PostMessage Wildcard Event Listener Detected

info Web App Scanning Plugin ID 113851

Synopsis

PostMessage Wildcard Event Listener Detected

Description

Web applications relying on JavaScript often need to perform cross-origin communication between `Window` objects such as a page and an embedded iframe or a popup window. The postMessage API allows developers to circumvent the same-origin policy restrictions in order to exchange data between scripts located on different origins.
Depending on the application's needs, message event listeners may be added so that received messages are used as part of its logic. However, if the data received in these messages is used, for example, to build the page DOM, an attacker could leverage a listener that accepts messages from any origin to inject malicious data and conduct client-side attacks such as Cross-Site Scripting (XSS) or Prototype Pollution.

Solution

Remove the message event listener if it is not needed by the application logic, or verify that the message sender's origin (`event.origin`) matches an entry in a trusted allowlist before the message data is used.
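As an added example (not code from the scanner or from any application the plugin describes), the listener below contrasts the wildcard pattern this plugin flags with a handler that checks `event.origin` against an exact-match allowlist and validates the message shape before anything reaches the DOM. The origins, the message format (`{ type, text }`) and the helper names (`makeMessageHandler`, `triageSampleEvents`) are assumptions chosen for the example; the sample events are constructed to stand in for real `MessageEvent` objects so the logic can run outside a browser.

```javascript
// Assumed allowlist of origins this page is willing to accept messages from.
// Origins are compared exactly: scheme, host and port, no trailing path.
const TRUSTED_ORIGINS = new Set([
  'https://app.example.com',
  'https://widgets.example.com',
]);

// Constructed sample events shaped like MessageEvent (origin + data).
// The 'null' origin is what a sandboxed iframe or a file: page sends.
const SAMPLE_EVENTS = [
  { origin: 'https://app.example.com', data: { type: 'greet', text: 'hello' } },
  { origin: 'https://app.example.com.attacker.example', data: { type: 'greet', text: 'lookalike host' } },
  { origin: 'https://untrusted.example.net', data: { type: 'greet', text: '<b>injected markup</b>' } },
  { origin: 'null', data: { type: 'greet', text: 'from a sandboxed frame' } },
];

// Wildcard pattern the plugin reports: every sender is trusted and the payload
// is turned straight into HTML. Kept here only as the "before" for comparison.
function unsafeHandler(event) {
  return { accepted: true, html: `<p>${event.data.text}</p>` };
}

// Hardened pattern: exact-match allowlist plus a schema check on the data.
// Note that a prefix test such as event.origin.startsWith('https://app.example.com')
// would also accept the lookalike host above; Set.has() avoids that mistake.
function makeMessageHandler(trustedOrigins) {
  return function handleMessage(event) {
    if (!trustedOrigins.has(event.origin)) {
      return { accepted: false, reason: `untrusted origin: ${event.origin}` };
    }
    const data = event.data;
    if (data === null || typeof data !== 'object' ||
        data.type !== 'greet' || typeof data.text !== 'string') {
      return { accepted: false, reason: 'unexpected message shape' };
    }
    // Return plain text; the caller writes it with textContent, never innerHTML.
    return { accepted: true, text: data.text };
  };
}

// Runs the hardened handler over the constructed events and reports each verdict.
function triageSampleEvents() {
  const handle = makeMessageHandler(TRUSTED_ORIGINS);
  return SAMPLE_EVENTS.map((event) => ({ origin: event.origin, ...handle(event) }));
}

// Browser registration (skipped when run under Node, where window is undefined).
if (typeof window !== 'undefined') {
  const handle = makeMessageHandler(TRUSTED_ORIGINS);
  window.addEventListener('message', (event) => {
    const result = handle(event);
    if (!result.accepted) {
      console.warn('dropped postMessage:', result.reason);
      return;
    }
    // textContent keeps the value as text even if it contains markup.
    document.getElementById('greeting').textContent = result.text;
  });
} else {
  for (const verdict of triageSampleEvents()) {
    console.log(verdict);
  }
}
```

When reviewing a finding from this plugin, the two things to look for in the listener are an origin comparison against a fixed allowlist (exact match, not a substring or prefix test) and a check that the message has the shape the page expects; a listener that has both and writes text rather than HTML can keep the `message` registration and be treated as an accepted risk.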

See Also

https://blog.yeswehack.com/yeswerhackers/introduction-postmessage-vulnerabilities/

https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage

Plugin Details

Severity: Info

ID: 113851

Type: remote

Published: 5/5/2023

Updated: 5/5/2023

Scan Template: basic, full, pci, scan