Typescript Message Event Unvalidated Origin
Description
Detects message event listeners that do not properly validate the origin of received messages. This vulnerability could allow malicious websites to send cross-origin messages that get processed by the application, potentially leading to data leaks or manipulation of application state.
Detection Strategy
• Identifies message event listener declarations in TypeScript/JavaScript code
• Checks if the event listener callback function includes origin validation of the event.origin property
• Reports a vulnerability when a message event listener is found without proper origin validation checks
• Specifically looks for patterns where addEventListener('message', ...) or window.onmessage is used without corresponding origin verification
Vulnerable code example
import React from "react";
export const VulnerableComponent = (): React.JSX.Element => {
let messageData = "";
window.addEventListener("message", (event: MessageEvent): void => {
// Vulnerable: No origin check before processing message data
messageData = event.data.payload;...✅ Secure code example
import React, { useState } from "react";
// Define allowed origins that can send messages to this component
const ALLOWED_ORIGINS = ["https://trusted-domain.com"];
export const SecureComponent = (): React.JSX.Element => {
const [messageData, setMessageData] = useState("");
...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.