One of the great extensions you can use for hunting vulnerabilities, especially for finding postMessage vulnerabilities, is this one.
You can see all the thing in this link : Visit Link
1.Find postMessage
2.Find dangerous sinks in JS
3.Exploit postMessage
4.Send requests via the extension
5.Exploit within the extension
6.Generate postMessage exploit code
First, download the file and extract it from the zip format. After that, go to the Extensions section in Chrome, then go to "Manage Extensions" and turn on "Developer Mode." Then click on "Load unpacked" and upload the file. After uploading, the DOM Invader extension will be added to your extensions, and all you need to do is turn it on. To use the extension, you need to go to the Inspect section in the browser. Then, open the DOM Invader tab, and everything will be visible.