How I found DOM XSS via postMessage on bing.com and received a reward by Microsoft Bug Bounty namcoder.com/blog/how-i-fou… #microsoft #bugbounty #bugbountytips
Like, in which position are you trying to trigger it with postMessage('message', '*')? How do you debug it, then exploit it? Like, how do you check if the code is vulnerable? It's a bit hard for me to understand. Like, I found one where there wasn't a dangerous source and any origin, and it didn't pop.
Yes. Put the breakpoint inside the listener on the "Sources" tab. Then send the test postMessage({}, '*') on the "Console" tab. You should have some knowledge of JavaScript to debug. When you send the postMessage, it will trigger the breakpoint.
Ah, DM is closed, so I am asking it here. When you're looking for postMessage, do you look at those in the global listeners, go to the code, find addEventListener("message, and then look for sources? Like window.open after the code that has "message"? Like, I didn't understand.
For a quick summary of all listeners in a website, you could use the browser extension github.com/fransr/postMes… Quick look to find: .innerHTML or window.open or other sinks in my slides.
And the methodology, like, how do you look for postMessage and DOM XSS bugs in JavaScript files, or just global listeners? And which postMessage listeners, because there were widgets and stuff; some of them were JS files and some were widgets that you exploited.
Then it should be a dangerous source to look for, and then go for the exploit? I didn't understand that part.
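The listener-and-sink pattern the replies above describe, modelled as an added example (not code from the thread, the blog post or bing.com): a message handler with no origin check that writes event.data straight into an .innerHTML sink, beside a hardened handler that checks event.origin against an allowlisted origin (TRUSTED_ORIGIN is an assumed placeholder) and writes only to a text sink. A plain object stands in for the DOM element so the code runs under Node without a browser.

```javascript
// Assumed placeholder for the one origin this page expects messages from.
const TRUSTED_ORIGIN = 'https://example.com';

// Minimal stand-in for a DOM element (no HTML parsing, just the two sinks).
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Vulnerable pattern: any window can post to this listener (the sender uses
// postMessage(data, '*')), and the untrusted string reaches an HTML sink.
// Returns what ended up in the sink so the effect can be inspected.
function vulnerableListener(el, event) {
  el.innerHTML = event.data; // DOM XSS: markup in event.data is rendered
  return el.innerHTML;
}

// Hardened pattern: reject unexpected origins, require a structured message,
// and render the value as text rather than HTML.
function hardenedListener(el, event) {
  if (event.origin !== TRUSTED_ORIGIN) {
    return { accepted: false, reason: 'origin' };
  }
  const data = event.data;
  if (data === null || typeof data !== 'object' || typeof data.text !== 'string') {
    return { accepted: false, reason: 'shape' };
  }
  el.textContent = data.text; // text sink: tags are displayed, not executed
  return { accepted: true, rendered: el.textContent };
}

// Constructed sample events shaped like a browser MessageEvent.
const untrustedEvent = {
  origin: 'https://untrusted.invalid',
  data: '<b>untrusted markup</b>',
};
const trustedEvent = {
  origin: TRUSTED_ORIGIN,
  data: { text: '<b>hello</b>' },
};

// Runs both handlers against the sample events and reports the outcome.
function demo() {
  const vulnEl = makeElement();
  const hardEl = makeElement();
  return {
    vulnerableSink: vulnerableListener(vulnEl, untrustedEvent),
    hardenedUntrusted: hardenedListener(hardEl, untrustedEvent),
    hardenedTrusted: hardenedListener(hardEl, trustedEvent),
    hardenedInnerHTML: hardEl.innerHTML,
  };
}
```

Setting a breakpoint inside the listener and sending the two sample events from the console, as the thread suggests, shows the same split: the first handler stops with event.data already on its way to innerHTML, the second returns before any sink is touched.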