GitBook: [master] one page and 2 assets modified

pentesting-web/postmessage-vulnerabilities.md

@@ -68,6 +68,10 @@ In order to **find event listeners** in the current page you can:
 
 ![](../.gitbook/assets/image%20%28616%29.png)
 
+* **Go to** _Elements --> Event Listeners_ in the developer tools of the browser
+
+![](../.gitbook/assets/image%20%28617%29.png)
+
 * Use a **browser extension** like [**https://github.com/benso-io/posta**](https://github.com/benso-io/posta) or [https://github.com/fransr/postMessage-tracker](https://github.com/fransr/postMessage-tracker). This browser extensions will **intercept all the messages** and show them to you.
 
 ### addEventListener check origin bypasses
@@ -89,6 +93,18 @@ result.message; // "'"<b>\"
 
 `File` object is perfect for this exploit as it has a read-only `name` property which is used by our template and will bypass `escapeHtml` function.
 
+### X-Frame-Header bypass
+
+In order to perform these attacks ideally you will be able to **put the victim web page** inside an `iframe`. But some headers like `X-Frame-Header` can **prevent** that **behaviour**.  
+In those scenarios you can still use a less stealthy attack. You can open a new tab to the vulnerable web application and communicate with it:
+
+```markup
+<script>
+var w=window.open("<url>")
+setTimeout(function(){w.postMessage('text here','*');}, 2000);
+</script>
+```
+
 ### postMessage to Prototype Pollution and/or XSS
 
 In scenarios where the data sent through `postMessage` is executed by JS, you can **iframe** the **page** and **exploit** the **prototype pollution/XSS** sending the exploit via `postMessage`.
@@ -122,4 +138,5 @@ For **more information**:
 ## References
 
 * [https://jlajara.gitlab.io/web/2020/07/17/Dom\_XSS\_PostMessage\_2.html](https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage_2.html)
+* [https://dev.to/karanbamal/how-to-spot-and-exploit-postmessage-vulnerablities-36cd](https://dev.to/karanbamal/how-to-spot-and-exploit-postmessage-vulnerablities-36cd)