Skip to content

Add test.html for insecure postMessage example #13

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
maekuss wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add test.html for insecure postMessage example #13

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 67 additions & 0 deletions test.html
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Insecure postMessage without Origin Validation (VULNERABLE)</title>
<style>
body { font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Helvetica, Arial; margin: 2rem; line-height: 1.5; }
.card { border: 1px solid #e5e7eb; border-radius: 14px; padding: 1rem 1.25rem; box-shadow: 0 1px 4px rgba(0,0,0,0.06); }
code, pre { background: #f8fafc; border: 1px solid #e5e7eb; border-radius: 8px; padding: .25rem .5rem; }
pre { padding: .75rem 1rem; overflow: auto; }
.danger { color: #b91c1c; font-weight: 700; }
#output { min-height: 48px; border: 1px dashed #e5e7eb; border-radius: 10px; padding: .75rem; background: #ffffff; }
</style>
</head>
<body>
<h1>Insecure <code>postMessage</code> without Origin Validation <span class="danger">(VULNERABLE)</span></h1>
<p>This page intentionally demonstrates an insecure <code>message</code> event listener that <strong>does not validate <code>event.origin</code></strong> and blindly injects received content into the DOM.</p>

<div class="card" style="margin: 1rem 0;">
<p><strong>Status</strong></p>
<p id="origin">Last message origin: <em>(none)</em></p>
<div id="output">No message yet.</div>
</div>

<script>
// VULNERABLE IMPLEMENTATION — DO NOT USE IN PRODUCTION

Check failure on line 28 in test.html

View check run for this annotation

Hacktron App (DEV) / Hacktron Security Check

Missing Origin Validation in postMessage Event Listener (Batch 5) 

The message event listener does not validate event.origin before processing messages. This allows any origin to send messages to this page, enabling cross-origin attacks and XSS.

Affected Code:
```
window.addEventListener('message', (event) => {
```
Raw output 
**Category:** vulnerability
**Severity:** CRITICAL
**File:** test.html:28

**Proof of Concept:**
An attacker from any origin can send malicious messages: window.opener.postMessage('<img src=x onerror=alert(1)>', '*')

**Finding ID:** a50e8400-e29b-41d4-a716-446655440071
// This listener accepts messages from ANY origin and injects the data into the DOM without sanitization.
window.addEventListener('message', (event) => {

Check notice on line 30 in test.html

View check run for this annotation

Hacktron App (DEV) / Hacktron Security Check

Origin Information Displayed Without Proper Validation (Batch 5) 

The application displays origin information in the DOM without validating it first. While not directly exploitable, this could leak information about message sources.

Affected Code:
```
document.getElementById('origin').textContent = 'Last message origin: ' + event.origin;
```
Raw output 
**Category:** weakness
**Severity:** LOW
**File:** test.html:30

**Proof of Concept:**
Monitor DOM changes to track message origins and gather reconnaissance data

**Finding ID:** a50e8400-e29b-41d4-a716-446655440074
// Shows the origin but FAILS to validate it (critical bug)
document.getElementById('origin').textContent = 'Last message origin: ' + event.origin;

Check warning on line 32 in test.html

View check run for this annotation

Hacktron App (DEV) / Hacktron Security Check

Insufficient Validation of Message Data Type and Structure (Batch 5) 

The code performs minimal type checking on incoming message data. While it checks if data is a string, it does not validate the structure or content before processing.

Affected Code:
```
const incoming = typeof event.data === 'string' ? event.data : JSON.stringify(event.data);
```
Raw output 
**Category:** weakness
**Severity:** MEDIUM
**File:** test.html:32

**Proof of Concept:**
Send unexpected data types or malicious objects: postMessage({__proto__: {polluted: true}}, '*')

**Finding ID:** a50e8400-e29b-41d4-a716-446655440073

Check failure on line 33 in test.html

View check run for this annotation

Hacktron App (DEV) / Hacktron Security Check

DOM-based XSS through Unsafe innerHTML Assignment (Batch 5) 

Untrusted data from postMessage is directly assigned to innerHTML without sanitization. This creates a DOM-based XSS vulnerability allowing arbitrary JavaScript execution.

Affected Code:
```
document.getElementById('output').innerHTML = incoming;
```
Raw output 
**Category:** vulnerability
**Severity:** HIGH
**File:** test.html:33

**Proof of Concept:**
window.opener.postMessage('<img src=x onerror=alert(document.cookie)>', '*') will execute arbitrary JavaScript

**Finding ID:** a50e8400-e29b-41d4-a716-446655440072
// Dangerous sink: direct innerHTML assignment of untrusted data
const incoming = typeof event.data === 'string' ? event.data : JSON.stringify(event.data);
document.getElementById('output').innerHTML = incoming;
});
</script>

<hr />
<h2>How to reproduce the issue</h2>
<ol>
<li>Open <em>this</em> file in your browser (served via any origin).</li>
<li>In the browser console, open a different-origin tab (e.g., <code>example.com</code>):
<pre>window.open('https://example.com', 'attacker');</pre>
</li>
<li>Switch to the console of the newly opened tab and run:

Check notice on line 47 in test.html

View check run for this annotation

Hacktron App (DEV) / Hacktron Security Check

Secure Implementation Pattern Available in Comments But Not Applied (Batch 5) 

A secure implementation pattern with proper origin validation is documented in the HTML comments (lines 47-57) but is not actively used. The code should implement the secure pattern shown in comments.

Affected Code:
```
const allowed = new Set(['https://trusted.example']);
```
Raw output 
**Category:** weakness
**Severity:** INFO
**File:** test.html:47

**Proof of Concept:**
Review the commented secure pattern and compare with the vulnerable implementation above

**Finding ID:** a50e8400-e29b-41d4-a716-446655440075
<pre>window.opener.postMessage('&lt;img src=x onerror=alert(\'Injected via \n\' + location.origin + \n\' — NO ORIGIN CHECK!\')&gt;', '*');</pre>
You should see an alert on the vulnerable page and the DOM content updated.
</li>
</ol>

<!--
SECURE PATTERN (for reference only — intentionally not active):

window.addEventListener('message', (event) => {
const allowed = new Set(['https://trusted.example']);
if (!allowed.has(event.origin)) return; // Validate origin strictly

// Optionally, validate event.source as well and use structured, expected message shapes
// if (event.data && event.data.type === 'expected') { ... }

// Avoid dangerous sinks like innerHTML; prefer textContent or safe rendering
});
-->
</body>
</html>