Javascript Message Event Unvalidated Origin
Description
Detects JavaScript/JSX code that registers a 'message' event listener without validating the sender's origin. Any window that holds a reference to the page (an embedding frame, an opener or an opened popup) can call postMessage on it, so a handler that does not check the origin processes messages from arbitrary, possibly malicious, sites and may act on attacker-controlled data.
Detection Strategy
1. Identifies message event listener registrations in JavaScript/JSX code.
2. Examines the event listener callback functions for origin validation logic.
3. Reports a vulnerability if the message event handler processes data without validating the sender's origin.
4. Specifically looks for patterns where 'message' or 'onmessage' events are used without corresponding origin checks.
Vulnerable code example

// Vulnerable postMessage event handler without origin validation
window.addEventListener('message', function handleEvents(e) {
  // VULNERABLE: No origin check allows processing messages from any domain
  switch (e.data.eventName) {
    case 'vtex:promoView': {
      const dataEvent = e.data.promotions;
      window.dataLayer.push({
        event: 'view_promotion',
        // ...
      });
      break;
    }
  }
});

✅ Secure code example
// Define allowed origins that can send messages
const ALLOWED_ORIGINS = ['https://trusted-domain.com', 'https://other-trusted.com'];

// Only add event listener if we're in browser context
if (typeof window !== 'undefined') {
  window.addEventListener('message', function handleEvents(e) {
    // Check if origin is in our allowlist before processing message
    if (!ALLOWED_ORIGINS.includes(e.origin)) {
      return; // drop messages from unknown origins
    }
    // ... handle e.data only after the origin check passed
  });
}
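The following is an added example, not code from the Fluid Attacks page. It puts the vulnerable handler, the allowlisted handler and a common half-fix (a prefix match on the origin) side by side and runs them over constructed messages, including one from a lookalike origin that a prefix check accepts. The event name 'vtex:promoView', the dataLayer shape, the origins, the attacker origin and the ack reply are illustrative assumptions; events are plain objects shaped like MessageEvent (origin, data, source) so the block runs in Node without a window.

```javascript
// Added example (not from the original page): three postMessage handler
// variants run against constructed messages. Event name, dataLayer shape,
// origins and the ack reply are assumptions for illustration.

const ALLOWED_ORIGINS = new Set([
  'https://trusted-domain.com',
  'https://other-trusted.com',
]);

// Stands in for window.dataLayer.push so the result can be inspected.
function recordPromoView(dataLayer, promotions) {
  dataLayer.push({ event: 'view_promotion', promotions });
}

// VULNERABLE: no origin check. Any window holding a reference to this one
// (an embedding frame, an opener, a popup) can trigger the dataLayer push.
function makeVulnerableHandler(dataLayer) {
  return function handleEvents(e) {
    if (e.data && e.data.eventName === 'vtex:promoView') {
      recordPromoView(dataLayer, e.data.promotions);
      return true;
    }
    return false;
  };
}

// STILL VULNERABLE: a prefix check (likewise indexOf, or a regex without
// anchors) accepts an attacker-registered host such as
// https://trusted-domain.com.evil.example.
function makePrefixCheckHandler(dataLayer) {
  return function handleEvents(e) {
    if (typeof e.origin !== 'string' || !e.origin.startsWith('https://trusted-domain.com')) {
      return false;
    }
    if (e.data && e.data.eventName === 'vtex:promoView') {
      recordPromoView(dataLayer, e.data.promotions);
      return true;
    }
    return false;
  };
}

// SECURE: exact match against the allowlist. e.origin is filled in by the
// browser from the sender's document and cannot be forged by the sending
// script. The payload is validated before use, and the reply is sent only
// to the verified origin as targetOrigin, never to '*'.
function makeSecureHandler(dataLayer) {
  return function handleEvents(e) {
    if (!ALLOWED_ORIGINS.has(e.origin)) {
      return false; // drop silently
    }
    if (!e.data || e.data.eventName !== 'vtex:promoView' || !Array.isArray(e.data.promotions)) {
      return false;
    }
    recordPromoView(dataLayer, e.data.promotions);
    if (e.source && typeof e.source.postMessage === 'function') {
      e.source.postMessage({ eventName: 'vtex:promoViewAck' }, e.origin);
    }
    return true;
  };
}

// Constructed sample traffic: a legitimate message, one from an unrelated
// origin, and one from a lookalike origin. Each source records what is
// posted back to it and with which targetOrigin.
function makeMessages() {
  const promo = { eventName: 'vtex:promoView', promotions: [{ id: 'p1', name: 'Spring sale' }] };
  return ['https://trusted-domain.com', 'https://evil.example', 'https://trusted-domain.com.evil.example']
    .map((origin) => ({
      origin,
      data: promo,
      source: { replies: [], postMessage(msg, targetOrigin) { this.replies.push({ msg, targetOrigin }); } },
    }));
}

// Runs one handler over the sample messages; returns the origins it accepted,
// the dataLayer it filled and the targetOrigins of any replies it sent.
function runHandler(makeHandler) {
  const dataLayer = [];
  const handler = makeHandler(dataLayer);
  const messages = makeMessages();
  const accepted = messages.filter((m) => handler(m)).map((m) => m.origin);
  const replies = messages.flatMap((m) => m.source.replies.map((r) => r.targetOrigin));
  return { accepted, dataLayer, replies };
}

console.log('no check   :', runHandler(makeVulnerableHandler).accepted);
console.log('prefix     :', runHandler(makePrefixCheckHandler).accepted);
console.log('allowlist  :', runHandler(makeSecureHandler).accepted);
```

The prefix variant is the case a detection rule that only looks for the word 'origin' in the callback would miss: the check is present but ineffective. Comparing the full origin string (scheme, host and port) against a fixed set is the form that holds up, and the same verified origin should be the targetOrigin of any reply.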