postMessage() IV

This exercise covers how insecure calls to the JavaScript function postMessage() can be used to leak sensitive information when a listener does not filter the origin of incoming messages, even though X-Frame-Options is in place.

Pro tier | Difficulty: Medium | Time: < 1 Hr. | Orange Badge

In this course, you will learn how to exploit an application that improperly uses `addEventListener()` without checking the origin of the message. This flaw allows an attacker to manipulate the `postMessage()` function to extract sensitive information. The exercise is based on well-documented security weaknesses and real-world examples of `postMessage` issues.

The practical part of the course involves creating a malicious HTML page that opens the vulnerable application using `window.open()`. Because the application is opened as a separate window rather than embedded in a frame, the restrictions imposed by `X-Frame-Options` do not apply. From that window reference, you can craft a malicious `postMessage` that tricks the application into replying with confidential data, which the administrator leaks without realizing it. This exercise is designed to help you understand the importance of verifying the origin of messages and the potential consequences of failing to do so.
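As an added illustration (not the exercise's own code), the listener pattern described above, which answers any sender, is shown beside a hardened version that allow-lists the origin and addresses its reply explicitly. `MessageEvent` objects and `event.source` are replaced by constructed plain objects so the comparison runs under Node without a browser; `https://app.example` and the report string are assumed values.

```javascript
// Added example, not the exercise's own code: the listener pattern the course
// describes (no origin check) next to a hardened version. MessageEvent and the
// sender window are replaced by constructed plain objects so it runs under Node.

const APP_ORIGIN = "https://app.example";   // assumed: the application's own origin
const SECRET = "admin-only-report";          // constructed stand-in for the leaked data

// Vulnerable: any window holding a reference to the app (window.open() obtains
// one even when X-Frame-Options blocks framing) receives the secret, because
// neither the sender's origin nor the reply's target origin is restricted.
function vulnerableListener(event) {
  if (event.data === "getReport") {
    event.source.postMessage(SECRET, "*");
  }
}

// Hardened: allow-list the sender, validate the message shape, and address the
// reply to that exact origin so a foreign window never receives it.
function hardenedListener(event) {
  if (event.origin !== APP_ORIGIN) return;        // drop foreign senders
  if (typeof event.data !== "string") return;      // reject unexpected shapes
  if (event.data === "getReport") {
    event.source.postMessage(SECRET, APP_ORIGIN);  // never "*"
  }
}

// Builds a MessageEvent-like object whose source.postMessage records what the
// listener sends back, so the leak is observable without a browser.
function makeEvent(origin, data, replies) {
  return {
    origin,
    data,
    source: { postMessage: (msg, target) => replies.push({ origin, msg, target }) },
  };
}

// Replays one legitimate and one foreign message against a listener and returns
// every reply it emitted. The foreign origin is constructed for the simulation.
function simulate(listener) {
  const replies = [];
  [
    makeEvent(APP_ORIGIN, "getReport", replies),
    makeEvent("https://other.example", "getReport", replies),
  ].forEach(listener);
  return replies;
}

console.log("vulnerable:", simulate(vulnerableListener)); // secret sent to both origins
console.log("hardened:", simulate(hardenedListener));     // only the app origin gets a reply
```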
