XSS Bypass sandbox="allow-same-origin" policy in IFRAME using the Latest version of Firefox Browser

Hi Everyone,

Iframe sandbox applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.

Refer to page :

where <value> can optionally be one of the following values:
  1. allow-downloads 
    Allows downloading files through an <a> or <area> element with the download attribute, as well as through the navigation that leads to a download of a file. This works regardless of whether the user clicked on the link, or JS code initiated it without user interaction.

  2. allow-downloads-without-user-activation
    Allows for downloads to occur without a gesture from the user.

  3. allow-forms
    Allows the page to submit forms. If this keyword is not used, forms will be displayed as normal, but submitting them will not trigger input validation, send data to a web server, or close a dialog.

  4. allow-modals
    Allows the page to open modal windows by Window.alert(), Window.confirm(), Window.print() and Window.prompt(), while opening a <dialog> is allowed regardless of this keyword. It also allows the page to receive BeforeUnloadEvent event.

  5. allow-popups
    Allows popups (like from Window.open(), target="_blank", Window.showModalDialog()). If this keyword is not used, that functionality will silently fail.

  6. allow-same-origin 
    If this token is not used, the resource is treated as being from a special origin that always fails the same-origin policy (potentially preventing access to data storage/cookies and some JavaScript APIs).

  7. allow-scripts 
    Allows the page to run scripts (but not create pop-up windows). If this keyword is not used, this operation is not allowed.

When we browsed through the IFRAME elements, we found a unique case.
Here's a screenshot of the HTML Iframe snippet:
The XSS payload that we entered is in the value of the srcdoc attribute, and no pop-up appears here.
Here's a screenshot of the results on the page:


Oh no, what happened?
We noticed something odd here, namely the sandbox="allow-same-origin" attribute.

Is it possible that the XSS payload we input is not being executed due to a sandbox="allow-same-origin" policy?

We are trying to run a simple payload like:
<a href='https://www.secrash.com/'>CLICK</a>

That's right, we can use that payload to create XSS.

Now we try to enter the javascript protocol.
<a href='javascript:alert(1)'>CLICK</a>

The following are the results of this experiment using several browsers:

1. Chrome
2. Opera
3. Edge
4. Firefox

Bypass CLICK:
1. Click via the scroll button (middle mouse button)
2. CTRL+Click

Now we can trigger the pop-up in Firefox. We ran this test on the latest version of Firefox at the time, 114.0.2.
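A defender-side audit for the pattern described in this post, added here as an example (not code from the original post): it parses a page with Python's standard-library html.parser, records each iframe's sandbox tokens, and flags javascript: links inside srcdoc after browser-style scheme normalization, so the payload is caught in the content itself rather than relying on sandbox tokens to neutralize it. The SAMPLE markup is constructed for the example.

```python
from html.parser import HTMLParser
import re

# Browsers strip ASCII control chars and spaces before matching a URL scheme,
# so "java\tscript:" still resolves to javascript: and must be normalized the same way.
_SCHEME_NOISE = re.compile(r"[\x00-\x20]")

def is_javascript_url(href):
    """True if href resolves to the javascript: scheme after browser-style normalization."""
    return _SCHEME_NOISE.sub("", href or "").lower().startswith("javascript:")

class _LinkCollector(HTMLParser):
    """Collects href values of <a>/<area> elements inside a srcdoc document."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag in ("a", "area"):
            self.hrefs += [v for k, v in attrs if k == "href" and v is not None]

class _IframeAuditor(HTMLParser):
    """Records each iframe's sandbox tokens and any javascript: links in its srcdoc."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        # None when the attribute is absent; [] for a bare sandbox attribute (fully sandboxed)
        tokens = sorted(set((a["sandbox"] or "").lower().split())) if "sandbox" in a else None
        links = _LinkCollector()
        links.feed(a.get("srcdoc") or "")  # html.parser has already entity-decoded the value
        self.findings.append({
            "sandbox": tokens,
            "js_links": [h for h in links.hrefs if is_javascript_url(h)],
        })

def audit_iframes(html):
    """Return one finding per <iframe> in the document, in source order."""
    p = _IframeAuditor()
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample: the post's iframe shape (sandbox="allow-same-origin" and the
# javascript: payload in srcdoc) next to a benign iframe for comparison.
SAMPLE = (
    '<iframe sandbox="allow-same-origin" '
    'srcdoc="<a href=\'javascript:alert(1)\'>CLICK</a>"></iframe>'
    '<iframe sandbox="allow-scripts" srcdoc="<a href=\'https://www.secrash.com/\'>CLICK</a>"></iframe>'
)
```

Any finding with a non-empty js_links list is attacker-controlled content that should have been sanitized before it was placed in srcdoc, whatever the sandbox tokens say.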