PostMessage
Writeups
https://labs.detectify.com/security-guidance/the-pitfalls-of-postmessage/ https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage https://trustfoundry.net/2024/07/30/a-quick-introduction-to-postmessage-xss/ https://www.yeswehack.com/learn-bug-bounty/introduction-postmessage-vulnerabilities https://hackerone.com/reports/900619 https://book.hacktricks.xyz/pentesting-web/postmessage-vulnerabilities https://hackerone.com/reports/231053 https://hackerone.com/reports/576532 https://hackerone.com/reports/1567186 https://hackerone.com/reports/1031644 https://hackerone.com/reports/217745 https://hackerone.com/reports/423218 https://rhynorater.github.io/postMessage-Braindump https://vinothkumar.me/20000-facebook-dom-xss/ https://ndevtk.github.io/writeups/2023/08/18/extensions/ https://web.archive.org/web/20211016075506/https://insight.claranet.co.uk/technical-blogs/hunting-postmessage-vulnerabilities https://medium.com/bored-engineer/xss-on-account-leagueoflegends-com-via-easyxdm-2016-75bcf9d582b5
Videos
https://www.youtube.com/watch?v=dCco6bZhUd0 https://youtu.be/6731qvqBlCE?t=2435 https://www.youtube.com/watch?v=KGsktwaxsKU
Extension
https://github.com/fransr/postMessage-tracker
Labs
https://html5.digi.ninja/ https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages-and-a-javascript-url https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages-and-json-parse
Credits: https://x.com/Heli__9