XSS Bypass sandbox="allow-same-origin" policy in IFRAME using the Latest version of Firefox Browser
Hi Everyone,
The iframe sandbox attribute applies restrictions to the embedded page's actions, including preventing popups, blocking the execution of plugins and scripts, and enforcing the same-origin policy.
Refer to page :
where <value> can optionally be one of the following values:
- allow-downloads
Allows downloading files through an <a> or <area> element with the download attribute, as well as through a navigation that leads to a download of a file. This works regardless of whether the user clicked on the link or JS code initiated it without user interaction.
- allow-downloads-without-user-activation
Allows downloads to occur without a gesture from the user.
- allow-forms
Allows the page to submit forms. If this keyword is not used, forms will be displayed as normal, but submitting them will not trigger input validation, send data to a web server or close a dialog.
- allow-modals
Allows the page to open modal windows by Window.alert(), Window.confirm(), Window.print() and Window.prompt(), while opening a <dialog> is allowed regardless of this keyword. It also allows the page to receive the BeforeUnloadEvent event.
- allow-popups
Allows popups (like from Window.open(), target="_blank", Window.showModalDialog()). If this keyword is not used, that functionality will silently fail.
- allow-same-origin
If this token is not used, the resource is treated as being from a special origin that always fails the same-origin policy (potentially preventing access to data storage/cookies and some JavaScript APIs).
- allow-scripts
Allows the page to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.
When we browsed through the IFRAME elements, we found a unique case.
Here's a screenshot of the HTML Iframe snippet:
The XSS payload we entered ends up in the value of the srcdoc attribute, yet no pop-up appears.
Here's a screenshot of the results on the page:
Oh no, what happened?
We noticed something odd here, namely the sandbox="allow-same-origin" attribute.
Is it possible that the XSS payload we input is not being executed due to a sandbox="allow-same-origin" policy?
First we try a simple payload:
<a href='https://www.secrash.com/'>CLICK</a>
That's right: the payload is rendered, so we can use it to create XSS.
Now we try a javascript: URL as the link target.
<a href='javascript:alert(1)'>CLICK</a>
We ran this experiment in several browsers:
1. Chrome
2. Opera
3. Edge
4. Firefox
Ways to trigger the link other than a plain click:
1. Click with the scroll (middle mouse) button
2. Ctrl+Click
With either of those, the pop-up fires in Firefox. We tested this on the latest version of Firefox at the time, 114.0.2.
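As an added example (not part of the original post), here is why the payload placed in the srcdoc attribute renders as live markup, and how untrusted text must be escaped so it stays inert: the browser decodes srcdoc once as an attribute value and then parses the result as an HTML document, so one round of escaping is not enough. The decodeEntities helper is a simplified model of the parser's attribute decoding (an assumption), covering only the five references escapeHtml emits; the payload string is taken from the post.

```javascript
// Added example, not from the original post. srcdoc is decoded once as an
// attribute value and the result is parsed again as an HTML document, so
// untrusted text placed in it must be escaped twice to stay inert.

const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Simplified model (assumption) of the parser's attribute-value decoding:
// a single pass over the five named references escapeHtml produces.
const decodeEntities = (s) => s.replace(/&(amp|lt|gt|quot|#39);/g, (_, n) =>
  ({ amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" }[n]));

// Pull the srcdoc attribute value out of a generated <iframe> tag.
function srcdocValue(tag) {
  return /srcdoc="([^"]*)"/.exec(tag)[1];
}

// What the frame actually parses: the attribute value decoded once.
function frameDocumentFromSrcdoc(tag) {
  return decodeEntities(srcdocValue(tag));
}

// Unsafe: a single escape only protects the attribute boundary; after the
// parser decodes the attribute, the untrusted string is live markup again.
function buildSrcdocOnce(untrusted) {
  return `<iframe sandbox="allow-same-origin" srcdoc="${escapeHtml(untrusted)}"></iframe>`;
}

// Safe: escape for the inner document, then escape that for the attribute.
// An empty sandbox value applies every restriction.
function buildSrcdocTwice(untrusted) {
  return `<iframe sandbox="" srcdoc="${escapeHtml(escapeHtml(untrusted))}"></iframe>`;
}

// Audit a sandbox token list. MDN warns that allow-scripts together with
// allow-same-origin lets the embedded content remove the sandbox attribute.
function sandboxWarnings(value) {
  const tokens = new Set(value.trim().split(/\s+/).filter(Boolean));
  const warnings = [];
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    warnings.push('allow-scripts with allow-same-origin: frame can unsandbox itself');
  }
  return warnings;
}

// Constructed input: the payload from the post.
const PAYLOAD = "<a href='javascript:alert(1)'>CLICK</a>";

console.log(frameDocumentFromSrcdoc(buildSrcdocOnce(PAYLOAD)));   // live <a> markup
console.log(frameDocumentFromSrcdoc(buildSrcdocTwice(PAYLOAD)));  // starts with &lt;a
```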