Alb4don/postMessageProxyInterceptor

Overview

  • The script intercepts the native postMessage API at runtime, acting as a proxy that logs all incoming and outgoing traffic while flagging specific high-risk payloads.
  • To achieve this without compromising the application's state, it preserves a reference to the original window.postMessage method and replaces the global handler with a custom wrapper.
  • Outgoing calls pass through this wrapper, logging the target origin and payload before delegating execution back to the native function using Function.prototype.call.
  • For incoming traffic, an event listener is added during the capture phase, ensuring interception before any application-level handlers can process or modify the event.

Detection Signatures

  • The logging alone provides the necessary visibility into the message bus, but I built specific heuristics into the script to identify actionable vulnerabilities.
  • For outbound traffic, the interceptor inspects string payloads for the presence of access_token being transmitted to an explicit target origin.
  • On the inbound side, it evaluates cross-origin events for a specific DOM injection pattern: a payload whose type property is set to render, accompanied by an html string.
  • When either condition triggers, the script logs a true positive and sets an internal flag indicating sensitive data disclosure.
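The wrapper-plus-capture-listener design and the two signatures above, as an added example that is not the repository's own script. The window object is passed in as a `win` parameter (an assumption made so the code can run outside a browser against the constructed `makeFakeWindow` stand-in); in a real page you would call `installInterceptor(window)`.

```javascript
// Heuristics from the README: outbound string payloads carrying an access_token,
// and inbound cross-origin {type: "render", html: "..."} payloads.
function looksLikeTokenLeak(message, targetOrigin) {
  return typeof message === 'string' && typeof targetOrigin === 'string' &&
    message.includes('access_token');
}

function looksLikeDomInjection(data) {
  return data !== null && typeof data === 'object' &&
    data.type === 'render' && typeof data.html === 'string';
}

// Wraps win.postMessage and registers a capture-phase 'message' listener.
// Returns a findings object whose flags flip to true when a heuristic fires.
function installInterceptor(win, log = console.log) {
  const findings = { outboundTokenLeak: false, inboundDomInjection: false };
  const nativePostMessage = win.postMessage;   // keep the original for delegation

  win.postMessage = function (message, targetOrigin, transfer) {
    log('[out]', targetOrigin, message);
    if (looksLikeTokenLeak(message, targetOrigin)) {
      findings.outboundTokenLeak = true;
      log('[FLAG] access_token sent to', targetOrigin);
    }
    return nativePostMessage.call(win, message, targetOrigin, transfer);
  };

  win.addEventListener('message', (event) => {
    log('[in]', event.origin, event.data);
    if (event.origin !== win.location.origin && looksLikeDomInjection(event.data)) {
      findings.inboundDomInjection = true;
      log('[FLAG] cross-origin render payload from', event.origin);
    }
  }, true);                                    // capture: runs before app handlers

  return findings;
}

// Constructed stand-in for a browser window so the example runs outside a browser.
function makeFakeWindow(origin) {
  const listeners = [], sent = [];
  return {
    location: { origin }, sent, listeners,
    postMessage(message, targetOrigin) { sent.push({ message, targetOrigin }); },
    addEventListener(type, fn, capture) { listeners.push({ type, fn, capture }); },
    dispatch(event) { listeners.forEach((l) => l.type === 'message' && l.fn(event)); },
  };
}
```

Messages still reach the native function after logging, which matches the "diagnostic, not a control" limitation below.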

Use

  • You can inject this snippet directly into the browser console or bundle it into your client-side testing suite before the target application initializes its own message handlers.
  • Because it modifies the global window object, you must deploy it early in the page lifecycle to ensure it wraps the API before any other scripts establish their listeners.

Limitations

  • Keep in mind this is strictly a diagnostic tool rather than a defensive control.
  • It exposes the vulnerability by observing the message payload, but it does not block the transmission or prevent the resulting DOM mutation.
  • Furthermore, relying on basic string matching for tokens means obfuscated payloads might bypass the outbound check, though the structural check for DOM injection remains reliable against standard postMessage-based cross-site scripting vectors.

Disclaimer

  • Use only in environments where you have authorization. The author is not responsible for the illegal use of this script.

About

It exposes insecure cross-origin messaging patterns during client-side security assessments.
