Typescript Insecure Postmessage Wildcard
Description
Detects insecure usage of the postMessage API where the wildcard '*' is passed as the targetOrigin parameter. With a wildcard, the browser delivers the message regardless of the origin the target window currently has, so if that window has been navigated to a malicious site the sensitive data is exposed to it.
Detection Strategy
• Check for postMessage function calls in TypeScript/JavaScript code
• Identify if the targetOrigin parameter is set to '*' (wildcard)
• Flag cases where wildcard origin is used since it allows sending messages to any domain
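The three detection steps above, implemented as an added example (this is not the Fluid Attacks rule's own code): a dependency-free TypeScript scanner that locates postMessage calls, splits their argument list while respecting nested brackets and string literals, and classifies the targetOrigin argument as a wildcard, a fixed literal, a dynamic expression it cannot resolve statically, or missing (the browser then defaults to the caller's own origin). The function names and the sample source are assumptions constructed for the example.

```typescript
// Added example, not the Fluid Attacks rule implementation: a small scanner
// that finds postMessage() calls whose targetOrigin argument is the wildcard '*'.

interface PostMessageFinding {
  line: number;          // 1-based line of the call
  targetOrigin: string;  // raw source text of the second argument ('' if absent)
  verdict: "wildcard" | "missing" | "literal" | "dynamic";
}

// Split the text inside postMessage( ... ) into top-level arguments,
// respecting nested brackets and quoted strings that may contain commas.
function splitArgs(body: string): string[] {
  const args: string[] = [];
  let depth = 0;
  let quote: string | null = null;
  let current = "";
  for (let i = 0; i < body.length; i++) {
    const ch = body[i];
    if (quote) {
      current += ch;
      if (ch === "\\" && i + 1 < body.length) { current += body[++i]; continue; }
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === "'" || ch === '"' || ch === "`") { quote = ch; current += ch; continue; }
    if (ch === "(" || ch === "[" || ch === "{") depth++;
    if (ch === ")" || ch === "]" || ch === "}") depth--;
    if (ch === "," && depth === 0) { args.push(current.trim()); current = ""; continue; }
    current += ch;
  }
  if (current.trim() !== "") args.push(current.trim());
  return args;
}

// Index of the ')' matching the '(' at openIdx, or -1 if the call is unbalanced.
function matchParen(src: string, openIdx: number): number {
  let depth = 0;
  let quote: string | null = null;
  for (let i = openIdx; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      if (ch === "\\") { i++; continue; }
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === "'" || ch === '"' || ch === "`") { quote = ch; continue; }
    if (ch === "(") depth++;
    else if (ch === ")") { depth--; if (depth === 0) return i; }
  }
  return -1;
}

// Classify the raw targetOrigin argument. Only a quoted literal can be judged
// statically; identifiers or expressions are reported as "dynamic" for review.
function classify(arg: string): PostMessageFinding["verdict"] {
  if (arg === "") return "missing";
  const m = /^(['"`])([\s\S]*)\1$/.exec(arg);
  if (!m) return "dynamic";
  return m[2] === "*" ? "wildcard" : "literal";
}

function scanPostMessage(src: string): PostMessageFinding[] {
  const findings: PostMessageFinding[] = [];
  const re = /\bpostMessage\s*\(/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(src)) !== null) {
    const open = m.index + m[0].length - 1;
    const close = matchParen(src, open);
    if (close < 0) break;
    const args = splitArgs(src.slice(open + 1, close));
    const target = args.length > 1 ? args[1] : "";
    const line = src.slice(0, m.index).split("\n").length;
    findings.push({ line, targetOrigin: target, verdict: classify(target) });
    re.lastIndex = close + 1;
  }
  return findings;
}

// Constructed sample input: the vulnerable and secure patterns from the rule,
// an identifier-based origin the scanner cannot resolve, and a missing origin.
const SAMPLE_SOURCE = `
const popup = window.open('about:blank');
popup.postMessage(secretToken, '*');
popup.postMessage({ a: [1, 2], b: "x,y" }, 'https://trusted-domain.com');
popup.postMessage(secretToken, TRUSTED_ORIGIN);
popup.postMessage(secretToken);
`;

// Lines that should be flagged by the rule (wildcard targetOrigin).
function wildcardLines(src: string = SAMPLE_SOURCE): number[] {
  return scanPostMessage(src).filter(f => f.verdict === "wildcard").map(f => f.line);
}

console.log(wildcardLines()); // prints [ 3 ]
```

Only the "wildcard" verdict is a confirmed finding; "dynamic" results (an identifier such as TRUSTED_ORIGIN) need a follow-up check of where that value comes from, which is exactly the step a purely textual rule cannot perform.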
Vulnerable code example
const popup = window.open('about:blank');
// Sensitive data that should not be exposed
const secretToken = 'xyz-123-SECRET-TOKEN';
function sendSensitiveData() {
  if (popup) {
    // VULNERABLE: Using wildcard '*' allows any origin to receive the sensitive data
    popup.postMessage(secretToken, '*');
  }
}
✅ Secure code example
const TRUSTED_ORIGIN = 'https://trusted-domain.com'; // Specify exact trusted origin
const popup = window.open('about:blank');
// Store sensitive data securely
const secretToken = 'xyz-123-SECRET-TOKEN';
function sendSensitiveData() {
  if (popup) {
    // SECURE: the browser delivers the message only if the popup's current origin is TRUSTED_ORIGIN
    popup.postMessage(secretToken, TRUSTED_ORIGIN);
  }
}