id: postmessage-outgoing-tracker

info:
  name: Postmessage Outgoing Tracker
  author: LogicalHunter
  severity: info
  reference:
    - https://appcheck-ng.com/html5-cross-document-messaging-vulnerabilities/
  tags: headless,postmessage

headless:
  - steps:
      - action: setheader
        args:
          part: response
          key: Content-Security-Policy
          value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"

      - action: script
        args:
          hook: true
          code: |
            () => {
              window.alerts = [];

              logger = found => window.alerts.push(found);

              function getStackTrace() {
                var stack;
                try {
                  throw new Error('');
                } catch (error) {
                  stack = error.stack || '';
                }

                stack = stack.split('\n').map(line => line.trim());
                return stack.splice(stack[0] == 'Error' ? 2 : 1);
              }

              var oldSender = window.postMessage;

              window.postMessage = (data, origin) => {
                if (origin == '*') {
                  logger({stack: getStackTrace(), args: {data, origin}});
                  return oldSender.apply(this, arguments);
                }
              };
            }

      - args:
          url: "{{BaseURL}}"
        action: navigate
      - action: waitload

      - action: script
        name: alerts
        args:
          code: |
            () => { window.alerts }

    matchers:
      - type: word
        part: alerts
        words:
          - "at window.postMessage"

    extractors:
      - type: kval
        part: alerts
        kval:
          - alerts
# digest: 4a0a0047304502210087bf38a3b7ff49f3d2bb711691f3d2ca8d4d0c85403389cbf5b606ca0451d79202200ed2e0f54b4c713ae68f7401dcf1b9734dbda678ad44812e61b69cbae16ecf67:922c64590222798bb761d5b6d8e72950