Typescript Postmessage Wildcard Origin
Description
Detects unsafe usage of postMessage in TypeScript where a wildcard (*) origin is specified. This creates a security risk by allowing any domain to receive messages from the window, potentially enabling cross-site scripting or data theft attacks.
Detection Strategy
• Look for window.postMessage() function calls in TypeScript code
• Check if the origin parameter is set to '*' (wildcard)
• Report a vulnerability if postMessage is used with wildcard origin since this allows messages to be received by any domain
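As an added example (my own code, not Fluid Attacks' rule implementation), the detection strategy above can be written against the TypeScript compiler API: parse the file, find every `.postMessage(...)` call, and inspect the targetOrigin argument. It goes a little beyond the three bullets: it also recognises the `{ targetOrigin: "*" }` options-object form and a backtick template literal, and it reports a non-literal origin as "dynamic" so a reviewer can check it by hand instead of letting it pass silently. `SAMPLE_SOURCE` is a constructed input, and `scanPostMessage` is an assumed function name.

```typescript
import * as ts from "typescript";

// Constructed sample input (not from the page): a mix of safe and unsafe calls.
export const SAMPLE_SOURCE = `
const frame = document.getElementById("myframe") as HTMLIFrameElement;
frame.contentWindow!.postMessage("sensitive_data", "*");
window.parent.postMessage({ token }, "*");
frame.contentWindow!.postMessage("sensitive_data", "https://trusted-domain.com");
window.postMessage("hello", \`*\`);
const target = computeOrigin();
frame.contentWindow!.postMessage("x", target);
frame.contentWindow!.postMessage("y", { targetOrigin: "*" });
`;

export type OriginKind = "wildcard" | "static" | "dynamic";

export interface Finding {
  line: number;      // 1-based line of the postMessage call
  receiver: string;  // source text of the expression postMessage is called on
  kind: OriginKind;  // "wildcard" is the vulnerability; "dynamic" needs manual review
}

// Classify the targetOrigin argument, which may be a string or an options object.
function classifyOrigin(arg: ts.Expression): OriginKind {
  if (ts.isStringLiteral(arg) || ts.isNoSubstitutionTemplateLiteral(arg)) {
    return arg.text === "*" ? "wildcard" : "static";
  }
  if (ts.isObjectLiteralExpression(arg)) {
    // postMessage(message, { targetOrigin: ... }) form.
    // A missing targetOrigin defaults to "/" (same origin), so it is treated as static.
    for (const prop of arg.properties) {
      if (ts.isPropertyAssignment(prop) && ts.isIdentifier(prop.name) && prop.name.text === "targetOrigin") {
        return classifyOrigin(prop.initializer);
      }
    }
    return "static";
  }
  // Variable, function call, concatenation, etc.: cannot be decided statically here.
  return "dynamic";
}

// Walk the AST and report every postMessage call whose origin is "*" or not a literal.
export function scanPostMessage(code: string, fileName = "input.ts"): Finding[] {
  const sf = ts.createSourceFile(fileName, code, ts.ScriptTarget.Latest, true, ts.ScriptKind.TS);
  const findings: Finding[] = [];

  function visit(node: ts.Node): void {
    if (
      ts.isCallExpression(node) &&
      ts.isPropertyAccessExpression(node.expression) &&
      node.expression.name.text === "postMessage"
    ) {
      // Calls with a single argument (e.g. Worker/MessagePort) carry no targetOrigin.
      const originArg = node.arguments[1];
      if (originArg) {
        const kind = classifyOrigin(originArg);
        if (kind !== "static") {
          findings.push({
            line: sf.getLineAndCharacterOfPosition(node.getStart(sf)).line + 1,
            receiver: node.expression.expression.getText(sf),
            kind,
          });
        }
      }
    }
    ts.forEachChild(node, visit);
  }

  visit(sf);
  return findings;
}
```

Run `scanPostMessage(SAMPLE_SOURCE)` and the wildcard findings point at lines 3, 4, 6 and 9 of the sample, while line 8 comes back as "dynamic"; the call with the explicit `https://trusted-domain.com` origin produces nothing. The "dynamic" bucket matters in practice: a rule that only matches the literal `"*"` misses `const origin = "*"` passed through a variable, so those calls deserve a look rather than a silent pass.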
Vulnerable code example
// Get reference to iframe element (typed so contentWindow is available in TypeScript)
const iframe = document.getElementById("myframe") as HTMLIFrameElement;
// Vulnerable: Using wildcard "*" allows any origin to receive the message
iframe.contentWindow?.postMessage("sensitive_data", "*");
Secure code example
// Get reference to iframe element (typed so contentWindow is available in TypeScript)
const iframe = document.getElementById("myframe") as HTMLIFrameElement;
// Safe: Explicitly specify trusted target origin instead of "*"
iframe.contentWindow?.postMessage("sensitive_data", "https://trusted-domain.com"); // Restrict messages to specific origin
// Optional: Add message event listener with origin verification
window.addEventListener("message", function (event: MessageEvent) {
  // Ignore messages that did not come from the trusted origin
  if (event.origin !== "https://trusted-domain.com") {
    return;
  }
  // Handle event.data from the trusted origin here
});