Learn & practice AWS Hacking:<imgsrc="/.gitbook/assets/arte.png"alt=""data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<imgsrc="/.gitbook/assets/arte.png"alt=""data-size="line">\
Learn & practice GCP Hacking: <imgsrc="/.gitbook/assets/grte.png"alt=""data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<imgsrc="/.gitbook/assets/grte.png"alt=""data-size="line">](https://training.hacktricks.xyz/courses/grte)
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
Kulingana na hii [**Terjanq writeup**](https://gist.github.com/terjanq/7c1a71b83db5e02253c218765f96a710) hati, nyaraka zilizoundwa kutoka kwa asili za null zimewekwa mbali kwa faida za usalama, ambayo inamaanisha kwamba ikiwa utaendelea kuifanya ukurasa mkuu kuwa na shughuli, ukurasa wa iframe utaanzishwa.
Kimsingi katika changamoto hiyo **iframe iliyotengwa inatekelezwa** na mara **baada** ya **kupakuliwa** ukurasa wa **mzazi** uta **tuma ujumbe wa post** na **bendera**.\
Hata hivyo, mawasiliano ya postmessage hiyo ni **hatari kwa XSS** (**iframe** inaweza kutekeleza msimbo wa JS).
Kwa hivyo, lengo la mshambuliaji ni **kuruhusu mzazi kuunda iframe**, lakini **kabla** ya kuruhusu ukurasa wa **mzazi****kutuma** data nyeti (**bendera**) **uweke busy** na kutuma **payload kwa iframe**. Wakati **mzazi yuko busy****iframe inatekeleza payload** ambayo itakuwa baadhi ya JS itakayokuwa inasikiliza ujumbe wa **postmessage wa mzazi na kuvuja bendera**.\
Hatimaye, iframe imekamilisha payload na ukurasa wa mzazi unakoma kuwa na shughuli, hivyo inatuma bendera na payload inavuja.
Lakini ungeweza vipi kufanya mzazi kuwa **busy mara tu baada ya kuunda iframe na wakati tu inasubiri iframe iwe tayari kutuma data nyeti?** Kimsingi, unahitaji kutafuta **kitendo** cha **async** ambacho unaweza kufanya mzazi **atekeleze**. Kwa mfano, katika changamoto hiyo mzazi alikuwa **akisikiliza****postmessages** kama hii:
hivyo ilikuwa inawezekana kutuma **nambari kubwa katika postmessage** ambayo itakuwa **imebadilishwa kuwa mfuatano** katika kulinganisha hiyo, ambayo itachukua muda:
Na ili kuwa sahihi na **kutuma** hiyo **postmessage** mara tu **iframe** inaundwa lakini **kabla** haijawa **tayari** kupokea data kutoka kwa mzazi, utahitaji **kucheza na milisekunde za `setTimeout`**.
{% hint style="success" %}
Learn & practice AWS Hacking:<imgsrc="/.gitbook/assets/arte.png"alt=""data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<imgsrc="/.gitbook/assets/arte.png"alt=""data-size="line">\
Learn & practice GCP Hacking: <imgsrc="/.gitbook/assets/grte.png"alt=""data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<imgsrc="/.gitbook/assets/grte.png"alt=""data-size="line">](https://training.hacktricks.xyz/courses/grte)
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
