HACKING postMessage() FOR BEGINNERS!

33,555 views

Farah Hawa

1 day ago

Hi! I'm a pentester and a bug bounty hunter who's learning everyday and sharing useful resources as I move along. Subscribe to my channel because I'll be sharing my knowledge in new videos regularly.
SIGN UP ON Intigriti:
go.intigriti.co...
BUY ME A COFFEE:
www.buymeacoff...
SOCIAL MEDIA:
Follow me on Twitter: / farah_hawaa
Follow me on Instagram: / farah_hawaa
Connect with me on LinkedIn: / farah-hawa-a012b8162
TIME STAMPS:
0:43 Same-Origin Policy
1:14 When is postMessage() used
2:26 Parent window code
3:16 Child window code
4:11 Bug 1- Sender's origin not validated:
5:32 Bug 2- Target origin not specified:
postMessage() LABS:
github.com/t4k...
github.com/shu...
RESOURCES FOR postMessage():
developer.mozi...
www.mcafee.com...
jlajara.gitlab...
/ exploiting-post-messag...
Video editor: www.fiverr.com...

Comments: 131
@funnyshortsfrominternet8897 a month ago
I always underestimated your videos.. But after watching this video I am humbled.. Thanks for sharing the knowledge
@Sypacks 4 years ago
great video. and you blink a lot. 😂😂
@karthikkarthik-kf6bb 4 years ago
😅😂
@kinodertoten9059 4 years ago
Is the sister of nullbyte lol
@0xSN1PE 4 years ago
@@kinodertoten9059 just the comment i was looking for
@shanudevraj4236 4 years ago
Wtf u noticed Bro😂✌🏻
@karansh491 4 years ago
Nullbyte's sister LOL 🤣
@InderjitSingh-ig1wu 4 years ago
Awesome video 🤙 Unique content 💯 Make a detailed video on buffer overflows with crystal clear concepts. It will help a lot.
@rakeshlamber1441 4 years ago
I also searched this topic for many days but it didn't meet my expectations. There is no detailed video on buffer overflow concepts for newbies and it's an in-demand and important topic. I hope ma'am will make a video on this topic
@TrackingAcademy 3 years ago
Alright. I have been surfing to find a solution for 2 days now. And I'm glad I was able to scroll all the way down to your videos. Great 👍
@FarahHawa 3 years ago
Glad I could help!
@aresgamer2413 4 years ago
I have just entered into cyber security and it's just helping me a lot, thanks a lot for such type of videos... please don't stop sharing your knowledge with us.😊
@galvanisingwarrior9092 4 years ago
How did u start doing it ??
@0xx039 4 years ago
Thanks for it! Never thought of learning about postMessages, this is a nice introduction for me to start
@hritikdj 3 years ago
Clear and concise explanation of the postMessage function and its bugs, Thanks for putting it all together 🙏🏻 Keep up the good work 🙌🏻
@FarahHawa 3 years ago
Glad it helped! :)
@yashgoti6276 4 years ago
Great work man. Just one suggestion: keep the background sound low, so we can hear you out clearly.
@MuhammadLab 3 years ago
Now, I'm kinda starting to love your videos
@ygp47 a year ago
simply and clearly explained. thanks
@rachitjain5008 4 years ago
Thanks Miss Farah, I loved what you are doing. I can hardly wait for your next video, please recommend some resources from where I can learn.
@johnsnow1062 4 years ago
Thanks @farah and @intigrity. Well explained lesson. plz keep up the good work.
@parabbmishraa 4 years ago
Thanx a lot ma'am You always post crystal clear concept videos and your style is also awesome .... It leaves no doubt !! 👍👍
@FarahHawa 4 years ago
I’m so happy to hear that!! Thank you for watching ☺️
@terjanq 4 years ago
2:32 there is a little error in the postMessage origin, the protocol is missing. Fortunately, browsers should throw on this, because this is a common mistake :)
@FarahHawa 4 years ago
Noted. Thanks for pointing it out!
@mfajarf0106 3 years ago
Thank you for helping me with my difficulties using postmessage
@gopalsinghr. 4 years ago
Crystal clear explanation thanks for sharing
@domaincontroller 3 years ago
00:45 Same-Origin Policy 01:14 When PostMessage() is used
@irph2 4 years ago
Well done with the videos, keep up the good work, and that vase behind you is beautiful!
@nasirwar346 3 years ago
Thank You for this Beautiful Video.
@mishuchowdhury1156 4 years ago
Make a video about recon & methodology 🙂
@doceeo3213 4 years ago
As cool as always :) Btw will you please make a video on your methodology or how you approach a target....... and some waf bypass techniques... pls !!
@abhidey7299 4 years ago
Awesome video, very informative. Thank you for sharing such valuable info.
@mackeman1356 a year ago
would you name some available labs to practice the idea, please. and thanks for the great simplicity.
@aryanrawat7313 4 years ago
Very well explained Farah, yes and this blinking is with me too😉
@rnz8449 3 years ago
Very informative and simple!
@soufianeamed217 4 years ago
Hi Farah As Usual Good Topic And Useful Explanation. Thanks For Your Time. Have A Good Day And Stay Safe
@knowledgeboxbd9625 4 years ago
Great job, make a video about recon and methodology. Suppose I have a target site for finding bugs, so what methodology generally do I have to follow for finding bugs
@amoghdeodhar 4 years ago
Amazing! unique content.. keep posting Thank you 😇😊🙌💯
@talishgarg1151 4 years ago
Amazing and unique work! Keep it up Ma'am!
@AnkitKumar-zn5il 4 years ago
Such a helpful and great video, keep making...
@ravimakkena3271 4 years ago
Sounds looks splendid
@anujlovetube 4 years ago
Genius.. nice video
@eduardoescanilla141 4 years ago
A super clear and well referenced video, my congratulations to you ;)
@generalinformation3194 2 years ago
Thank you :)
@Joyucomedy 4 years ago
Can u make the next video on fuzzing..!
@RandeepVirk 4 years ago
very informative. good video.
@flashbrutal 4 years ago
It's useless until we get access to any file manager to change the code,, in my opinion
@nullpwn 4 years ago
Awesome explanation
@099watcher 4 years ago
Great content, keep up the good work, We need more people like you 👍🏻. 🍰
@FarahHawa 4 years ago
Thank youuu! Glad you liked it ☺️
@newuser2474 4 years ago
Very well explained farah mam. Can you please make videos on bug bounty 🤗🤗. keep it up
@aimalsultani650 4 years ago
Well-Done
@CarmelleCodes 4 years ago
thank you for these videos, you really inspire me :)
@FarahHawa 4 years ago
Aww, thank you for watching ☺️ glad you like them 🥰
@FarahHawa 3 years ago
@Compiled Movie Hey! No, not really. The bug here is that the postMessage() method being used by the target was misconfigured and either allows: 1. Any origin to send a message to it or 2. Any target to receive a message from it. For this reason, the attacker can use these flaws and trick a user into getting XSS-ed. It does require user interaction but not physical access. And the target needs to fix this bug and that's why they pay the bug hunter for bringing this to their attention.
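The two misconfigurations described in the reply above, written out as an added example (not code from the video, its labs or its author): a receiver that skips the event.origin check beside one that exact-matches an allow-list, and a sender that uses targetOrigin "*" beside one that names a full origin. The origins and the fakeChild stand-in are assumptions so the code runs under Node without a browser.

```javascript
// Added example (not from the video): the two postMessage() bugs from the
// comment above, each beside its hardened form. Origins are assumed;
// "https://app.example" stands in for the real site.
const TRUSTED_ORIGINS = new Set(["https://app.example"]);

// Bug 1 (receiver): event.origin is never checked, so any page holding a
// reference to this window can push markup straight into the DOM.
function vulnerableHandler(event, sink) {
  sink.innerHTML = event.data.html;
  return true;
}

// Hardened receiver: exact-match the full origin against an allow-list
// (substring checks let "https://app.example.attacker.test" through),
// validate the payload shape, and write it as text, not markup.
function hardenedHandler(event, sink) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;
  const d = event.data;
  if (!d || typeof d !== "object" || typeof d.text !== "string") return false;
  sink.textContent = d.text;
  return true;
}

// Bug 2 (sender): targetOrigin "*" hands the message to whatever document
// the child currently shows, including one it has been navigated to.
function vulnerableSend(child, data) {
  child.postMessage(data, "*");
}

// Hardened sender: name the exact origin so the browser drops the message
// if the child is elsewhere. It must carry a scheme (the 2:32 slip noted
// in the comments); new URL() throws on "app.example" as the browser would.
function hardenedSend(child, data, targetOrigin) {
  if (new URL(targetOrigin).origin !== targetOrigin) {
    throw new Error("targetOrigin must be a bare origin like https://host");
  }
  child.postMessage(data, targetOrigin);
}
// Stand-in for a child window so this runs under Node; it applies the
// browser rule: deliver only for "*" or an exact match of the child's origin.
function fakeChild(childOrigin) {
  const delivered = [];
  return {
    delivered,
    postMessage(data, targetOrigin) {
      if (targetOrigin === "*" || targetOrigin === childOrigin) delivered.push(data);
    },
  };
}
```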
@FarahHawa 3 years ago
Check the description!
@mersalmakers1577 4 years ago
Wow farah... Thank you
@hannanjamil1060 4 years ago
Great content! Keep rocking!
@boneytech3965 4 years ago
Useful video thanks farah
@FarahHawa 4 years ago
Thank you for watching! So happy you found it useful! ☺️
@theodoreramli9182 4 years ago
Beautiful & brilliant
@shrirangkahale 4 years ago
Great
@cyrexplays5031 4 years ago
Make a video on endpoints and how to exploit them?
@bejankinaveen9306 3 years ago
Nice video 👍
@Tergaurav 4 years ago
Thanks for the video, more content needed, with 2 videos a week?
@MaxProgramming 4 years ago
Just found your channel from recommended. Are you a software tester? I am learning web development.
@iamaprogrammer470 4 years ago
I want to explore Ethical Hacking but I don't know where I should start? Can u guide me?
@itszabbs1740 4 years ago
Thank You so much !!
@AZANSHAHID 4 years ago
Please make a video on directory traversal attacks
@AZANSHAHID 4 years ago
@hackR i have already signed up on that. i will take a look. thanks for the reply
@alirazzaq400 4 years ago
Great work!
@Alexedits778 3 years ago
nice video
@kevinnyawakira4600 4 years ago
thanks Farah
@sheikhsoif8167 4 years ago
It's a great video
@moviesentertainment9623 4 years ago
you're pretty, beauty+brain, a rare combination from god
@pavankumarreddy4178 4 years ago
If I am not wrong u r the one who cracked oscp at a young age..
@ImranShaikh-kt7ey 3 years ago
Which software do you use for editing?
@ugroon9050 3 years ago
Thanks for the video but today i found a vulnerable page and created a php exploit file but it doesn't work, when i click the play it doesn't do the action (child page doesn't open), can u help me (sorry for my english, english is not my main language :))
@sanghadiyasunil3489 4 years ago
Hello ma'am can you explain SSRF? Make a video?
@pitchaiahmurugesan7611 4 years ago
Mam pls add English subtitles
@verdipratama 4 years ago
Hey farah😚💕
@k2kmaster462 4 years ago
how many types of bugs are there in bug bounty, upload a video sister
@shreyabanerjee1684 4 years ago
Hey can you tell me that if there are two OSes in the vm machine.. will the two vm machines have the same IP address or different IP addresses, and is there any platform where I can connect to you and ask some doubts?? it will be very helpful for me.. keep the good work up👍❤️
@ome.mishra 4 years ago
use NAT for the same IP ....... or bridge ........ for different IPs in the local network
@rohit_ojha 4 years ago
please make your own slack community ma'am please...... slack is an app which you can download from the playstore ma'am, please make that ma'am
@aneeshnadh5377 4 years ago
Good content, Is it DOM based xss?
@FarahHawa 4 years ago
Yes, all of these attacks are client-side!
@b3ast407 4 years ago
Farah can you please tell how to set up labs like u to study, for eg like in this video, the graphql one
@FarahHawa 4 years ago
I’ve mentioned the GitHub repo for the lab in the description! I just followed the instructions on that to set it up.
@b3ast407 4 years ago
@@FarahHawa Thank you for your reply, learning a lot from you.
@faique2995 4 years ago
loved it
@MuhammadLab 3 years ago
But if you put subtitles it is even better
@ReporterAji 4 years ago
Hello, Madam Please create a Playlist
@RahulVerma-kr5qz 4 years ago
Heyy!! Uh have good knowledge but please improve your voice quality, it's not clear in this video
@playshort9053 4 years ago
Nice I like to see you, we are the same age 🌹
@Malware01 4 years ago
I'm tired of gdpr cookies
@ghostgil7006 4 years ago
Redirecting dom xss
@manyamnandeeshreddy6153 4 years ago
Great Video but please reduce the background music
@MP-eq8fx 4 years ago
Thank you for the video. Please tell, can someone from a non tech background enter the field of bug bounty hunting for web apps?
@FarahHawa 4 years ago
I'm from a "non-tech background" so I would say YES!!! But you have to get your basics right first.
@MP-eq8fx 4 years ago
@@FarahHawa Thank you for your reply. It's great to know that you are doing so much coming from a non-tech background. I have one request for you: Please make a video or write an article about your journey coming to tech from a non-tech background, the hurdles you faced and how you overcame them. That will be a guiding post for many like me. Waiting for your reply. May God bless you. EDIT: Just saw your video about your journey into bug bounty. You said that you have been in the field of IT security for 2 years. So I think that gave you hands on experience before you came to bug bounty. I wish I could get to know about the experiences of someone coming into this field without any job/education in this field. The reason I am saying this is because in the back of my mind whenever I am reading something related to security/bug bounty, I always feel that people from the IT field/CS education know things in much more detail, so what I am doing is nothing compared to that and this is being a big mental block for me.
@cyethacksolutions6761 4 years ago
Great content, keep making videos👍 And yes you blink a lot, 😀 but still a good video
@vivekdas3807 4 years ago
She blinked 486 times
@karthikkarthik-kf6bb 4 years ago
U hav stopped saying "I'm a bug Bounty hunter" in the beginning of the video, why so?🤔
@FarahHawa 4 years ago
Nice catch 🎉
@karthikkarthik-kf6bb 4 years ago
@@FarahHawa tq 😁
@rohit_ojha 4 years ago
please make a slack community ma'am......?.
@rizwanpathan6512 4 years ago
Farah please answer my question: Do we require web development knowledge, ex javascript etc, to hunt bugs
@FarahHawa 4 years ago
It definitely helps a lot!
@rizwanpathan6512 4 years ago
@@FarahHawa did you learn web development? In your 1st video you told us you have worked in the security field, after that you started bug hunting. In which did you work before bug hunting? I hope you will answer this
@FarahHawa 4 years ago
rizwan khan maybe I haven’t worked in web development. However, I do know PHP, Python and JS which I use to make vulnerable web apps to practise sometimes and that really really helps me!
@rizwanpathan6512 4 years ago
@@FarahHawa thanks a lot for answering my questions
@sachinmaurya3259 4 years ago
First to comment >:< Nice video
@Joyucomedy 4 years ago
Can we do the same on any website which has login with Google or Facebook ???
@FarahHawa 4 years ago
That’s true, any website that uses postMessage without these checks is vulnerable. However, oauth token leak is possible. Check this report out hackerone.com/reports/314814
@FarahHawa 4 years ago
Mohammad Owais semrush has their own oauth framework :)
@qureshiowais6951 2 years ago
remove the music please
@e1Pr0f3ss0r 4 years ago
R u Indian ?
@prashantkumar2963 4 years ago
Ubuntu 20.04 no😜 me too.
@jomarbombita5078 4 years ago
Nice and cute girl🤗😁😂
@Rohitkumar-xv7uv 4 years ago
Your eyes blink so much! And this is distracting me 😂
@laminlevrai1758 4 years ago
I hack you, you hack me and let's call the end justice.
@EXPERTAD 3 years ago
980th like
@deepwisdom431 4 years ago
Actually impressed, if u feel comfortable contact me.
@HimanshuParmarlifestyle 4 years ago
I have messaged you i hope you check it ☺️ i couldn't find your email so i just messaged you on insta. Ty for the info
@Ankit_bhai_vlogs 2 years ago
Can I contact you