Lessons Learned From Exposing Unusual XSS Vulnerabilities
Universal Code Execution by Chaining Messages in Browser Extensions
How I found DOM XSS via postMessage on Bing.com - Microsoft Bug Bounty
Exfiltrating Data from Sandboxed Documents
Go Go XSS Gadgets: Chaining a DOM Clobbering Exploit in the Wild
Who are you? The Importance of Verifying Message Origins
XSS to OAuth access token leak in office online which can be used to account takeover
Google Extensions (Awarded $18833.7)
Two XSS Vulnerabilities in Azure with Embedded postMessage IFrames
XSS in WordPress via open embed auto discovery
A smorgasbord of a bug chain: postMessage, JSONP, WAF bypass, DOM-based XSS, CORS, CSRF…
CSS Injection via PostMessages to stealing Credit Card Info
Imperva Red Team Discovers Vulnerability in TikTok That Can Reveal User Activity and Information
How Your NFTs Could Have Been Stolen in Just One Click
postMessage DOM XSS vulnerability in Gartner Peer Insights widget
Account Takeover in Canvas Apps served in Comet due to failure in Cross-Window-Message Origin validation
XSS using postMessage in Google Cloud Theia notebooks [Google VRP]
XSS on account.leagueoflegends.com via easyXDM [2016]
Adobe Acrobat hollowing out same-origin policy
OAuth and PostMessage - Chaining misconfigurations for your access token.
Critical XSS in chrome extension
Yes, fun browser extensions can have vulnerabilities too!
PostMessage Xss vulnerability on private program
Stealing tokens, emails, files and more in Microsoft Teams through malicious tabs
XSS via postMessage in chat.mozilla.org