Properties are accessible in a sandboxed iframe

This vector attempts to see which properties are available on the parent window of a sandboxed iframe.

Created by: hackvertor

Created on: Friday, June 7, 2024 at 7:41:00 PM

Updated on: Wednesday, December 10, 2025 at 9:40:19 PM

Category: Browser Quirks

Vector visibility: Public

Vector type: JS

Vector charset: UTF-8

Code used before fuzz:

const props = Object.getOwnPropertyNames(window);
for(const prop in document){
  try{
       props.push("document."+prop);
  } catch{}
}
props.forEach(prop => {
    try {
         if(typeof parent[prop] !== 'undefined') {
             log("parent."+prop);
          }
    } catch{}
})

Template used:
1337

Your browser was detected as:

Detecting... Detecting... Detecting... Detecting...

Sample payloads

1337

Fuzz results

Chrome 143.0.0.0 desktop macOS 10.15.7

Updated

Wed Dec 10 2025

Found 13 results

Show differences only?

Filter out alphanumeric

Sort ascending

Firefox 146.0 desktop macOS 10.15

Updated

Wed Dec 10 2025

Found 13 results

Show differences only?

Filter out alphanumeric

Sort ascending

Safari 26.1 desktop macOS 10.15.7

Updated

Wed Dec 10 2025

Found 13 results

Show differences only?

Filter out alphanumeric

Sort ascending