diff --git a/.gitbook/assets/image (617).png b/.gitbook/assets/image (617).png index 367ddebed..cac104ed8 100644 Binary files a/.gitbook/assets/image (617).png and b/.gitbook/assets/image (617).png differ diff --git a/.gitbook/assets/image (618).png b/.gitbook/assets/image (618).png new file mode 100644 index 000000000..367ddebed Binary files /dev/null and b/.gitbook/assets/image (618).png differ diff --git a/pentesting-web/postmessage-vulnerabilities.md b/pentesting-web/postmessage-vulnerabilities.md index 92cf4889f..24fbf491e 100644 --- a/pentesting-web/postmessage-vulnerabilities.md +++ b/pentesting-web/postmessage-vulnerabilities.md @@ -68,6 +68,10 @@ In order to **find event listeners** in the current page you can: ![](../.gitbook/assets/image%20%28616%29.png) +* **Go to** _Elements --> Event Listeners_ in the developer tools of the browser + +![](../.gitbook/assets/image%20%28617%29.png) + * Use a **browser extension** like [**https://github.com/benso-io/posta**](https://github.com/benso-io/posta) or [https://github.com/fransr/postMessage-tracker](https://github.com/fransr/postMessage-tracker). This browser extensions will **intercept all the messages** and show them to you. ### addEventListener check origin bypasses 
@@ -89,6 +93,18 @@ result.message; // "'"\" `File` object is perfect for this exploit as it has a read-only `name` property which is used by our template and will bypass `escapeHtml` function. +### X-Frame-Header bypass + +In order to perform these attacks ideally you will be able to **put the victim web page** inside an `iframe`. But some headers like `X-Frame-Header` can **prevent** that **behaviour**. +In those scenarios you can still use a less stealthy attack. You can open a new tab to the vulnerable web application and communicate with it: + +```markup + +``` + ### postMessage to Prototype Pollution and/or XSS In scenarios where the data sent through `postMessage` is executed by JS, you can **iframe** the **page** and **exploit** the **prototype pollution/XSS** sending the exploit via `postMessage`. @@ -122,4 +138,5 @@ For **more information**: ## References * [https://jlajara.gitlab.io/web/2020/07/17/Dom\_XSS\_PostMessage\_2.html](https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage_2.html) +* [https://dev.to/karanbamal/how-to-spot-and-exploit-postmessage-vulnerablities-36cd](https://dev.to/karanbamal/how-to-spot-and-exploit-postmessage-vulnerablities-36cd)
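Review bot: in the `@@ -68,6 +68,10 @@` hunk the new bullet `Go to Elements --> Event Listeners` embeds `image (617).png`, but the binary hunks at the top of the patch overwrite the existing `image (617).png` with new content and move its old content to a brand-new `image (618).png`; any page that already embedded `image (617).png` will now silently display the DevTools screenshot, and this diff updates no such reference. Either add the new screenshot as `image (618).png` and leave 617 untouched, or include the corresponding updates to the pages that referenced the old image. The Elements --> Event Listeners pane is also a Chromium DevTools path, so name the browser in the bullet (Firefox exposes listeners through the `event` badge next to the element in the Inspector instead).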
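Review bot: in the `@@ -89,6 +93,18 @@` hunk the header that blocks framing is `X-Frame-Options`, not `X-Frame-Header`; rename the heading `### X-Frame-Header bypass` and the sentence `But some headers like X-Frame-Header can prevent that behaviour`, and mention that a CSP `frame-ancestors` directive has the same effect and takes precedence over `X-Frame-Options` in current browsers. The ```` ```markup ```` fence that should show how to open the victim in a new tab and message it is empty in this hunk, so the section ends at `communicate with it:` with no example; it needs the snippet, for instance `var w = window.open('https://victim.example/', '_blank');` followed by `w.postMessage(payload, '*');` sent after a delay (`setTimeout`), since the opener cannot observe a cross-origin window's load event, and note that `window.open` without a user gesture is normally popup-blocked, which is why the text calls this the less stealthy option.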
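Review bot: in the `@@ -122,4 +138,5 @@` hunk the new dev.to entry is appended to `## References`, but nothing in the newly added section cites it; if it is the source of the new-tab technique, link it inline from that section as the page does for the other reference, and confirm that the slug `how-to-spot-and-exploit-postmessage-vulnerablities-36cd` (note the spelling of "vulnerablities") is the real URL and resolves before merging.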