diff --git a/src/pentesting-web/xss-cross-site-scripting/README.md b/src/pentesting-web/xss-cross-site-scripting/README.md index 6e9b3a06547..0929162f25f 100644 --- a/src/pentesting-web/xss-cross-site-scripting/README.md +++ b/src/pentesting-web/xss-cross-site-scripting/README.md @@ -1644,6 +1644,35 @@ function handleResponse() { ``` +### PostMessage-origin script loaders (opener-gated) + +If a page **stores `event.origin` from a `postMessage` and later concatenates it into a script URL**, the sender controls the **origin** of the loaded JS: + +```javascript +window.addEventListener('message', (event) => { + if (event.data.msg_type === 'IWL_BOOTSTRAP') { + localStorage.setItem('CFG', {host: event.origin, pixelID: event.data.pixel_id}); + startIWL(); // later loads `${host}/sdk/${pixelID}/iwl.js` + } +}); +``` + +Exploitation recipe (from CAPIG): + +- **Gates**: fires only when `window.opener` exists and `pixel_id` is allowlisted; **origin is never checked**. +- **Use CSP-allowed origin**: pivot to a domain already permitted by the victim CSP (e.g., logged-out help pages allowing analytics like `*.THIRD-PARTY.com`) and host `/sdk//iwl.js` there via takeover/XSS/upload. +- **Restore `opener`**: in Android WebView, `window.name='x'; window.open(target,'x')` makes the page its own opener; send the malicious `postMessage` from a hijacked iframe. +- **Trigger**: the iframe posts `{msg_type:'IWL_BOOTSTRAP', pixel_id:}`; the parent then loads attacker `iwl.js` from the CSP-allowed origin and runs it. + +This turns origin-less `postMessage` validation into a **remote script loader primitive** that survives CSP if you can land on any origin already allowed by the policy. + +### Supply-chain stored XSS via backend JS concatenation + +When a backend **builds a shared SDK by concatenating JS strings with user-controlled values**, any quote/structure breaker can inject script that is served to every consumer: + +- Example pattern (Meta CAPIG): server appends `cbq.config.set("","IWLParameters",{params: });` directly into `capig-events.js`. +- Injecting `'` or `"]}` closes the literal/object and adds attacker JS, creating **stored XSS** in the distributed SDK for every site that loads it (first-party and third-party). + ### Abusing Service Workers @@ -2006,5 +2035,6 @@ other-js-tricks.md - [HackerOne Report #2902856 - Nextcloud Mail List-Unsubscribe SSRF](https://hackerone.com/reports/2902856) - [From "Low-Impact" RXSS to Credential Stealer: A JS-in-JS Walkthrough](https://r3verii.github.io/bugbounty/2025/08/25/rxss-credential-stealer.html) - [MDN eval()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) +- [CAPIG XSS: postMessage origin trust becomes a script loader + backend JS concatenation enables supply-chain stored XSS](https://ysamm.com/uncategorized/2026/01/13/capig-xss.html) {{#include ../../banners/hacktricks-training.md}}