javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration

Author: semgrep
Download count: 4,575

The target origin of the window.postMessage() API is set to "*". This could allow for information disclosure, because a wildcard target origin lets a window at any origin receive the message.

Definition

rules:
  - id: wildcard-postmessage-configuration
    message: The target origin of the window.postMessage() API is set to "*". This
      could allow for information disclosure due to the possibility of any
      origin allowed to receive the message.
    metadata:
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      cwe:
        - "CWE-345: Insufficient Verification of Data Authenticity"
      category: security
      technology:
        - browser
      subcategory:
        - audit
      likelihood: HIGH
      impact: MEDIUM
      confidence: MEDIUM
      references:
        - https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    languages:
      - javascript
      - typescript
    severity: WARNING
    pattern: $OBJECT.postMessage(...,'*')

Examples

wildcard-postmessage-configuration.js

let data={pName : "Bob", pAge: "35"};
var popup = window.open(/* popup details */);

//ruleid:wildcard-postmessage-configuration
popup.postMessage(data, '*');
//ruleid:wildcard-postmessage-configuration
popup.postMessage( JSON.stringify( data ), '*' );

//postMessage Safe Usage: an explicit target origin; the browser drops the message if the popup is not at that origin
popup.postMessage("hello there!", "http://domain.tld");
// The target origin must be an absolute URL (its origin is used); a bare host path such as 'semgrep.dev/editor' throws a SyntaxError in browsers
popup.postMessage( JSON.stringify( data ), 'https://semgrep.dev/editor');
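The rule only flags the sender side. As an added example that is not part of the Semgrep rule or its test fixture, the wrapper below (hypothetical names `toOrigin`, `sendToWindow`, `makeMessageHandler`) refuses a wildcard target origin, normalises the target to a proper origin, and pairs it with a receiver that checks `event.origin` against an allow-list before trusting `event.data`. It runs in Node or a browser; the window object is whatever is passed in.

```javascript
// Added example, not the page's own code. Names below are assumed.
// Sender side: never accept '*' and always pass a normalised origin
// (scheme + host + port) so the browser can enforce delivery.
function toOrigin(targetOrigin) {
  if (targetOrigin === '*') {
    throw new Error('refusing wildcard target origin for postMessage');
  }
  let url;
  try {
    url = new URL(targetOrigin);           // rejects 'semgrep.dev/editor' etc.
  } catch (e) {
    throw new Error('invalid target origin: ' + targetOrigin);
  }
  if (url.origin === 'null') {             // e.g. data: or blob: URLs
    throw new Error('target has no usable origin: ' + targetOrigin);
  }
  return url.origin;                       // 'https://semgrep.dev/editor' -> 'https://semgrep.dev'
}

function sendToWindow(targetWindow, data, targetOrigin) {
  const origin = toOrigin(targetOrigin);
  // The browser delivers only if targetWindow's document is at `origin`;
  // otherwise the message is silently dropped instead of leaking.
  targetWindow.postMessage(data, origin);
  return origin;
}

// Receiver side: restricting the sender does not protect the listener, so
// every incoming message is checked against an allow-list of origins.
function makeMessageHandler(allowedOrigins, onMessage) {
  const allowed = new Set(allowedOrigins.map(toOrigin));
  return function handle(event) {
    if (!allowed.has(event.origin)) {
      return false;                        // unknown origin: ignore event.data
    }
    onMessage(event.data, event.origin);
    return true;
  };
}

// Constructed stand-in for a popup window so the example runs outside a browser.
const sentMessages = [];
const fakePopup = { postMessage: (d, o) => sentMessages.push({ data: d, origin: o }) };
sendToWindow(fakePopup, { pName: 'Bob' }, 'https://semgrep.dev/editor');
```

In a real page the handler is registered with `window.addEventListener('message', makeMessageHandler(['https://semgrep.dev'], onMessage))`.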