id: postmessage-tracker

info:
  name: Postmessage Tracker
  author: pdteam
  severity: info
  reference:
    - https://github.com/vinothsparrow/iframe-broker/blob/main/static/script.js
  tags: headless,postmessage

headless:
  - steps:
      - action: setheader
        args:
          part: response
          key: Content-Security-Policy
          value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"

      - action: script
        args:
          hook: true
          code: |
            () => {
              window.alerts = [];

              logger = found => window.alerts.push(found);

              function getStackTrace() {
                var stack;
                try {
                  throw new Error('');
                } catch (error) {
                  stack = error.stack || '';
                }

                stack = stack.split('\n').map(line => line.trim());
                return stack.splice(stack[0] == 'Error' ? 2 : 1);
              }

              var oldListener = Window.prototype.addEventListener;

              Window.prototype.addEventListener = (type, listener, useCapture) => {
                if (type === 'message') {
                  logger(getStackTrace());
                }
                return oldListener.apply(this, arguments);
              };
            }

      - args:
          url: "{{BaseURL}}"
        action: navigate
      - action: waitload

      - action: script
        name: alerts
        args:
          code: |
            () => { window.alerts }

    matchers:
      - type: word
        part: alerts
        words:
          - "at Window.addEventListener"

    extractors:
      - type: kval
        part: alerts
        kval:
          - alerts
# digest: 4a0a00473045022026d75fde386aa9a4f2a268d9f5b9971d48807190e7d3d961dca15734a8621ed9022100ca718904989421c9c59a406522953910f302ad61f32b9d969983d533edfd3bd5:922c64590222798bb761d5b6d8e72950