Shazzer logo

    Properties that leak the parent URL even when sandboxed

    This vector shows all the properties in window and document that contain a URL that leaks the parent URL even when sandboxed.

    Created by: hackvertor

    Created on: Thursday, June 6, 2024 at 11:25:57 AM

    Updated on: Friday, July 19, 2024 at 3:45:11 AM

    Vector type: JS

    Code used before fuzz:
    const regex = /(?:https?):\/\/shazzer[.]co[.]uk/;
Object.getOwnPropertyNames(window).forEach(prop => {
   try{
      regex.test(window[prop]+'')&&log('window.'+prop)
   }catch{}
});
for(const prop in document){
  try{
       regex.test(document[prop]+'')&&log('document.'+prop);
  } catch{}
}
    Template used:
    1337
    Your browser was detected as:
    Detecting... Detecting... Detecting... Detecting...

    Sample payloads

    1337

    Fuzz results

    Chrome logo
    Chrome 125.0.0.0 desktop macOS 10.15.7
    Found 1 result
    Data
    document.baseURI
    Safari logo
    Safari 17.4 desktop macOS 10.15.7
    Found 1 result
    Data
    document.baseURI
    Firefox logo
    Firefox 126.0 desktop macOS 10.15
    Found 1 result
    Data
    document.baseURI
    Safari logo
    Safari 17.5 mobile iOS 17.5.1
    Found 1 result
    Data
    document.baseURI