YouTube.com postMessage Cross-Site Scripting Example

The following video demonstrates a postMessage flaw identified within YouTube.com. In the video a Cross-Domain message is submitted to YouTube.com to inject JavaScript and perform a Cross-Site Scripting attack. A full analysis of the flaw can be found within the Hunting postMessage Vulnerabilities whitepaper published at; http://www.sec-1.com/blog/2016/hunting-html-5-postmessage-vulnerabilities And http://appcheck-ng.com/hunting-html-5-postmessage-vulnerabilities/