Add insecure postMessage example in test11.html #33
Open
maekuss wants to merge 1 commit into
This HTML file demonstrates an insecure postMessage implementation that lacks origin validation, allowing for potential DOM injection vulnerabilities.
DOM-based Cross-Site Scripting (XSS) via Insecure postMessage Listener
The file test11.html contains an insecure message event listener that does not validate the event.origin and directly injects event.data into the DOM using innerHTML. This allows any external window or iframe to send a crafted postMessage containing malicious HTML or JavaScript, which will be executed in the context of the vulnerable page.
Steps to Reproduce
1. Open `test11.html` in a browser.
2. Open a different-origin tab (e.g., `example.com`).
3. In the console of the attacker tab, execute:
```javascript
window.opener.postMessage('<img src=x onerror=alert("XSS")>', '*');
```
4. The alert will trigger on the `test11.html` page.
Fix with AI
A security vulnerability was found by Hacktron.
File: test11.html
Severity: high
Vulnerability: DOM-based Cross-Site Scripting (XSS) via Insecure postMessage Listener
Description:
The file `test11.html` contains an insecure `message` event listener that does not validate the `event.origin` and directly injects `event.data` into the DOM using `innerHTML`. This allows any external window or iframe to send a crafted `postMessage` containing malicious HTML or JavaScript, which will be executed in the context of the vulnerable page.
Proof of Concept:
**Steps to Reproduce**
1. Open `test11.html` in a browser.
2. Open a different-origin tab (e.g., `example.com`).
3. In the console of the attacker tab, execute:
```javascript
window.opener.postMessage('<img src=x onerror=alert("XSS")>', '*');
```
4. The alert will trigger on the `test11.html` page.
Affected Code:
```javascript
window.addEventListener('message', (event) => {
  // Shows the origin but FAILS to validate it (critical bug)
  document.getElementById('origin').textContent = 'Last message origin: ' + event.origin;
  // Dangerous sink: direct innerHTML assignment of untrusted data
  const incoming = typeof event.data === 'string' ? event.data : JSON.stringify(event.data);
  document.getElementById('output').innerHTML = incoming;
});
```
Acceptance criteria:
- Acceptance is defined by the **actual reported behavior**, not by tests passing.
- Reproduce the issue, or narrow the exact code path that produces it, *before* changing code. State what you confirmed.
- Fix the underlying cause. Mitigations that paper over the reported behavior do not count as a fix.
- Add a regression test that fails on the unpatched code and passes on the fix. If a regression test is genuinely impractical (e.g. race condition, infra-level issue), say so and explain why.
- Existing tests passing is **not** the bar. Do not declare done on tests-pass theatre.
Only change what is necessary to fix this vulnerability. Do not refactor adjacent code or modify unrelated files.
Triage: Reply !fp <reason> (false positive), !valid (confirmed), or !accepted_risk <reason>. Any other reply is saved as a triage note.
Reason is optional but improves future scans — e.g. !fp internal endpoint, not user-facing.
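The following is an added example, not code from this PR, from `test11.html`, or from the Hacktron report. It models the postMessage channel in plain Node (no browser needed) so the listener quoted above can be exercised next to a hardened version: the receiver checks `event.origin` against an exact-match allowlist, requires a structured message shape, and writes to `textContent` instead of `innerHTML`; the legitimate sender passes the victim's origin as `targetOrigin` instead of `'*'`. The origins, element names, `makeWindow`/`installSecureListener` helpers and the `greeting` message shape are assumptions made for the example. Note that in a real browser the attacker needs a handle to the victim window (the return value of `window.open`, an iframe's `contentWindow`, or `window.opener` when the victim page opened the attacker tab); the fake `postMessage` here takes the sender explicitly to stand in for that handle.

```javascript
// Added example (not from the PR or test11.html): a small Node-runnable model of
// the postMessage channel. Origins, element names and helpers are assumptions.

const VICTIM_ORIGIN = "https://app.example";     // assumed origin of test11.html
const ATTACKER_ORIGIN = "https://evil.example";  // assumed attacker-controlled origin
const PARTNER_ORIGIN = "https://partner.example"; // assumed legitimate sender

// Stand-in for a DOM element: records which sink was written.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Stand-in for a browsing context. postMessage() applies the browser's
// targetOrigin rule: delivered only if the sender passed "*" or the
// receiver's exact origin. `sender` plays the role of the window handle.
function makeWindow(origin) {
  const listeners = [];
  return {
    origin,
    document: { output: makeElement(), originLabel: makeElement() },
    addEventListener(type, fn) { if (type === "message") listeners.push(fn); },
    postMessage(data, targetOrigin, sender) {
      if (targetOrigin !== "*" && targetOrigin !== origin) return false; // dropped by the browser
      // The browser fills event.origin from the sender, so event.origin is
      // trustworthy; event.data never is.
      for (const fn of listeners) fn({ origin: sender.origin, data, source: sender });
      return true;
    },
  };
}

// Listener as written in test11.html: no origin check, innerHTML sink.
function installInsecureListener(win) {
  win.addEventListener("message", (event) => {
    win.document.originLabel.textContent = "Last message origin: " + event.origin;
    const incoming = typeof event.data === "string" ? event.data : JSON.stringify(event.data);
    win.document.output.innerHTML = incoming;
  });
}

// Hardened listener: exact-match origin allowlist, a fixed message shape,
// and a text sink so the payload can never be parsed as markup.
function installSecureListener(win, allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  win.addEventListener("message", (event) => {
    if (!allowed.has(event.origin)) return;             // unexpected origin: ignore
    const msg = event.data;
    if (!msg || typeof msg !== "object" || msg.type !== "greeting" || typeof msg.text !== "string") return;
    win.document.originLabel.textContent = "Last message origin: " + event.origin;
    win.document.output.textContent = msg.text;          // text sink, never innerHTML
  });
}

const XSS_PAYLOAD = '<img src=x onerror=alert("XSS")>';  // payload from the report

// Scenario 1: the test11.html listener renders the payload from any origin.
function runInsecureScenario() {
  const victim = makeWindow(VICTIM_ORIGIN);
  const attacker = makeWindow(ATTACKER_ORIGIN);
  installInsecureListener(victim);
  victim.postMessage(XSS_PAYLOAD, "*", attacker);
  return victim.document.output;   // innerHTML now holds the <img onerror> markup
}

// Scenario 2: the same attacker against the hardened listener is ignored,
// while a well-formed message from the allowlisted partner still works.
function runSecureScenario() {
  const victim = makeWindow(VICTIM_ORIGIN);
  const attacker = makeWindow(ATTACKER_ORIGIN);
  const partner = makeWindow(PARTNER_ORIGIN);
  installSecureListener(victim, [PARTNER_ORIGIN]);
  victim.postMessage(XSS_PAYLOAD, "*", attacker);                              // wrong origin
  victim.postMessage({ type: "greeting", text: XSS_PAYLOAD }, "*", attacker);  // still wrong origin
  victim.postMessage({ type: "greeting", text: "hello" }, VICTIM_ORIGIN, partner); // accepted
  return victim.document.output;   // textContent "hello", innerHTML untouched
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("insecure:", runInsecureScenario());
  console.log("secure:  ", runSecureScenario());
}
```

Two points the model makes visible: `targetOrigin` on the sender side only stops the sender from leaking data to a wrong window, it does nothing to protect the receiver, which is why the listener's own `event.origin` check is the fix the report asks for; and comparing origins with `===` against a fixed list avoids the usual `startsWith`/`includes` bypasses such as `https://app.example.evil.example`.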