Detections
Analytics
PostMessage Wildcard Event Listener Detected
info Web App Scanning Plugin ID 113851
Language:
Synopsis
PostMessage Wildcard Event Listener DetectedDescription
Web applications relying on JavaScript often need to perform cross-origin communication between `Window` objects such as a page and an embedded iframe or a popup window. The postMessage API allows developers to circumvent the same-origin policy restrictions in order to exchange data between scripts located on different origins.Depending on the application needs, messages event listeners could be added to use received messages in part of its logic. However, if the data received in these messages are used, for example, to build the page DOM, an attacker could leverage this issue to inject malicious data and conduct client-side attacks like Cross-Site Scripting (XSS) or Prototype Pollution.
Solution
Remove the message event listener if this is not needed in the application logic or verify that the message sender origin is matching with a trusted allowlist.See Also
https://blog.yeswehack.com/yeswerhackers/introduction-postmessage-vulnerabilities/
https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
Plugin Details
Severity: Info
ID: 113851
Type: remote
Family: Web Applications
Published: 5/5/2023
Updated: 5/5/2023
Scan Template: basic, full, pci, scan