Chained attack (phishing + fullscreen + redirect)
Reproduce a chain that shows fake fullscreen UI, captures credentials, then top-redirects to reduce suspicion.
Behavior by sandbox policy
| Policy | Expected result |
|---|---|
| No sandbox | works |
| sandbox="allow-scripts" | partial |
| sandbox="" (strictest) | blocked |
Embed snippet
This snippet uses the dedicated embed page. Paste it into your own service and check rendering or blocking behavior.
<iframe src="https://xss-playground.com/embed/chained-attack?lang=en" title="XSS Playground - Chained attack (phishing + fullscreen + redirect)" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>
Explanation
- Right after the iframe loads, a fullscreen overlay impersonates the service UI, while the user still feels they are inside the trusted site.
- The user enters credentials; values flow to the iframe's own origin and would be sent to an attacker server in a real attack.
- Immediately after capture, a top redirect to the real site makes the flow feel like "I just signed in once."
- Each step uses browser APIs that can work without breaking Same-Origin Policy.
- A host allowlist or strict sandbox that blocks arbitrary-host iframes is the most effective single defense.
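The host-allowlist and strict-sandbox defense from the last bullet, as an added example that is not the playground's own code: one function audits what an existing sandbox value still grants (mapped to the three policy rows above), and another builds an embed only for an allowlisted https host with a sandbox that never carries top-navigation tokens. The allowlist and the two permitted tokens are constructed assumptions.

```javascript
// Added defensive example (not the playground's code). The allowlist and the
// permitted token set are constructed assumptions for the demonstration.
const ALLOWED_EMBED_HOSTS = new Set(["xss-playground.com"]);
const PERMITTED_SANDBOX_TOKENS = new Set(["allow-scripts", "allow-forms"]);

// Capabilities a frame keeps under a given sandbox attribute value.
// undefined means the attribute is absent (no sandbox at all).
function auditSandbox(sandboxAttr) {
  const sandboxed = typeof sandboxAttr === "string";
  const tokens = new Set(sandboxed ? sandboxAttr.split(/\s+/).filter(Boolean) : []);
  const granted = (t) => !sandboxed || tokens.has(t);
  const caps = [];
  if (granted("allow-scripts")) caps.push("scripts");
  if (granted("allow-forms")) caps.push("forms");
  if (granted("allow-top-navigation") || granted("allow-top-navigation-by-user-activation")) {
    caps.push("top-navigation");
  }
  return caps;
}

// Maps a sandbox value onto the policy table: works / partial / blocked.
function rateSandbox(sandboxAttr) {
  const caps = auditSandbox(sandboxAttr);
  if (!caps.includes("scripts")) return "blocked";
  return caps.includes("top-navigation") ? "works" : "partial";
}

const escapeAttr = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;");

// Returns { src, sandbox, html } for an allowlisted https host, else null.
// Requested tokens outside PERMITTED_SANDBOX_TOKENS are silently dropped.
function buildEmbed(urlString, requestedTokens = []) {
  let url;
  try { url = new URL(urlString); } catch { return null; }
  if (url.protocol !== "https:" || !ALLOWED_EMBED_HOSTS.has(url.hostname)) return null;
  const sandbox = [...new Set(requestedTokens)]
    .filter((t) => PERMITTED_SANDBOX_TOKENS.has(t)).sort().join(" ");
  const html = `<iframe src="${escapeAttr(url.href)}" sandbox="${sandbox}" ` +
    `referrerpolicy="strict-origin-when-cross-origin"></iframe>`;
  return { src: url.href, sandbox, html };
}
```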