Booksy PostMessage Origin Bypass PoC
Origin: — matches regex booksy.(com|net|pm)$
Steal Access Token (GET_IDENTITY)
Session Fixation (SET_IDENTITY)
Session Destruction (CLEAR_IDENTITY)
Technical Details
Origin: https://xbooksy.com
Gateway regex: /booksy\.(com|net|pm)$/
Match test: "https://xbooksy.com".match(/booksy\.(com|net|pm)$/) → TRUE (bypass!)
The regex is not anchored at the start and is missing a dot before "booksy", so any origin whose host merely ends in "booksy.com" (here the attacker-registered xbooksy.com) passes the check.
Fix: /\.booksy\.(com|net|pm)$/
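An added example, not code from the PoC page or from Booksy: the weak gateway check as described above, beside the page's regex fix and a stricter parsed-origin check, run over a few constructed origins. Function and constant names are assumptions; the strict variant goes beyond the page's one-character fix by also requiring https and accepting the apex domain.

```javascript
// Vulnerable check (as described on the page): no dot before "booksy" and
// nothing anchoring the start, so any host ending in "booksy.com" passes.
const WEAK_ORIGIN_RE = /booksy\.(com|net|pm)$/;
function isTrustedOriginWeak(origin) {
  return WEAK_ORIGIN_RE.test(origin);
}

// The page's proposed fix: require a literal dot before "booksy".
const FIXED_ORIGIN_RE = /\.booksy\.(com|net|pm)$/;
function isTrustedOriginFixed(origin) {
  return FIXED_ORIGIN_RE.test(origin);
}

// Stricter alternative (added here, not the page's fix): parse the origin
// instead of regex-matching a string, insist on https, and allow only the
// listed apex domains or their subdomains. Apex list is an assumption.
const TRUSTED_APEX = ['booksy.com', 'booksy.net', 'booksy.pm'];
function isTrustedOriginStrict(origin) {
  let url;
  try { url = new URL(origin); } catch { return false; } // "null" or garbage
  if (url.protocol !== 'https:') return false;
  const host = url.hostname;
  return TRUSTED_APEX.some(apex => host === apex || host.endsWith('.' + apex));
}

// Hypothetical message-handler shape: reject before touching event.data.
function handleMessage(event, check) {
  if (!check(event.origin)) return { handled: false, reason: 'untrusted origin' };
  return { handled: true, type: event.data && event.data.type };
}

// Run all three checks over one origin (for the constructed samples below).
function evaluate(origin) {
  return {
    weak: isTrustedOriginWeak(origin),
    fixed: isTrustedOriginFixed(origin),
    strict: isTrustedOriginStrict(origin),
  };
}

// Constructed sample origins (not taken from the page, except xbooksy.com).
const SAMPLES = [
  'https://booksy.com',           // apex domain
  'https://app.booksy.com',       // legitimate subdomain
  'https://xbooksy.com',          // the bypass from the PoC
  'https://booksy.com.evil.test', // suffix trick, stopped by the trailing $
  'http://app.booksy.com',        // right host, wrong scheme
  'null',                         // opaque origin (sandboxed iframe, file:)
];
for (const o of SAMPLES) console.log(o, evaluate(o));
```

Note that the page's regex fix still accepts http:// origins and rejects the apex origin https://booksy.com; the parsed-origin variant handles both cases.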