Misunderstood browser APIs are at the core of many web security issues. With the rapid expansion of web APIs, keeping up with security best practices can be challenging. In this post, we'll explore a few common mistakes developers make that lead to modern XSS (Cross-Site Scripting) vulnerabilities. These insights stem from specific vulnerabilities we identified and responsibly disclosed to Replicate and ZoomInfo, which are now patched.

The PostMessage API

PostMessage is a web API that allows scripts from different origins to communicate with each other in a secure manner. However, this security relies heavily on developers implementing proper authorization checks on the receiving side, starting with verifying the sender's origin. Unfortunately, it is all too common for developers to either overlook these checks or implement them incorrectly, leading to vulnerabilities such as XSS.

Introduction

ZoomInfo Chat (formerly InSent.AI) is a conversational marketing platform designed to enhance website engagement and lead generation. It offers real-time, personalized interactions with visitors through AI-driven chatbots and live chat.

The Bug

While testing a site that uses ZoomInfo Chat, we audited the postMessage event handler code and noticed a straightforward DOM XSS vulnerability. However, exploiting it seemed impossible at first. Unlike the common case where developers forget to validate incoming messages altogether (as we discussed in our TikTok vulnerability blog post), ZoomInfo Chat decided to reinvent the way these messages should be…
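To make the "overlooked or incorrectly implemented check" concrete, here is an added example of a postMessage receiver. It is not code from the original post or from any of the vendors mentioned; the trusted origins, the message type "setGreeting" and the handler names are constructed for illustration. It contrasts an exact allowlist match on event.origin with two checks that look reasonable but accept look-alike origins, and it shows the handler validating message shape and writing to textContent rather than to markup.

```javascript
// Added example (not from the original post): a postMessage receiver with an
// origin allowlist, beside two origin checks that look right but are not.

// Constructed allowlist of trusted origins (scheme + host + port, no path).
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://chat.example.com",
]);

// Correct check: exact match against the allowlist. event.origin never
// carries a path, so an exact comparison is both sufficient and strict.
// It rejects http://, other ports, subdomains and look-alike hosts.
function isTrustedOrigin(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Common mistake 1: substring check. Any origin whose string merely
// contains the trusted hostname passes, including hosts an attacker controls.
function weakIndexOfCheck(origin) {
  return origin.indexOf("app.example.com") !== -1;
}

// Common mistake 2: prefix check. "https://app.example.com" is a prefix of
// "https://app.example.com.attacker.test", so that origin passes too.
function weakStartsWithCheck(origin) {
  return origin.startsWith("https://app.example.com");
}

// Handler: reject untrusted origins first, then validate the message shape,
// and only then act. Message fields are treated as text, never as markup,
// code or a navigation target.
function handleMessage(event, ui) {
  if (!isTrustedOrigin(event.origin)) {
    return { handled: false, reason: "untrusted origin" };
  }
  const data = event.data;
  if (!data || typeof data !== "object" || typeof data.type !== "string") {
    return { handled: false, reason: "malformed message" };
  }
  switch (data.type) {
    case "setGreeting": // constructed message type for this example
      if (typeof data.text !== "string") {
        return { handled: false, reason: "malformed message" };
      }
      ui.textContent = data.text; // textContent, not innerHTML
      return { handled: true };
    default:
      return { handled: false, reason: "unknown message type" };
  }
}

// Wire the handler up only when running in a browser; in Node the functions
// above can still be exercised directly with event-like objects.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const greetingEl = document.getElementById("greeting") || document.body;
  window.addEventListener("message", (event) => handleMessage(event, greetingEl));
}
```

The ordering matters: the origin check runs before any field of event.data is touched, so a message from an untrusted window never reaches the parsing or DOM-writing code. When the receiver needs to reply, the same allowlisted value should be passed as the targetOrigin argument of postMessage rather than "*".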
