
Properties that leak the parent URL even when sandboxed


This vector enumerates the properties of window and document whose value is a URL that leaks the parent URL, even when sandboxed.

Created by hackvertor
Created Jun 6, 2024
Updated Dec 10, 2025

Category: Browser Quirks
Visibility: Public
Type: JS
Charset: UTF-8
Code used before fuzz:
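// Matches any value that starts with the parent page's origin (shazzer.co.uk).
const regex = /^(?:https?):\/\/shazzer[.]co[.]uk/;
// Check every own property of window, coerced to a string.
Object.getOwnPropertyNames(window).forEach(prop => {
   try {
      regex.test(window[prop] + '') && log('window.' + prop);
   } catch {} // some property reads throw; skip them
});
// for...in also walks the inherited properties of document.
for (const prop in document) {
   try {
      regex.test(document[prop] + '') && log('document.' + prop);
   } catch {}
}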
Template used:
1337

Sample payloads

1337

Fuzz results

Chrome 145.0.0.0 desktop macOS 10.15.7
Updated 8 Feb 2026
Found 1 result

Chrome 125.0.0.0 desktop macOS 10.15.7 (older version)
Updated 6 Jun 2024
Found 1 result

Firefox 148.0 desktop macOS 10.15
Updated 2 Feb 2026
Found 1 result

Firefox 126.0 desktop macOS 10.15 (older version)
Updated 6 Jun 2024
Found 1 result

Microsoft Edge 144.0.0.0 desktop Windows NT 10.0
Updated 26 Jan 2026
Found 1 result

Safari 26.2 desktop macOS 10.15.7
Updated 29 Jan 2026
Found 1 result

Safari 17.5 mobile iOS 17.5.1 (older version)
Updated 6 Jun 2024
Found 1 result

Safari 17.4 desktop macOS 10.15.7 (older version)
Updated 6 Jun 2024
Found 1 result