Create hello.html#28
Open
maekuss wants to merge 1 commit into
Open
Conversation
⏭️ Hacktron Security Check — SkippedReason: PR review limit reached for this billing period. Spillover billing is available for this org but is not enabled.
|
![hacktron-app-stg[bot]](https://avatars.githubusercontent.com/in/1867296?s=60&v=4){kind=small}
Comment on lines
+1
to
+67
| <!doctype html> | ||
| <html lang="en"> | ||
| <head> | ||
| <meta charset="utf-8" /> | ||
| <meta http-equiv="X-UA-Compatible" content="IE=edge" /> | ||
| <meta name="viewport" content="width=device-width, initial-scale=1" /> | ||
| <title>Insecure postMessage without Origin Validation (VULNERABLE)</title> | ||
| <style> | ||
| body { font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Helvetica, Arial; margin: 2rem; line-height: 1.5; } | ||
| .card { border: 1px solid #e5e7eb; border-radius: 14px; padding: 1rem 1.25rem; box-shadow: 0 1px 4px rgba(0,0,0,0.06); } | ||
| code, pre { background: #f8fafc; border: 1px solid #e5e7eb; border-radius: 8px; padding: .25rem .5rem; } | ||
| pre { padding: .75rem 1rem; overflow: auto; } | ||
| .danger { color: #b91c1c; font-weight: 700; } | ||
| #output { min-height: 48px; border: 1px dashed #e5e7eb; border-radius: 10px; padding: .75rem; background: #ffffff; } | ||
| </style> | ||
| </head> | ||
| <body> | ||
| <h1>Insecure <code>postMessage</code> without Origin Validation <span class="danger">(VULNERABLE)</span></h1> | ||
| <p>This page intentionally demonstrates an insecure <code>message</code> event listener that <strong>does not validate <code>event.origin</code></strong> and blindly injects received content into the DOM.</p> | ||
|
|
||
| <div class="card" style="margin: 1rem 0;"> | ||
| <p><strong>Status</strong></p> | ||
| <p id="origin">Last message origin: <em>(none)</em></p> | ||
| <div id="output">No message yet.</div> | ||
| </div> | ||
|
|
||
| <script> | ||
| // VULNERABLE IMPLEMENTATION — DO NOT USE IN PRODUCTION | ||
| // This listener accepts messages from ANY origin and injects the data into the DOM without sanitization. | ||
| window.addEventListener('message', (event) => { | ||
| // Shows the origin but FAILS to validate it (critical bug) | ||
| document.getElementById('origin').textContent = 'Last message origin: ' + event.origin; | ||
|
|
||
| // Dangerous sink: direct innerHTML assignment of untrusted data | ||
| const incoming = typeof event.data === 'string' ? event.data : JSON.stringify(event.data); | ||
| document.getElementById('output').innerHTML = incoming; | ||
| }); | ||
| </script> | ||
|
|
||
| <hr /> | ||
| <h2>How to reproduce the issue</h2> | ||
| <ol> | ||
| <li>Open <em>this</em> file in your browser (served via any origin).</li> | ||
| <li>In the browser console, open a different-origin tab (e.g., <code>example.com</code>): | ||
| <pre>window.open('https://example.com', 'attacker');</pre> | ||
| </li> | ||
| <li>Switch to the console of the newly opened tab and run: | ||
| <pre>window.opener.postMessage('<img src=x onerror=alert(\'Injected via \n\' + location.origin + \n\' — NO ORIGIN CHECK!\')>', '*');</pre> | ||
| You should see an alert on the vulnerable page and the DOM content updated. | ||
| </li> | ||
| </ol> | ||
|
|
||
| <!-- | ||
| SECURE PATTERN (for reference only — intentionally not active): | ||
|
|
||
| window.addEventListener('message', (event) => { | ||
| const allowed = new Set(['https://trusted.example']); | ||
| if (!allowed.has(event.origin)) return; // Validate origin strictly | ||
|
|
||
| // Optionally, validate event.source as well and use structured, expected message shapes | ||
| // if (event.data && event.data.type === 'expected') { ... } | ||
|
|
||
| // Avoid dangerous sinks like innerHTML; prefer textContent or safe rendering | ||
| }); | ||
| --> | ||
| </body> | ||
| </html> |
There was a problem hiding this comment.
🔴 High: Insecure postMessage Origin Validation Leading to DOM-based XSS
The application implements a message event listener that fails to validate the event.origin property before processing the incoming event.data. Furthermore, it uses the innerHTML property to render the untrusted event.data directly into the DOM. This combination allows any malicious origin to execute arbitrary JavaScript in the context of the vulnerable page, leading to DOM-based Cross-Site Scripting (XSS). This vulnerability is present in index.html, hello.html, and test.html.
Steps to Reproduce
- Open the vulnerable file (e.g., hello.html) in a browser.
- Open the browser's developer tools console.
- Execute the following JavaScript: window.postMessage('
', '*');
- Observe that the alert executes, demonstrating successful XSS.
# This script demonstrates the payload that would be sent from a malicious origin.
# The attacker would execute this in a separate window/iframe that has a reference to the vulnerable page.
payload = "<img src=x onerror=alert('XSS_Executed')>"
# The vulnerable page listens to all origins ('*') and does not validate event.origin.
# window.postMessage(payload, '*');
print(f"Payload to send: {payload}")# No bash script required, use browser console.# No curl command required, this is a client-side browser vulnerability.PoC Url: https://example.com
Fix with AI
Fix the following security vulnerability found by Hacktron.
File: hello.html
Lines: 1-67
Severity: high
Vulnerability: Insecure postMessage Origin Validation Leading to DOM-based XSS
Description:
The application implements a `message` event listener that fails to validate the `event.origin` property before processing the incoming `event.data`. Furthermore, it uses the `innerHTML` property to render the untrusted `event.data` directly into the DOM. This combination allows any malicious origin to execute arbitrary JavaScript in the context of the vulnerable page, leading to DOM-based Cross-Site Scripting (XSS). This vulnerability is present in `index.html`, `hello.html`, and `test.html`.
Proof of Concept:
**Steps to Reproduce**
1. Open the vulnerable file (e.g., hello.html) in a browser.
2. Open the browser's developer tools console.
3. Execute the following JavaScript: window.postMessage('<img src=x onerror=alert(document.domain)>', '*');
4. Observe that the alert executes, demonstrating successful XSS.
```python
# This script demonstrates the payload that would be sent from a malicious origin.
# The attacker would execute this in a separate window/iframe that has a reference to the vulnerable page.
payload = "<img src=x onerror=alert('XSS_Executed')>"
# The vulnerable page listens to all origins ('*') and does not validate event.origin.
# window.postMessage(payload, '*');
print(f"Payload to send: {payload}")
```
```bash
# No bash script required, use browser console.
```
```bash
# No curl command required, this is a client-side browser vulnerability.
```
PoC Url: https://example.com
Affected Code:
window.addEventListener('message', (event) => {
// Shows the origin but FAILS to validate it (critical bug)
document.getElementById('origin').textContent = 'Last message origin: ' + event.origin;
// Dangerous sink: direct innerHTML assignment of untrusted data
const incoming = typeof event.data === 'string' ? event.data : JSON.stringify(event.data);
document.getElementById('output').innerHTML = incoming;
});
Fix this vulnerability. Only change what's necessary - don't modify unrelated code.
Triage: Reply !fp <reason> (false positive), !valid (confirmed), or !accepted_risk <reason>. Reason is optional but improves future scans — e.g. !fp internal endpoint, not user-facing. Any other reply is saved as a triage note.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.