Blog Archive

Discovering DOM-Based XSS on DeepSeek.com via postMessage Exploitation

While testing https://chat.deepseek.com, I found a DOM XSS vulnerability in the postMessage handler. The function lacked origin validation, allowing arbitrary HTML injection. Using a payload like <script>alert(origin)</script>, I demonstrated the exploit. This highlights critical security risks when message origins aren't properly validated.

How I found DOM XSS via postMessage on Bing.com - Microsoft Bug Bounty

The website Bing.com has message event listeners. I found a feature that listens for postMessage with two arguments to update the User header bar with the user's points badge. The following are the steps I took to find the DOM XSS.