All news with #xss tag

postMessage Risks: Token Exposure and Trust Boundaries

🔒 MSRC presents a deep dive into misconfigured postMessage handlers across Microsoft services and the systemic risk posed by overly permissive trust models. The report, authored by Jhilakshi Sharma on August 25, 2025, documents token exfiltration, XSS, and cross-tenant impact in real-world case studies including Bing Travel, web.kusto.windows.net, and Teams apps. It summarizes mitigations such as removing vulnerable packages, tightening Teams app manifests, enforcing strict origin checks for postMessage, and applying CSP constraints to reduce attack surface.