PostMessage Wildcard Target Origin Detected

Web App Scanning Plugin ID 113837

Synopsis

PostMessage Wildcard Target Origin Detected

Description

Web applications relying on JavaScript often need to perform cross-origin communication between `Window` objects, such as a page and an embedded iframe or a popup window. The postMessage API allows developers to bypass the same-origin policy restrictions in order to exchange data between scripts located on different origins.
Depending on the application's needs, messages can be sent to the wildcard target origin `*`, which lets the receiving window read them whatever its current origin is. However, if the data sent through postMessage() is not intended to be public, an attacker could leverage this issue to capture sensitive data from the target web application.

Solution

Ensure that the messages sent through the postMessage() API are meant to be readable by any third party. If they are not, specify the exact target origin that should receive the messages instead of `*`.
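As an added example (not code from the plugin page), the weak wildcard call is shown next to the hardened one, with a guard that refuses `*` for sensitive payloads and the complementary receiver-side `event.origin` check from the MDN reference; `TRUSTED_ORIGIN` is an assumed partner origin and `fakeWindow` stands in for an iframe's `contentWindow` so the code runs outside a browser.

```javascript
// Assumed origin of the embedded frame we want to talk to (placeholder value).
const TRUSTED_ORIGIN = "https://widget.example.com";

// Weak: target origin "*" means the browser delivers the message to whatever
// document is currently loaded in the frame, even if it has been navigated
// to an unrelated origin. This is the pattern the plugin flags.
function sendTokenWeak(child, token) {
  child.postMessage({ type: "session", token }, "*");
}

// Hardened: the browser only delivers the message if the frame's current
// origin matches TRUSTED_ORIGIN; otherwise it is silently dropped.
function sendTokenHardened(child, token) {
  child.postMessage({ type: "session", token }, TRUSTED_ORIGIN);
}

// Runtime guard: allow "*" for genuinely public data, refuse it for anything
// the caller marks as sensitive.
function safePostMessage(target, data, targetOrigin, { sensitive = false } = {}) {
  if (sensitive && targetOrigin === "*") {
    throw new Error("refusing to send sensitive data to wildcard target origin");
  }
  target.postMessage(data, targetOrigin);
}

// Receiver side: verify event.origin before trusting event.data.
// Returns true if the message was accepted, false if it was ignored.
function makeMessageHandler(allowedOrigins, onData) {
  return function handler(event) {
    if (!allowedOrigins.includes(event.origin)) {
      return false; // unexpected sender: ignore the message
    }
    onData(event.data);
    return true;
  };
}

// Stub standing in for an iframe's contentWindow; records postMessage calls.
function fakeWindow() {
  const calls = [];
  return {
    calls,
    postMessage(data, targetOrigin) { calls.push({ data, targetOrigin }); },
  };
}
```

In a real page the handler is registered with `window.addEventListener("message", makeMessageHandler([TRUSTED_ORIGIN], useData))`.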

See Also

https://blog.yeswehack.com/yeswerhackers/introduction-postmessage-vulnerabilities/

https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage

Plugin Details

Severity: Info

ID: 113837

Type: remote

Published: 5/5/2023

Updated: 5/5/2023

Scan Template: basic, full, pci, scan