| Details | |
|---|---|
| Alert ID | 220008-2 |
| Alert Type | Tool |
| Status | alpha |
| Risk | Medium |
| CWE | 346 |
| WASC | |
| Technologies Targeted | All |
| Tags |
CWE-346 OWASP_2021_A05 OWASP_2025_A02 TOOL_PTK |
Summary
Detects unsafe postMessage usage and message event handling issues (missing origin validation, wildcard targetOrigin, tainted data flowing into DOM/code sinks).
Generated by OWASP PTK SAST Module
Solution
• Always specify an exact targetOrigin and validate event.origin against a strict allow-list (exact match) before trusting event.data. • Sanitize or validate structured payloads before invoking DOM APIs or dynamic execution sinks. • Avoid propagating messages into navigation, cookie, or script sinks without proper verification.Other Info
References
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/11-Testing_Web_Messaging
- https://cwe.mitre.org/data/definitions/346.html