Create sfsd.html #30

Open

maekuss wants to merge 1 commit into main from maekuss-patch-8
Conversation

@maekuss (Owner) commented May 26, 2026

No description provided.

hacktron-app (Bot) commented May 26, 2026

⏭️ Hacktron Security Check — Skipped

Reason: PR review limit reached for this billing period. Spillover billing is available for this org but is not enabled.

Ask your org owner to enable spillover billing on the billing page, or wait for the next billing cycle.

Go to: https://app.hacktron.ai/dscsdsdc/billing

hacktron-app-stg (Bot) left a comment

1 issue found across 1 file

Severity: 🔴 High (count: 1)

View full scan results

Comment thread: sfsd.html

🔴 High: DOM-based Cross-Site Scripting (XSS) via insecure postMessage listener in sfsd.html

The sfsd.html file implements a window.addEventListener('message', ...) listener that fails to validate the event.origin of incoming messages. It then takes the event.data and directly assigns it to the innerHTML of the div#output element. This allows any malicious website to send a crafted postMessage to this page, leading to arbitrary JavaScript execution in the context of the page's origin. This is a clear DOM-based XSS vulnerability.

Steps to Reproduce
  1. Open sfsd.html in a browser.
  2. In the console of a different origin (e.g., example.com), execute:
    window.opener.postMessage('<img src=x onerror=alert(document.domain)>', '*');
  3. The alert will execute on the sfsd.html page.
Fix with AI (generated prompt):

Fix the following security vulnerability found by Hacktron.

File: sfsd.html
Severity: high

Vulnerability: DOM-based Cross-Site Scripting (XSS) via insecure postMessage listener in sfsd.html

Description:
The `sfsd.html` file implements a `window.addEventListener('message', ...)` listener that fails to validate the `event.origin` of incoming messages. It then takes the `event.data` and directly assigns it to the `innerHTML` of the `div#output` element. This allows any malicious website to send a crafted `postMessage` to this page, leading to arbitrary JavaScript execution in the context of the page's origin. This is a clear DOM-based XSS vulnerability.

Proof of Concept:
1. Open `sfsd.html` in a browser.
2. In the console of a different origin (e.g., `example.com`), execute:
   window.opener.postMessage('<img src=x onerror=alert(document.domain)>', '*');
3. The alert will execute on the `sfsd.html` page.

Fix this vulnerability. Only change what's necessary - don't modify unrelated code.

Triage: Reply !fp <reason> (false positive), !valid (confirmed), or !accepted_risk <reason>. Reason is optional but improves future scans — e.g. !fp internal endpoint, not user-facing. Any other reply is saved as a triage note.

View finding in Hacktron
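The handler the finding describes, written out beside a hardened version, as an added example that is not code from this PR or from Hacktron. It runs under Node against a constructed stand-in for `div#output` (there is no real DOM or HTML parser here), and the allowlisted origin `https://app.example` and attacker origin `https://attacker.example` are assumed values, not anything the PR specifies.

```javascript
// Added example, not code from this PR: the vulnerable postMessage handler
// the finding describes, beside a hardened version. It runs under Node with a
// constructed stand-in for div#output, so there is no real DOM or parser here.

// Minimal HTML escaping, used by the stand-in to model textContent assignment.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Constructed stand-in for document.getElementById('output'). It models the
// one browser behaviour that matters: innerHTML takes the string as markup
// (stored raw here, since Node has no HTML parser), while textContent stores
// it as escaped text that can never introduce elements or event handlers.
function makeOutputElement() {
  const el = { serialized: '' };
  Object.defineProperty(el, 'innerHTML', {
    get() { return el.serialized; },
    set(v) { el.serialized = String(v); },
  });
  Object.defineProperty(el, 'textContent', {
    set(v) { el.serialized = escapeHtml(String(v)); },
  });
  return el;
}

// Vulnerable handler, as in the finding: event.origin is never checked and
// event.data is written as HTML, so any page holding a reference to this
// window (opener, parent, or embedder) gets script execution in its origin.
function vulnerableHandler(output, event) {
  output.innerHTML = event.data;
  return output;
}

// Hypothetical allowlist: the origin(s) that legitimately post into the page.
const TRUSTED_ORIGINS = new Set(['https://app.example']);

// Hardened handler: exact-match the origin (never a substring or prefix
// test), accept only the payload shape expected, and render via textContent.
function hardenedHandler(output, event, trustedOrigins = TRUSTED_ORIGINS) {
  if (!trustedOrigins.has(event.origin)) {
    return { accepted: false, reason: 'untrusted origin: ' + event.origin };
  }
  if (typeof event.data !== 'string') {
    return { accepted: false, reason: 'unexpected payload type' };
  }
  output.textContent = event.data;
  return { accepted: true, reason: null };
}

// Constructed MessageEvent-like objects; the attacker payload is the one from
// the finding's proof of concept.
const XSS_PAYLOAD = '<img src=x onerror=alert(document.domain)>';
const attackerEvent = { origin: 'https://attacker.example', data: XSS_PAYLOAD };
const trustedEvent = { origin: 'https://app.example', data: 'hello <b>world</b>' };

// Run both handlers against the constructed events and return what ended up
// in the stand-in element.
function demo() {
  const vulnerable = vulnerableHandler(makeOutputElement(), attackerEvent);
  const hardenedVsAttacker = makeOutputElement();
  const attackerResult = hardenedHandler(hardenedVsAttacker, attackerEvent);
  const hardenedVsTrusted = makeOutputElement();
  const trustedResult = hardenedHandler(hardenedVsTrusted, trustedEvent);
  return {
    vulnerableHtml: vulnerable.innerHTML,                  // raw <img ...>: markup injected
    attackerResult,                                        // rejected before any DOM write
    hardenedVsAttackerHtml: hardenedVsAttacker.innerHTML,  // still ''
    trustedResult,
    hardenedVsTrustedHtml: hardenedVsTrusted.innerHTML,    // escaped text only
  };
}

// In the real page the hardened handler would be wired as:
//   window.addEventListener('message', e =>
//     hardenedHandler(document.getElementById('output'), e));
```

The origin check is the part that closes the cross-origin hole; switching to `textContent` is what makes the page safe even if a trusted origin is later compromised or relays attacker-controlled data, so both belong in the fix.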

@maekuss (Owner, Author) commented

hi
