🕹 Game Answer
In the last issue, I added a poll about finding flawed postMessage origin checks. There were three options:
1. `event.origin == "https://example.com"`
2. `event.origin == window.origin`
3. `/^https:\/\/example.com$/.test(event.origin)`
The correct answer is the second one. Most voters picked the third option because the regex doesn't escape the dot. The unescaped dot (.) matches any single character except a newline, which is an issue I have exploited many times; in this case, though, it doesn't help.
Let’s go through each option briefly.
First Option
This is safe, and there isn't much to say about it. Unless you have a browser 0day in how it parses the URL and extracts the origin, or you can actually send a postMessage from the https://example.com origin, there's nothing much you can do about it.
Second Option
This is the flawed option. It turns out we can force both values to become null, resulting in the check null == null. We achieve this using the sandbox attribute of the iframe element. We need to frame both our malicious page (the sender) and the target page within sandboxed iframes.
Third Option
If we changed the regex from /^https:\/\/example.com$/ to /^https:\/\/subdomain.example.com$/, this would be a valid answer, as we could register subdomainxexample.com to achieve a bypass. However, that is not the case here, and unfortunately, we cannot register examplexcom. If we could, I would be filing many reports today.
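To make the second and third options concrete, here is an added example that is not from the newsletter: the `window.origin` comparison beside a hardened allowlist check, and the unescaped-dot regexes beside an escaped one. Origins are passed in as plain strings so the logic runs outside a browser; in a real page the values come from the MessageEvent and `window.origin`. The allowlist containing only https://example.com and the sample events are constructed for the example.

```javascript
// Added example (not the newsletter's code): the flawed checks from options two
// and three next to hardened versions, runnable outside a browser.

// Browsers serialize an opaque origin (for example a sandboxed iframe without
// allow-same-origin) as the string "null". That is the value the newsletter
// refers to as null on both sides of option two.
const OPAQUE_ORIGIN = "null";

// Option two as written: trusts any sender whose origin equals our own.
function looseCheck(eventOrigin, selfOrigin) {
  return eventOrigin == selfOrigin;
}

// Hardened: compare against a fixed allowlist with ===, and never accept an
// opaque origin, even if our own origin happens to be opaque.
const ALLOWED_ORIGINS = new Set(["https://example.com"]); // assumption: the one trusted origin
function strictCheck(eventOrigin) {
  if (typeof eventOrigin !== "string" || eventOrigin === OPAQUE_ORIGIN) return false;
  return ALLOWED_ORIGINS.has(eventOrigin);
}

// A handler that reports what each check would decide for one MessageEvent.
function handleMessage(ev, selfOrigin) {
  return {
    loose: looseCheck(ev.origin, selfOrigin),
    strict: strictCheck(ev.origin),
  };
}

// Constructed sample events: normal sender, foreign sender, both sides sandboxed.
const SAMPLE_EVENTS = [
  { label: "same-origin sender", ev: { origin: "https://example.com" }, selfOrigin: "https://example.com" },
  { label: "foreign origin", ev: { origin: "https://other.example" }, selfOrigin: "https://example.com" },
  { label: "both sides sandboxed", ev: { origin: OPAQUE_ORIGIN }, selfOrigin: OPAQUE_ORIGIN },
];

function runSamples() {
  return SAMPLE_EVENTS.map((s) => ({ label: s.label, ...handleMessage(s.ev, s.selfOrigin) }));
}

// Option three: the unescaped dot. For the apex domain it only matches
// hostnames such as "examplexcom" that cannot be registered, so it holds up;
// for a subdomain the same mistake admits a registrable sibling hostname.
const APEX_UNESCAPED = /^https:\/\/example.com$/;
const SUB_UNESCAPED = /^https:\/\/subdomain.example.com$/;
const SUB_ESCAPED = /^https:\/\/subdomain\.example\.com$/;

function regexCheck(re, origin) {
  return typeof origin === "string" && re.test(origin);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runSamples()) console.log(r);
  console.log("unescaped subdomain regex accepts look-alike:",
    regexCheck(SUB_UNESCAPED, "https://subdomainxexample.com"));
  console.log("escaped subdomain regex accepts look-alike:",
    regexCheck(SUB_ESCAPED, "https://subdomainxexample.com"));
}
```

The strict check rejects the opaque origin outright rather than relying on the page's own origin being non-opaque, and the escaped regex keeps the `^` and `$` anchors so that a hostname merely containing the trusted name does not pass.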
Readings
Here are a few links I highly suggest you read to understand more about iframes and their quirks:
🔥 Top Picks
If you're looking for an excellent blog on AI hacking, this is the one. EmbraceTheRed is outstanding. This post will give you a solid grasp of what AI hacking is, how it works, and its impacts.
If you want a quick but intense ride through React internals, and even want to understand some past vulnerabilities, this is the one. I enjoy everything Huli posts and how deeply he dives into his research.
Did you know you can also submit content you think belongs on BugBountyDaily?
🕰 Old But Gold
Now, if you want a long and intense ride, this is the one. It's a three-part series on browser exploitation, and I can't say much other than you must read it to understand the beast of code we use and trust every day. I hope this excites people about finding bugs in it, because it's impossible for something this big not to have many.
