diff --git a/README.md b/README.md index e2665938f35..877c4cae9ea 100644 --- a/README.md +++ b/README.md @@ -50,7 +50,6 @@ You can find **my reviews of the certifications eMAPT and eWPTXv2** \(and their -Copyright © Carlos Polop 2020. Except where otherwise specified, the text on [HACK TRICKS](https://github.com/carlospolop/hacktricks) by Carlos Polop is licensed under the [**Commons Clause**](https://commonsclause.com/) \(which allow you to use this content freely WITHOUT commercial use\). - -**Copyright © Carlos Polop 2021. Except where otherwise specified, the rights of the text on** [**HACKTRICKS**](https://github.com/carlospolop/hacktricks) **by Carlos Polop are reserved.** +**Copyright © Carlos Polop 2020. Except where otherwise specified \(the copied information belongs to the original authors\), the text on** [**HACK TRICKS**](https://github.com/carlospolop/hacktricks) **by Carlos Polop is licensed under the**[ **Attribution-NonCommercial 4.0 International \(CC BY-NC 4.0\)**](https://creativecommons.org/licenses/by-nc/4.0/)**. +If you want to use it with commercial purposes, please contact with me.** diff --git a/pentesting-web/postmessage-vulnerabilities.md b/pentesting-web/postmessage-vulnerabilities.md index ad73b30a7cc..4bf39896530 100644 --- a/pentesting-web/postmessage-vulnerabilities.md +++ b/pentesting-web/postmessage-vulnerabilities.md 
@@ -1,40 +1,51 @@ # PostMessage Vulnerabilities -## **PostMessages wildcards** +## Send **PostMessage** **PostMessage** uses the following function to send a message: -```javascript +```bash targetWindow.postMessage(message, targetOrigin, [transfer]); + +# postMessage to current page +window.postMessage('{"__proto__":{"isAdmin":True}}', '*') + +# postMessage to an iframe with id "idframe" +document.getElementById('idframe').contentWindow.postMessage('{"__proto__":{"isAdmin":True}}', '*') + +# postMessage to an URL +window.postMessage('{"__proto__":{"isAdmin":True}}', 'https://company.com') ``` -Check that **targetOrigin** could be a url like _https://company.com_, so the messages can only be sent to that user \(secure\). Or it cloud be a wildcard "**\***". In case a wildcard is used, messages could be sent to any domain. +Note that **targetOrigin** can be a '\*' or an URL like _https://company.com._ +In the **second scenario**, the **message can only be sent to that domain** \(even if the origin of the window object is different\). +If the **wildcard** is used, **messages could be sent to any domain**, and will be sent to the origin of the Window object. -### Attack +### Attacking iframe & wilcard in **targetOrigin** -In [**this report**](https://blog.geekycat.in/google-vrp-hijacking-your-screenshots/) you can read how you could **iframe a page** that at some point may **sent** a **postmessage** using a **wildcard as targetOrigin** and **modify it's location so the data will be sent to an arbitrary domain**. In order to be able to perform this attack **X-Frame header must not be present** in the vuln page. 
+As explained in [**this report**](https://blog.geekycat.in/google-vrp-hijacking-your-screenshots/) if you find a page that can be **iframed** \(no `X-Frame-Header` protection\) and that is **sending sensitive** message via **postMessage** using a **wildcard** \(\*\), you can **modify** the **origin** of the **iframe** and **leak** the **sensitive** message to a domain controlled by you. +Note that if the page can be iframed but the **targetOrigin** is **set to a URL and not to a wildcard**, this **trick won't work**. ```markup -
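Review bot: in the README hunk the copyright year moves backwards from 2021 to 2020 in the added line while the licence changes from "all rights reserved" to CC BY-NC 4.0; if the intent is to relicense the current text rather than revert the previous notice, keep the year at 2021 (or use a 2020-2021 range) so the notice does not look like an accidental rollback of the prior commit. Two smaller points in the same added lines: "please contact with me" should read "please contact me", and the link markup `**the**[ **Attribution-NonCommercial 4.0 International \(CC BY-NC 4.0\)**]` has the space inside the link text instead of before the bracket, so the rendered link text starts with a stray space.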
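Review bot: in the postmessage-vulnerabilities.md hunk the code fence is changed from `javascript` to `bash`, but the block body is still JavaScript (`targetWindow.postMessage(...)`, `document.getElementById('idframe').contentWindow.postMessage(...)`), so the fence should stay `javascript` and the added `#` comments should become `//`. The added payload `'{"__proto__":{"isAdmin":True}}'` uses Python's `True`; this is not valid JSON, so any receiver that does `JSON.parse` on the message will throw before the prototype-pollution gadget is reached, and it should be lowercase `true`. The second argument to `postMessage` is an origin (scheme, host, port), not a URL, so the comment `# postMessage to an URL` and the prose "an URL like _https://company.com._" should say "origin"; likewise the parenthetical "(even if the origin of the window object is different)" reads as if the message is still delivered when the target window's origin does not match, whereas the browser silently drops it in that case, which is the whole point of the protection and is worth stating plainly. In the prose, "wilcard" in the new heading is a typo for "wildcard", "sending sensitive message" should be "sending sensitive messages", and `X-Frame-Header` is not a real header: the framing protection being referred to is `X-Frame-Options` (CSP `frame-ancestors` has the same effect and should be mentioned alongside it). Finally, the rewritten attack paragraph says you "modify the origin of the iframe", which drops the mechanism the removed sentence carried ("modify it's location so the data will be sent to an arbitrary domain"): the leak works by navigating the window that receives the wildcard message so that an attacker-controlled document becomes the recipient, not by changing an origin, so consider keeping the original wording about changing the location.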