Properties are accessible in a sandboxed iframe

This vector attempts to see which properties are available on the parent window of a sandboxed iframe.

Shazzer Elite

Created byhackvertor

Created Jun 7, 2024

Updated Dec 10, 2025

Detecting browser...

CategoryBrowser Quirks

VisibilityPublic

TypeJS

CharsetUTF-8

Code used before fuzz:

const props = Object.getOwnPropertyNames(window);0x0D
for(const prop in document){0x0D
  try{0x0D
       props.push("document."+prop);0x0D
  } catch{}0x0D
}0x0D
props.forEach(prop => {0x0D
    try {0x0D
         if(typeof parent[prop] !== 'undefined') {0x0D
             log("parent."+prop);0x0D
          }0x0D
    } catch{}0x0D
})

Template used:

Properties are accessible in a sandboxed iframe

Sample payloads

Fuzz results

Distributed Fuzzing

Properties are accessible in a sandboxed iframe

Sample payloads

Fuzz results