As explained in [**this report**](https://blog.geekycat.in/google-vrp-hijacking-your-screenshots/) if you find a page that can be **iframed** \(no `X-Frame-Header` protection\) and that is **sending sensitive** message via **postMessage** using a **wildcard** \(\*\), you can **modify** the **origin** of the **iframe** and **leak** the **sensitive** message to a domain controlled by you.
Note that if the page can be iframed but the **targetOrigin** is **set to a URL and not to a wildcard**, this **trick won't work**.
Note in this case how the **first thing** that the code is doing is **checking the origin**. This is terribly **important** mainly if the page is going to do **anything sensitive** with the received information \(like changing a password\). **If it doesn't check the origin, attackers can make victims send arbitrary data to this endpoints** and change the victims passwords \(in this example\).
* Use a **browser extension** like [**https://github.com/benso-io/posta**](https://github.com/benso-io/posta) or [https://github.com/fransr/postMessage-tracker](https://github.com/fransr/postMessage-tracker). This browser extensions will **intercept all the messages** and show them to you.
* If **`indexOf()`** is used to **check** the **origin** of the PostMessage event, remember that it can be easily bypassed like in the following example: `("https://app-sj17.marketo.com").indexOf("https://app-sj17.ma")`
* If **`search()`** is used to **validate** the **origin** could be insecure. According to the docs of `String.prototype.search()`, the method **takes a regular repression** object instead of a string. If anything other than regexp is passed, it will get implicitly converted into a regexp. In regular expression, **a dot \(.\) is treated as a wildcard**. An attacker can take advantage of it and **use** a **special domain** instead of the official one to bypass the validation, like in: `"https://www.safedomain.com".search("www.s.fedomain.com")`.
* If **`escapeHtml`** function is used, the function does not create a `new` escaped object, instead it **overwrites properties** of the existing object. This means that if we are able to create an object with a controlled property that does not respond to `hasOwnProperty` it will not be escaped.
In scenarios where the data sent through `postMessage` is executed by JS, you can **iframe** the **page** and **exploit** the **prototype pollution/XSS** sending the exploit via `postMessage`.
Example of an exploit to abuse **Prototype Pollution and then XSS** through a `postMessage` to an `iframe`:
* Link to page about [**prototype pollution**](deserialization/nodejs-proto-prototype-pollution.md)\*\*\*\*
* Link to page about [**XSS**](xss-cross-site-scripting/)\*\*\*\*
* Link to page about [**client side prototype pollution to XSS**](deserialization/nodejs-proto-prototype-pollution.md#client-side-prototype-pollution-to-xss)\*\*\*\*