- Notice that the home page contains an event listener that listens for a web message. This event listener expects a string that is parsed using JSON.parse(). In the JavaScript, we can see that the event listener expects a type property and that the load-channel case of the switch statement changes the iframe src attribute.
- Go to the exploit server and add the following iframe to the body, remembering to replace YOUR-LAB-ID with your lab ID:

  <iframe src=https://YOUR-LAB-ID.web-security-academy.net/ onload='this.contentWindow.postMessage("{\"type\":\"load-channel\",\"url\":\"javascript:print()\"}","*")'>

- Store the exploit and deliver it to the victim.
When the iframe we constructed loads, the postMessage() call sends a web message to the home page with the type load-channel. The event listener receives the message and parses it using JSON.parse() before passing the result to the switch.
The switch triggers the load-channel case, which assigns the url property of the message to the src attribute of the ACMEplayer.element iframe. In this case, however, the url property of the message contains our JavaScript payload rather than a channel URL.
The second argument to postMessage(), "*", means the message is delivered whatever the origin of the framed page, and the event handler never checks event.origin, so the attacker-supplied url is assigned to the src of the ACMEplayer.element iframe. Navigating that iframe to a javascript: URL executes the script in the context of the vulnerable site, so print() runs when the victim's browser loads the exploit page. The two defects to note are the missing event.origin check and the use of an untrusted string as a URL without restricting it to an allowed scheme and host; either one alone would have stopped this payload.
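The listener described above, modelled as an added example that is not the lab's own source code, alongside a hardened version. It runs in Node against a stand-in iframe object so the assignment to src can be inspected; the handler function names, the allow-listed host and the exploit-server origin are assumptions made for the demo, as is the behaviour of ignoring non-JSON messages.

```javascript
// Added example: a model of the vulnerable web-message handler from the
// write-up and a hardened counterpart. Not the lab's own code; the names
// and sample origins below are assumptions for the demo.

// Stand-in for the ACMEplayer.element iframe so the code runs outside a browser.
function makeFakeIframe() {
  return { src: 'about:blank' };
}

// Vulnerable listener as the write-up describes it: no event.origin check,
// JSON.parse of the message body, and msg.url copied straight into iframe.src.
// Returns true when it assigned src, so the effect can be checked.
function makeVulnerableHandler(iframe) {
  return function (event) {
    let msg;
    try {
      msg = JSON.parse(event.data);
    } catch (e) {
      return false; // assumed: non-JSON messages are ignored
    }
    switch (msg.type) {
      case 'load-channel':
        iframe.src = msg.url; // attacker-controlled; javascript: scheme accepted
        return true;
      default:
        return false;
    }
  };
}

// Hardened listener: verify the sender's origin, then accept only absolute
// https URLs whose host is on an allow-list before touching iframe.src.
function makeHardenedHandler(iframe, allowedOrigin, allowedHosts) {
  return function (event) {
    if (event.origin !== allowedOrigin) return false;
    let msg;
    try {
      msg = JSON.parse(event.data);
    } catch (e) {
      return false;
    }
    if (msg.type !== 'load-channel' || typeof msg.url !== 'string') return false;
    let parsed;
    try {
      parsed = new URL(msg.url); // throws on relative or malformed input
    } catch (e) {
      return false;
    }
    if (parsed.protocol !== 'https:' || !allowedHosts.includes(parsed.hostname)) {
      return false; // rejects javascript:, data:, and unknown hosts
    }
    iframe.src = parsed.href;
    return true;
  };
}

// The exploit message from the write-up, produced with JSON.stringify so the
// quoting matches the hand-escaped string in the iframe onload attribute.
function buildExploitMessage() {
  return JSON.stringify({ type: 'load-channel', url: 'javascript:print()' });
}

// Constructed sample events standing in for MessageEvent objects.
const SITE_ORIGIN = 'https://YOUR-LAB-ID.web-security-academy.net';
const attackerEvent = { origin: 'https://exploit-server.example', data: buildExploitMessage() };
const sameOriginJsEvent = { origin: SITE_ORIGIN, data: buildExploitMessage() };
const legitEvent = {
  origin: SITE_ORIGIN,
  data: JSON.stringify({ type: 'load-channel', url: 'https://cdn.example/channel1' }),
};

// Runs each handler against the sample events and reports the resulting src.
function demo() {
  const vulnFrame = makeFakeIframe();
  const vulnHandled = makeVulnerableHandler(vulnFrame)(attackerEvent);

  const hardFrame = makeFakeIframe();
  const hardened = makeHardenedHandler(hardFrame, SITE_ORIGIN, ['cdn.example']);
  const crossOriginHandled = hardened(attackerEvent);   // wrong origin
  const jsSchemeHandled = hardened(sameOriginJsEvent);  // right origin, bad scheme
  const srcAfterRejects = hardFrame.src;
  const legitHandled = hardened(legitEvent);

  return {
    vulnHandled, vulnSrc: vulnFrame.src,
    crossOriginHandled, jsSchemeHandled, srcAfterRejects,
    legitHandled, legitSrc: hardFrame.src,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The vulnerable handler happily sets src to javascript:print() for a message from any origin; the hardened one refuses the cross-origin message outright, refuses the same payload even from the correct origin because of the scheme check, and only assigns src for an https URL on the allow-listed host.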