Skip to content

Create fsdvsdfv.html#64

Open
maekuss wants to merge 1 commit into
mainfrom
maekuss-patch-30
Open

Create fsdvsdfv.html#64
maekuss wants to merge 1 commit into
mainfrom
maekuss-patch-30

Conversation

@maekuss

@maekuss maekuss commented Jul 11, 2026

Copy link
Copy Markdown
Owner

No description provided.

@hacktron-app hacktron-app Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 1 file

Severity Count
HIGH 1

View full scan results

Comment thread fsdvsdfv.html
Comment on lines +30 to +37
window.addEventListener('message', (event) => {
// Shows the origin but FAILS to validate it (critical bug)
document.getElementById('origin').textContent = 'Last message origin: ' + event.origin;

// Dangerous sink: direct innerHTML assignment of untrusted data
const incoming = typeof event.data === 'string' ? event.data : JSON.stringify(event.data);
document.getElementById('output').innerHTML = incoming;
});

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH DOM-based Cross-Site Scripting (XSS) via Unvalidated postMessage Listener

The application registers a message event listener that does not validate the origin of incoming messages and directly renders the message payload into the DOM using the dangerous innerHTML sink.

An attacker can host a malicious website that opens testerror/fsdvsdfv.html in an iframe or popup and sends a crafted postMessage containing malicious HTML/JavaScript. Because there is no validation of event.origin and the payload is assigned directly to innerHTML without sanitization, this results in DOM-based Cross-Site Scripting (XSS). This allows the attacker to execute arbitrary JavaScript in the context of the domain hosting fsdvsdfv.html.

While this file is marked as a security demonstration, deploying it to any web-accessible environment exposes the hosting origin to cross-site scripting attacks, which can be used to access cookies, local storage, or perform actions on behalf of users on that same origin.

Steps to Reproduce
  1. Host the following HTML on an attacker-controlled domain (e.g., http://attacker.com):
<!DOCTYPE html>
<html>
<body>
  <script>
    const win = window.open('https://target-domain.com/testerror/fsdvsdfv.html');
    setTimeout(() => {
      win.postMessage('<img src=x onerror="alert(document.domain)">', '*');
    }, 1000);
  </script>
</body>
</html>
  1. Open the attacker's page in a browser.
  2. Observe that the target page at https://target-domain.com/testerror/fsdvsdfv.html is opened, and an alert dialog showing the target domain is triggered, demonstrating successful DOM-based Cross-Site Scripting (XSS).
Fix with AI

Open in Cursor Open in Claude

A security vulnerability was found by Hacktron.

File: fsdvsdfv.html
Lines: 30-37
Severity: high

Vulnerability: DOM-based Cross-Site Scripting (XSS) via Unvalidated postMessage Listener

Description:
The application registers a `message` event listener that does not validate the origin of incoming messages and directly renders the message payload into the DOM using the dangerous `innerHTML` sink. 

An attacker can host a malicious website that opens `testerror/fsdvsdfv.html` in an iframe or popup and sends a crafted `postMessage` containing malicious HTML/JavaScript. Because there is no validation of `event.origin` and the payload is assigned directly to `innerHTML` without sanitization, this results in DOM-based Cross-Site Scripting (XSS). This allows the attacker to execute arbitrary JavaScript in the context of the domain hosting `fsdvsdfv.html`.

While this file is marked as a security demonstration, deploying it to any web-accessible environment exposes the hosting origin to cross-site scripting attacks, which can be used to access cookies, local storage, or perform actions on behalf of users on that same origin.

Proof of Concept:
**Steps to Reproduce**

1. Host the following HTML on an attacker-controlled domain (e.g., http://attacker.com):
```html
<!DOCTYPE html>
<html>
<body>
  <script>
    const win = window.open('https://target-domain.com/testerror/fsdvsdfv.html');
    setTimeout(() => {
      win.postMessage('<img src=x onerror="alert(document.domain)">', '*');
    }, 1000);
  </script>
</body>
</html>
```
2. Open the attacker's page in a browser.
3. Observe that the target page at `https://target-domain.com/testerror/fsdvsdfv.html` is opened, and an alert dialog showing the target domain is triggered, demonstrating successful DOM-based Cross-Site Scripting (XSS).

Affected Code:
    window.addEventListener('message', (event) => {
      // Shows the origin but FAILS to validate it (critical bug)
      document.getElementById('origin').textContent = 'Last message origin: ' + event.origin;

      // Dangerous sink: direct innerHTML assignment of untrusted data
      const incoming = typeof event.data === 'string' ? event.data : JSON.stringify(event.data);
      document.getElementById('output').innerHTML = incoming;
    });

Acceptance criteria:
- Acceptance is defined by the **actual reported behavior**, not by tests passing.
- Reproduce the issue, or narrow the exact code path that produces it, *before* changing code. State what you confirmed.
- Fix the underlying cause. Mitigations that paper over the reported behavior do not count as a fix.
- Add a regression test that fails on the unpatched code and passes on the fix. If a regression test is genuinely impractical (e.g. race condition, infra-level issue), say so and explain why.
- Existing tests passing is **not** the bar. Do not declare done on tests-pass theatre.

Only change what is necessary to fix this vulnerability. Do not refactor adjacent code or modify unrelated files.

Triage: Reply !fp <reason> (false positive), !valid (confirmed), !accepted_risk <reason>, or !fixed (resolved). Any other reply is saved as a triage note.
Reason is optional but improves future scans — e.g. !fp internal endpoint, not user-facing.

View finding in Hacktron

@hacktron-app-stg hacktron-app-stg Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 1 file

Severity Count
HIGH 1

View full scan results

Comment thread fsdvsdfv.html
Comment on lines +30 to +37
window.addEventListener('message', (event) => {
// Shows the origin but FAILS to validate it (critical bug)
document.getElementById('origin').textContent = 'Last message origin: ' + event.origin;

// Dangerous sink: direct innerHTML assignment of untrusted data
const incoming = typeof event.data === 'string' ? event.data : JSON.stringify(event.data);
document.getElementById('output').innerHTML = incoming;
});

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HIGH DOM-based Cross-Site Scripting (XSS) via Unvalidated postMessage in fsdvsdfv.html

The newly introduced file fsdvsdfv.html registers a global message event listener that fails to validate the origin of incoming messages (event.origin). It then takes the untrusted message payload (event.data) and directly assigns it to the DOM using the dangerous innerHTML sink.

While this repository is structured as an educational sandbox to demonstrate insecure postMessage patterns, deploying this file to a web origin exposes that origin to DOM-based Cross-Site Scripting (XSS). An attacker hosting a malicious site can open this page (e.g., in an iframe or via window.open) and send a malicious payload containing executable HTML/JS, which will execute in the context of the vulnerable page's origin. This can lead to session hijacking, data theft, or unauthorized actions if other applications share the same origin.

Steps to Reproduce
  1. Host fsdvsdfv.html on a target origin (e.g., https://victim.example/fsdvsdfv.html).
  2. From an attacker-controlled origin, execute the following JavaScript:
const win = window.open('https://victim.example/fsdvsdfv.html');
setTimeout(() => {
  win.postMessage('<img src=x onerror="alert(document.domain)">', '*');
}, 1000);
  1. The script executes the injected payload in the victim's origin context.
Fix with AI

Open in Cursor Open in Claude

A security vulnerability was found by Hacktron.

File: fsdvsdfv.html
Lines: 30-37
Severity: high

Vulnerability: DOM-based Cross-Site Scripting (XSS) via Unvalidated postMessage in fsdvsdfv.html

Description:
The newly introduced file `fsdvsdfv.html` registers a global `message` event listener that fails to validate the origin of incoming messages (`event.origin`). It then takes the untrusted message payload (`event.data`) and directly assigns it to the DOM using the dangerous `innerHTML` sink. 

While this repository is structured as an educational sandbox to demonstrate insecure `postMessage` patterns, deploying this file to a web origin exposes that origin to DOM-based Cross-Site Scripting (XSS). An attacker hosting a malicious site can open this page (e.g., in an iframe or via `window.open`) and send a malicious payload containing executable HTML/JS, which will execute in the context of the vulnerable page's origin. This can lead to session hijacking, data theft, or unauthorized actions if other applications share the same origin.

Proof of Concept:
1. Host `fsdvsdfv.html` on a target origin (e.g., `https://victim.example/fsdvsdfv.html`).
2. From an attacker-controlled origin, execute the following JavaScript:
```javascript
const win = window.open('https://victim.example/fsdvsdfv.html');
setTimeout(() => {
  win.postMessage('<img src=x onerror="alert(document.domain)">', '*');
}, 1000);
```
3. The script executes the injected payload in the victim's origin context.

Affected Code:
    window.addEventListener('message', (event) => {
      // Shows the origin but FAILS to validate it (critical bug)
      document.getElementById('origin').textContent = 'Last message origin: ' + event.origin;

      // Dangerous sink: direct innerHTML assignment of untrusted data
      const incoming = typeof event.data === 'string' ? event.data : JSON.stringify(event.data);
      document.getElementById('output').innerHTML = incoming;
    });

Acceptance criteria:
- Acceptance is defined by the **actual reported behavior**, not by tests passing.
- Reproduce the issue, or narrow the exact code path that produces it, *before* changing code. State what you confirmed.
- Fix the underlying cause. Mitigations that paper over the reported behavior do not count as a fix.
- Add a regression test that fails on the unpatched code and passes on the fix. If a regression test is genuinely impractical (e.g. race condition, infra-level issue), say so and explain why.
- Existing tests passing is **not** the bar. Do not declare done on tests-pass theatre.

Only change what is necessary to fix this vulnerability. Do not refactor adjacent code or modify unrelated files.

Triage: Reply !fp <reason> (false positive), !valid (confirmed), !accepted_risk <reason>, or !fixed (resolved). Any other reply is saved as a triage note.
Reason is optional but improves future scans — e.g. !fp internal endpoint, not user-facing.

View finding in Hacktron

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant