Javascript Postmessage Wildcard Origin
Description
Detects when JavaScript postMessage() is called with the wildcard (*) as its targetOrigin. With a wildcard, the browser delivers the message to whatever document is currently loaded in the target window, regardless of its origin, so a malicious website that controls or has navigated that window can read the message, potentially leading to cross-origin attacks and leakage of sensitive data.
Detection Strategy
• Identifies JavaScript code that calls window.postMessage() or postMessage() on another window (for example iframe.contentWindow)
• Checks whether the targetOrigin parameter is set to '*', which allows any origin to receive the message
• Reports a vulnerability when postMessage is called with the wildcard origin instead of a specific trusted origin
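The detection strategy above, written out as a small source scanner. This is an added example, not Fluid Attacks' own detector: it finds postMessage(...) calls in JavaScript text, splits the call into top-level arguments, and flags any call whose second (targetOrigin) argument is the string literal '*'. The sample source it scans is constructed here and mirrors the two snippets on this page plus a few shapes a scanner has to get right; all function names are this example's own.

```javascript
// Added example (not Fluid Attacks' detector): a syntactic scanner for
// postMessage calls whose targetOrigin argument is the wildcard literal '*'.

// Constructed sample input: the two snippets from this page plus a
// double-quoted and a template-literal wildcard, a nested call with a '*'
// inside the payload (must not count), a variable targetOrigin (cannot be
// resolved by a syntactic check) and a call with no origin argument.
const SAMPLE_SOURCE = `
const iframe = document.getElementById('myframe');
iframe.contentWindow.postMessage('sensitive-data', '*');
iframe.contentWindow.postMessage('sensitive-data', 'https://trusted-domain.com');
window.parent.postMessage(JSON.stringify({ a: 1, b: '*' }), "*");
window.opener.postMessage({ token: getToken() }, \`*\`);
window.postMessage('rating: *****', TRUSTED_ORIGIN);
target.postMessage('no-origin-argument');
`;

// A targetOrigin literal that is exactly "*" in any quoting style.
const WILDCARD_LITERAL = /^(['"`])\*\1$/;

function isWildcardOrigin(argText) {
  return WILDCARD_LITERAL.test(argText.trim());
}

// Split the text between a call's parentheses into top-level arguments.
// Quotes and nested ()/[]/{} are tracked so commas inside them are ignored.
function splitTopLevelArgs(argText) {
  const args = [];
  let current = '';
  let depth = 0;
  let quote = null;
  for (let i = 0; i < argText.length; i++) {
    const c = argText[i];
    if (quote) {
      current += c;
      if (c === '\\' && i + 1 < argText.length) { current += argText[++i]; }
      else if (c === quote) { quote = null; }
      continue;
    }
    if (c === "'" || c === '"' || c === '`') { quote = c; current += c; continue; }
    if (c === '(' || c === '[' || c === '{') depth++;
    if (c === ')' || c === ']' || c === '}') depth--;
    if (c === ',' && depth === 0) { args.push(current.trim()); current = ''; continue; }
    current += c;
  }
  if (current.trim() !== '') args.push(current.trim());
  return args;
}

// Return the index of the ')' that closes the call whose '(' is at openIndex,
// or -1 if the source ends first (the scan then stops instead of throwing).
function findClosingParen(source, openIndex) {
  let depth = 0;
  let quote = null;
  for (let i = openIndex; i < source.length; i++) {
    const c = source[i];
    if (quote) {
      if (c === '\\') i++;
      else if (c === quote) quote = null;
      continue;
    }
    if (c === "'" || c === '"' || c === '`') { quote = c; continue; }
    if (c === '(') depth++;
    else if (c === ')') { depth--; if (depth === 0) return i; }
  }
  return -1;
}

// Scan JavaScript source text and report every postMessage call whose
// targetOrigin is the wildcard literal. Each finding carries the 1-based line
// number, the offending argument and the source line for the report.
function findWildcardPostMessages(source) {
  const findings = [];
  const callPattern = /\bpostMessage\s*\(/g;
  let match;
  while ((match = callPattern.exec(source)) !== null) {
    const openIndex = match.index + match[0].length - 1;
    const closeIndex = findClosingParen(source, openIndex);
    if (closeIndex === -1) break;
    const args = splitTopLevelArgs(source.slice(openIndex + 1, closeIndex));
    // A variable that happens to hold '*' is not resolved here; that is a
    // limitation of a purely syntactic check, so it is a gap, not a clean bill.
    if (args.length >= 2 && isWildcardOrigin(args[1])) {
      const line = source.slice(0, match.index).split('\n').length;
      findings.push({
        line,
        targetOrigin: args[1],
        code: source.split('\n')[line - 1].trim(),
      });
    }
    callPattern.lastIndex = closeIndex + 1;
  }
  return findings;
}

for (const f of findWildcardPostMessages(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: postMessage targetOrigin is ${f.targetOrigin} -> ${f.code}`);
}
```

Run against the constructed sample, the scanner reports lines 3, 5 and 6 and stays quiet on the trusted-domain call, the '*' that only appears inside the payload, and the variable target. The quiet cases are the ones worth remembering when reading a report from a tool built this way: an origin stored in a variable is simply out of reach of a literal check.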
Vulnerable code example
// Get reference to iframe element
const iframe = document.getElementById('myframe');
// Vulnerable: Using wildcard (*) allows any origin to receive the message
iframe.contentWindow.postMessage('sensitive-data', '*'); // Using * is unsafe - allows any website to intercept messages
✅ Secure code example
// Get reference to iframe element
const iframe = document.getElementById('myframe');
// Safe: Specify exact target origin instead of wildcard
iframe.contentWindow.postMessage('sensitive-data', 'https://trusted-domain.com'); // Only this specific origin can receive messages