Upserve : DOM Based XSS via postMessage at https://inventory.upserve.com/login/
Description: DOM based XSS is possible at https://inventory.upserve.com/login/ due to insecure origin checking when receiving a postMessage. POC: 1. Visit https://hq.upserve.com.████████/upservexss.html 2. Click link 3. View alert on https://inventory.upserve.com Vulnerable Code: javascript...
Mail.ru: [XSS] postMessage in jsapi/button
XSS via postMessage handler in o2.mail.ru...
Shopify: H1514 DOM XSS on checkout.shopify.com via postMessage handler on /:id/sandbox/google_maps
Description: The /:id/sandbox/googlemaps and /:id/sandbox/googleautocomplete routes on checkout.shopify.com are used to render the Google Map on the "Order Status" page as well as the address prediction on checkout pages. The page performs origin validation on incoming postMessages making sure th...
HackerOne: Client-Side Race Condition using Marketo, allows sending user to data-protocol in Safari when form without onSuccess is submitted on www.hackerone.com
Hi, I made a talk earlier this month about Client-Side Race Conditions for postMessage on AppSecEU: https://speakerdeck.com/fransrosen/owasp-appseceu-2018-attacking-modern-web-technologies In this talk I mention some fun ways to race postMessages from a malicious origin before the legit source...
Reading Your Emails With A Read&Write Chrome Extension Same Origin Policy Bypass (~8 Million Users Affected)
Summary Due to a lack of proper origin checks in the message passing from regular web pages, any arbitrary web page is able to call privileged background page APIs for the Read&Write Chrome extension vulnerable version 1.8.0.139. Many of these APIs allow for dangerous actions which are not meant ...
Mail.ru: easyXDM allows cross domain postmessaging with any origin, leaking sensitive info
Mail.Ru Agent uses the easyXDM library for cross-domain communication between different mail.ru messaging systems. For modern browsers postMessage is used inside. The security issue was due to a lack of ACLs for domains. So a malicious actor could, in some circumstances (he should know the victim's email), forc...
Mail.ru: XSS on e.mail.ru via postMessage
URI GET-parameter-based XSS in https://e.mail.ru/cgi-bin/login via a combination of factors: a controllable script name via NUL character injection, and the availability of a script with a known vulnerability within the domain...
Mail.ru: XSS on https://account.mail.ru/login via postMessage
The message handler on the page https://account.mail.ru/login does not check the source, which allows calling any available command from an arbitrary resource: js // https://img.imgsmail.ru/ag/0.3.3/authGate.js:formatted function ca a = a || window.event; var c, d, h = , i = a.data, j = a.source; i...
Analysis of the Firefox SharedArrayBuffer UAF exploit-vulnerability warning-the black bar safety net
This article explores a reference-leak problem that occurs when the structured clone algorithm handles a SharedArrayBuffer. Combined with missing overflow checking, it can be exploited to execute arbitrary code. It is divided into the following sections: Background, Vulnerability, Summary. We exploit...
Shopify: XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog"
Description The /:id/digitalwallets/dialog endpoint is used to display a small dialog box relating to the "digital wallets" functionality on a shop. The endpoint includes a script that listens for postMessages without validating the origin of messages. However, the impact of the missing validatio...
PostMessage cross-domain vulnerability-vulnerability warning-the black bar safety net
Note: this article is an original by the "Millet Security Center"; for reprints please contact the "Millet Security Center". Background: Value: $3000. Vulnerability cause: a postMessage cross-domain vulnerability, used to receive a user authentication token over a websocket. Original address:...
Slack: Bypass to postMessage origin validation via FTP
@a1kmm- discovered a bypass to our postMessage origin check, wherein an attacker with existing MITM capabilities could use FTP to bypass validation and view XOXS tokens of victims on the local network. This was related to, and investigated at the same time as, a previous report. This issue is now...
Slack: Stealing xoxs-tokens using weak postMessage / call-popup redirect to current team domain
@fransrosen discovered a vulnerability which would allow an attacker running a malicious site to steal XOXS tokens. We resolved the postMessage and call-popup redirect issues, and performed a thorough investigation to confirm that this had never been exploited. Thanks @fransrosen for an interesti...
HackerOne: Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP
Hi, I just discovered that there's a scenario where the Marketo Forms solution being used on www.hackerone.com can actually be abused, using a few fun techniques, to trigger an XSS in the Cross-Origin-iframe being used by Marketo. This results in eavesdropping of the data being sent in the...
Popular AddThis application has a postMessage XSS vulnerability, a million sites are affected-vulnerability warning-the black bar safety net
AddThis is a web page Share button used by more than one million users. Earlier this year it was found to have XSS vulnerabilities. A previous article described the postMessage API defects, and this article will describe how I identified and then used the AddThis Share...
Google Chrome Blink Serializer::doSerialize Bad Cast
Throughout November, I plan to release details on vulnerabilities I found in web-browsers which I've not released before. This is the ninth entry in that series, and the first to not target a Microsoft browser. The below information is available in more detail on my blog at...
Ebay Cross Site Scripting
Hello all, Description: Persistent DOM based Cross Site Scripting on ebay.com domain. Disclosed to Ebay: January 2015 Fixed: February 2016 Vulnerability location: Every listing Who are able to create: Sellers Same origin policy bypass via postMessage Write-up:...
X (Formerly Twitter): XSS platform.twitter.com
Since you have fixed a few problems with the FlashTransport on platform.twitter.com already, I thought I would also take a look at the JavaScript around it. Problem URL: https://platform.twitter.com/widgets/hub.html Description: The mentioned page opens URLs sent to it via postMessage or...
Windows 2000/XP/2003 win32k.sys SfnINSTRING local kernel Denial of Service Vulnerability
No description provided by source. / Windows 2000/XP/2003 win32k.sys SfnINSTRING local kernel Denial of Service Vulnerability. Affected: Microsoft Windows 2000/XP/2003, fully patched. Author: MJ0011. Published: 2010-04-22. Vulnerability Details: Win32k.sys in DispatchMessage, when the last call to...
CVE-2014-1346
WebKit, as used in Apple Safari before 6.1.4 and 7.x before 7.0.4, does not properly interpret Unicode encoding, which allows remote attackers to spoof a postMessage origin, and bypass intended restrictions on sending a message to a connected frame or window, via crafted characters in a URL...