Javascript Insecure Postmessage Wildcard
Description
Detects when JavaScript's window.postMessage() method is configured with wildcard origin ('*') which allows any website to send messages to the window. This creates a security risk as malicious sites can inject arbitrary messages that your code will process, potentially leading to XSS or data theft.
Detection Strategy
• Look for postMessage() function calls in JavaScript code
• Check if the targetOrigin parameter is set to '*' (wildcard)
• Report vulnerability when wildcard origin is used instead of specific origins
Vulnerable code example
const popup = window.open('about:blank');
// SOURCE: Sensitive data that should not be exposed
const secretKey = 'xyz-secret-123';
// SINK: Vulnerable due to '*' allowing any origin to receive the sensitive data
popup.postMessage(secretKey, '*'); // Unsafe: wildcard origin allows data theft✅ Secure code example
// Define specific trusted origin instead of allowing any origin
const trustedOrigin = 'https://trusted-domain.com';
const popup = window.open('about:blank');
const secretKey = 'xyz-secret-123';
// SECURE: Specify exact origin instead of '*' to prevent data exposure
popup.postMessage(secretKey, trustedOrigin);...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.