listener accepts messages from ANY origin and injects the data into the DOM without sanitization. | ||
| window.addEventListener('message', (event) => { | ||
| // Shows the origin but FAILS to validate it (critical bug) | ||
| document.getElementById('origin').textContent = 'Last message origin: ' + event.origin; | ||
|
|
||
| // Dangerous sink: direct innerHTML assignment of untrusted data | ||
| const incoming = typeof event.data === 'string' ? event.data : JSON.stringify(event.data); | ||
| document.getElementById('output').innerHTML = incoming; | ||
| }); | ||
| </script> | ||
|
|
||
| <hr /> | ||
| <h2>How to reproduce the issue</h2> | ||
| <ol> | ||
| <li>Open <em>this</em> file in your browser (served via any origin).</li> | ||
| <li>In the browser console, open a different-origin tab (e.g., <code>example.com</code>): | ||
| <pre>window.open('https://example.com', 'attacker');</pre> | ||
| </li> | ||
| <li>Switch to the console of the newly opened tab and run: | ||
| <pre>window.opener.postMessage('<img src=x onerror=alert(\'Injected via \n\' + location.origin + \n\' — NO ORIGIN CHECK!\')>', '*');</pre> | ||
| You should see an alert on the vulnerable page and the DOM content updated. | ||
| </li> | ||
| </ol> | ||
|
|
||
| <!-- | ||
| SECURE PATTERN (for reference only — intentionally not active): | ||
|
|
||
| window.addEventListener('message', (event) => { | ||
| const allowed = new Set(['https://trusted.example']); | ||
| if (!allowed.has(event.origin)) return; // Validate origin strictly | ||
|
|
||
| // Optionally, validate event.source as well and use structured, expected message shapes | ||
| // if (event.data && event.data.type === 'expected') { ... } | ||
|
|
||
| // Avoid dangerous sinks like innerHTML; prefer textContent or safe rendering | ||
| }); | ||
| --> | ||
| </body> | ||
| </html> |
There was a problem hiding this comment.
🔴 High: Missing Origin Validation in postMessage Listener
The message event listener in the application fails to validate the event.origin of incoming postMessage events. By accepting messages from any origin, the application fails to enforce a trust boundary, allowing any malicious website to interact with the application. The received data is then processed and injected into the DOM via innerHTML, which facilitates DOM-based Cross-Site Scripting (XSS) attacks.
Steps to Reproduce
- Open the vulnerable page (e.g., test2.html) in a browser.
- Open the browser's developer console.
- Execute: window.postMessage('<img src=x onerror=alert("XSS")>', '*');
- Observe that the alert triggers, confirming the lack of origin validation and the dangerous use of innerHTML.
# N/A: This is a client-side DOM-based vulnerability.# This script demonstrates how an attacker can exploit the lack of origin validation.
# The payload is sent to the vulnerable window, which executes the injected script.
window.opener.postMessage('<img src=x onerror=alert(\"XSS_VULNERABILITY_CONFIRMED\")>', '*');N/APoC Url: N/A
Fix with AI
Fix the following security vulnerability found by Hacktron.
File: test2.html
Lines: 1-67
Severity: high
Vulnerability: Missing Origin Validation in postMessage Listener
Description:
The message event listener in the application fails to validate the event.origin of incoming postMessage events. By accepting messages from any origin, the application fails to enforce a trust boundary, allowing any malicious website to interact with the application. The received data is then processed and injected into the DOM via innerHTML, which facilitates DOM-based Cross-Site Scripting (XSS) attacks.
Proof of Concept:
**Steps to Reproduce**
1. Open the vulnerable page (e.g., test2.html) in a browser.
2. Open the browser's developer console.
3. Execute: window.postMessage('<img src=x onerror=alert(\"XSS\")>', '*');
4. Observe that the alert triggers, confirming the lack of origin validation and the dangerous use of innerHTML.
```python
# N/A: This is a client-side DOM-based vulnerability.
```
```bash
# This script demonstrates how an attacker can exploit the lack of origin validation.
# The payload is sent to the vulnerable window, which executes the injected script.
window.opener.postMessage('<img src=x onerror=alert(\"XSS_VULNERABILITY_CONFIRMED\")>', '*');
```
```bash
N/A
```
PoC Url: N/A
Fix this vulnerability. Only change what's necessary - don't modify unrelated code.
Triage: Reply !fp <reason> (false positive), !valid (confirmed), or !accepted_risk <reason>. Reason is optional but improves future scans — e.g. !fp internal endpoint, not user-facing. Any other reply is saved as a triage note.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.