257 matches found
Magecart Attack Convincingly Hijacks PayPal Transactions at Checkout
Just in time for a busy online holiday shopping season, the Magecart gang has come up with a new credit-card skimming technique for hijacking PayPal transactions during checkout. A security researcher who identifies himself as Affable Kraut discovered the technique, which uses...
Lyst: DOM XSS on http://talks.lystit.com
Description: DOM XSS can be achieved via a postMessage due to an insecure postMessage handler being registered. POC: 1. Visit https://gamer7112.com/lyst1.html 2. Click the link 3. View alert. Vulnerable Code: Located at http://talks.lystit.com/data-saloon-presentation/plugin/notes/notes.html javascri...
BugPoC: DOM based Cross-site Scripting
Summary: The postMessage API is an alternative to JSONP, XHR with CORS headers and other methods enabling sending data between origins. It was introduced with HTML5 and like many other cross-document features it can be a source of client-side vulnerabilities. Steps To Reproduce: Visit -...
BugPoC: Solution for XSS challenge calc.buggywebsite.com
Summary: http://calc.buggywebsite.com/ is an Angular site designed as a calculator. After observing the source code, there is an iframe, frame.html, with the functionality of displaying the data of postMessage in the webpage. js window.addEventListener("message", receiveMessage, false); function...
BugPoC: XSS Challenge #2 Solution
Summary: An attacker can achieve arbitrary JavaScript execution in the context of the user's session on calc.buggywebsite.com. This is possible due to a weak origin check in the message event handler in http://calc.buggywebsite.com/frame.js as well as improper handling of the message data, allowi...
PlayStation: Reflected XSS on transact.playstation.com using postMessage from the opening window
Report Summary: When transact.playstation.com loads it handles messages received from postMessage in the receiveMessageFromTransactClientService method. The only validation that is performed is to ensure that the referrer and origin match: javascript receiveMessageFromTransactClientService:...
Shopify: XSS on polaris.shopify.com/demo using postMessage
Description: It's possible to run arbitrary JS code using https://polaris.shopify.com/demo + postMessage. The following code is from this file, which was formatted using prettier. Demo component: line 381 uses addEventListener to listen for message events; line 401: js componentDidMount...
Lark Technologies: RPC Implementation allows unauthenticated remote calls
It was found that the RPC implementation via postMessage within Lark did not check origin, so an attacker could have potentially performed RPC calls on behalf of a user. We thank @mike12 for reporting this to our team and confirming the resolution...
Mail.ru: User session access due to OAuth whitelist host bypass and postMessage
A destination for postMessage was not properly restricted on connect.mail.ru, allowing cross-site access to session, as was shown for 3k.mail.ru application session. Both connect.mail.ru and 3k.mail.ru belong to Ext.B scope, this scope does not offer a bounty for attacks with client-side vectors on t...
Mail.ru: XSS on https://o2.mail.ru/jsapi/button via PostMessage
DOM XSS in PostMessage handler of o2.mail.ru...
Information Disclosure
cross-domain-local-storage-separately is vulnerable to information disclosure. The buildMessage function in xdLocalStorage.js allows the wildcard as the targetOrigin when calling the postMessage function on the iframe object, allowing any domains with iframe to accept requests from clients...
CVE-2020-11611
An issue was discovered in xdLocalStorage through 2.0.5. The buildMessage function in xdLocalStorage.js specifies the wildcard as the targetOrigin when calling the postMessage function on the iframe object. Therefore any domain that is currently loaded within the iframe can receive the messages...
Design/Logic Flaw
An issue was discovered in xdLocalStorage through 2.0.5. The postData function in xdLocalStoragePostMessageApi.js specifies the wildcard as the targetOrigin when calling the postMessage function on the parent object. Therefore any domain can load the application hosting the "magical iframe" and...
Design/Logic Flaw
An issue was discovered in xdLocalStorage through 2.0.5. The buildMessage function in xdLocalStorage.js specifies the wildcard as the targetOrigin when calling the postMessage function on the iframe object. Therefore any domain that is currently loaded within the iframe can receive the messages...
CVE-2020-11610
CVE-2020-11610 affects xdLocalStorage up to version 2.0.5. The root cause is in the postData() function of xdLocalStoragePostMessageApi.js, which calls postMessage() on the parent with targetOrigin set to the wildcard (*) instead of a specific origin. This allows any domain to load the applicatio...
PlayStation: Authorization Token on PlayStation Network Leaks via postMessage function
Description: After some analysis of how PlayStation Network authentication works, I came across a certain pattern of how authorization tokens are handled. The web application utilizes the postMessage function to exchange authorization tokens between windows/frames. To simplify this, let's follow on one...
CVE-2020-8127
CVE-2020-8127 affects reveal.js 3.9.1 and earlier, where insufficient validation in cross-origin postMessage enables cross-site scripting. Impact is limited to affected reveal.js usage; exploits are not detailed here. Remediation: upgrade to reveal.js 3.9.2 or later. This vulnerability is confirm...
Node.js third-party modules: [reveal.js] XSS by calling arbitrary method via postMessage
I would like to report XSS in reveal.js. It allows gaining access to the victim's account and performing actions on his behalf. Module: module name: reveal.js; version: 3.8.0; npm page: https://www.npmjs.com/package/reveal.js Module Description: A framework for easily creating beautiful presentations...