postMessage() IV

Bookmarked!

This exercise covers how insecure calls to the JavaScript function postMessage() can be used to leak sensitive information when a listener does not filter the Origin and X-Frame-Options is used

PRO Medium < 1 Hr. 986 Orange Badge

Course

This course details the exploitation of an application using <code>addEventListener()</code> without verifying the origin of the message. By leveraging this vulnerability, you can get an administrator to leak confidential information via the "Sharing" functionality.

Skills covered

Injection Authentication Client Side Operating System Network

Included with PRO

Full course content 1 video Common mistakes

Ready to practice?

Get access to this lab and 600+ hands-on exercises with a PRO subscription.

Go PRO or create a free account