semgrep.dev (54.203.137.166) Public Scan

Submitted URL: https://sg.run/PJ4p
Effective URL: https://semgrep.dev/r/javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configurat...
Submission: On June 05 via manual from RU — Scanned from DE

Text Content

javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration
warning
The target origin of the window.postMessage() API is set to "*". This could allow information disclosure, since any origin is allowed to receive the message.
by r2c

Tag - sha256:62cb1efccde41866c23d098b95b1d6292b296c10de19a93d837f85910118e79f
RULE
rules:
  - id: wildcard-postmessage-configuration
    message: The target origin of the window.postMessage() API is set to "*". This
      could allow for information disclosure due to the possibility of any
      origin allowed to receive the message.
    metadata:
      owasp:
        - A08:2021 - Software and Data Integrity Failures
      cwe:

TEST CODE

// Sample payload that should only reach a window the sender trusts.
let data = { pName: "Bob", pAge: "35" };
var popup = window.open(/* popup details */);

// Target origin "*": whatever document is loaded in the popup receives the data.
//ruleid:wildcard-postmessage-configuration
popup.postMessage(data, '*');
//ruleid:wildcard-postmessage-configuration
popup.postMessage(JSON.stringify(data), '*');

//postMessage Safe Usage

Source for rule: https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures
License: Commons Clause License Condition v1.0 [LGPL-2.1-only]