Cross document messaging is a very common communication method. It has been around for a while, and yes, IT IS exploitable if you do not implement it according to its security model. However, the messages sent using the postMessage command will not show up in your standard debugger proxy because they work without networking inside the browser’s memory. Watch Enso’s Chief Architect Chen Gour-Arie explain cross-document messaging technology, how to hack it, and how to use it safely.
Chen and a team of AppSec professionals had released a free open-source project named Posta ( https://github.com/benso-io/posta ) a tool for researching Cross-document Messaging communication. It allows you to track, explore and exploit postMessage vulnerabilities and includes features such as replaying messages sent between windows within any attached browser.