Missing origin check in message handler

Overview

  • Rule ID: javascript_lang_message_handler_origin

  • Applicable Languages: JavaScript

  • Weakness ID: CWE-346

Description

Not verifying the origin of message events can leave your application open to Cross-Site Scripting (XSS) attacks. Any page, regardless of its origin, can post a message to your window, so a handler that acts on `event.data` without confirming where the message came from ends up processing untrusted input as if it had come from a trusted source.

Remediation Guidelines

  • Avoid adding message event listeners without verifying the origin of the messages, as this can expose your application to malicious inputs. For example:

    window.addEventListener('message', (event) => {
      actOnMessage(event.data) // unsafe
    });
    
  • Instead, validate the origin of incoming messages before processing them. Confirm that the message comes from a trusted source by comparing the event's origin (which the browser sets and the sender cannot forge) against a predefined list of allowed origins, using an exact match.

    window.addEventListener('message', (event) => {
      // event.origin is 'scheme://host[:port]'; compare it exactly
      if (event.origin !== 'https://myapp.example.com') {
        throw new Error('invalid origin')
      }

      actOnMessage(event.data)
    })
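
The following is an added example, not code from the original rule page, showing the allowlist check the rule asks for next to a prefix-based check that looks similar but is not sufficient. The origins and the `actOnMessage`-style payload handling are assumed values for illustration.

```javascript
// Exact-match allowlist of trusted origins (assumed values for this example).
const ALLOWED_ORIGINS = new Set([
  'https://myapp.example.com',
  'https://widgets.example.com',
]);

// event.origin is set by the browser as 'scheme://host[:port]' (no path), or the
// string 'null' for opaque origins, so an exact string comparison is the right check.
function isTrustedOrigin(origin, allowed = ALLOWED_ORIGINS) {
  return allowed.has(origin);
}

// A prefix test is a common mistake: it also matches unrelated hosts whose name
// merely starts with the trusted origin. Included only to contrast with the exact check.
function isTrustedOriginPrefix(origin) {
  return origin.startsWith('https://myapp.example.com');
}

// Returns the handler's result, or null when the message was dropped.
function handleMessage(event) {
  if (!isTrustedOrigin(event.origin)) {
    return null; // drop silently; throwing would only surface in the console
  }
  // The origin is trusted, but event.data is still untrusted input: validate its shape.
  const data = event.data;
  if (data === null || typeof data !== 'object' || typeof data.type !== 'string') {
    return null;
  }
  return { handled: data.type, replyTo: event.origin };
}

// Browser wiring, guarded so this module also loads outside a browser.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const result = handleMessage(event);
    // When replying, target the exact origin rather than '*'.
    if (result && event.source) event.source.postMessage({ ok: true }, event.origin);
  });
}

// Constructed stand-ins for MessageEvent objects (not real browser events).
const trustedEvent = { origin: 'https://myapp.example.com', data: { type: 'ping' } };
const lookalikeEvent = { origin: 'https://myapp.example.com.other.test', data: { type: 'ping' } };
const plainHttpEvent = { origin: 'http://myapp.example.com', data: { type: 'ping' } };
const opaqueEvent = { origin: 'null', data: { type: 'ping' } };
```

The lookalike and plain-http events are accepted by the prefix check and rejected by the exact check, which is why the rule asks for a comparison against a fixed list rather than a pattern.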
