31 lines
1.8 KiB
Markdown
31 lines
1.8 KiB
Markdown
|
# PostMessage Vulnerabilities
|
||
|
|
||
|
## Tips/Bypasses in PostMessage vulnerabilities
|
||
|
|
||
|
Copied from [https://jlajara.gitlab.io/web/2020/07/17/Dom\_XSS\_PostMessage\_2.html](https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage_2.html)
|
||
|
|
||
|
* If `indexOf()` is used to check the origin of the PostMessage event, remember that it can be bypassed if the origin is contained in the string as seen in [_The Bypass_](https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage_2.html#bypass)
|
||
|
* [@filedescriptor](https://twitter.com/filedescriptor): Using `search()` to validate the origin could be insecure. According to the docs of `String.prototype.search()`, the method takes a regular repression object instead of a string. If anything other than regexp is passed, it will get implicitly converted into a regexp.
|
||
|
|
||
|
```javascript
|
||
|
"https://www.safedomain.com".search(t.origin)
|
||
|
```
|
||
|
|
||
|
In regular expression, a dot \(.\) is treated as a wildcard. In other words, any character of the origin can be replaced with a dot. An attacker can take advantage of it and use a special domain instead of the official one to bypass the validation, such as **www.s.afedomain.com**.
|
||
|
|
||
|
* [@bored-engineer](https://bored.engineer/): If `escapeHtml` function is used, the function does not create a `new` escaped object, instead it over-writes properties of the existing object. This means that if we are able to create an object with a controlled property that does not respond to `hasOwnProperty` it will not be escaped.
|
||
|
|
||
|
```javascript
|
||
|
// Expected to fail:
|
||
|
result = u({
|
||
|
message: "'\"<b>\\"
|
||
|
});
|
||
|
result.message // "'"<b>\"
|
||
|
// Bypassed:
|
||
|
result = u(new Error("'\"<b>\\"));
|
||
|
result.message; // "'"<b>\"
|
||
|
```
|
||
|
|
||
|
`File` object is perfect for this exploit as it has a read-only `name` property which is used by our template and will bypass `escapeHtml` function.
|
||
|
|