Properties that leak the parent URL even when sandboxed

Chrome logo 1
Safari logo 1
Firefox logo 1

This vector shows all the properties in window and document that contain a URL that leaks the parent URL even when sandboxed.

Created by: hackvertor

Created on: Thursday, June 6, 2024 at 11:25:57 AM

Updated on: Thursday, October 3, 2024 at 12:48:12 AM

Vector type: JS

Code used before fuzz:
const regex = /(?:https?):\/\/shazzer[.]co[.]uk/;
Object.getOwnPropertyNames(window).forEach(prop => {
   try{
      regex.test(window[prop]+'')&&log('window.'+prop)
   }catch{}
});
for(const prop in document){
  try{
       regex.test(document[prop]+'')&&log('document.'+prop);
  } catch{}
}
Template used:
1337
Your browser was detected as:
Detecting... Detecting... Detecting... Detecting...

Sample payloads

1337

Fuzz results

Chrome logo
Chrome 125.0.0.0 desktop macOS 10.15.7

Updated

Thu Jun 06 2024
Found 1 result
Data
document.baseURI
Safari logo
Safari 17.4 desktop macOS 10.15.7

Updated

Thu Jun 06 2024
Found 1 result
Data
document.baseURI
Firefox logo
Firefox 126.0 desktop macOS 10.15

Updated

Thu Jun 06 2024
Found 1 result
Data
document.baseURI
Safari logo
Safari 17.5 mobile iOS 17.5.1

Updated

Thu Jun 06 2024
Found 1 result
Data
document.baseURI