Fullscreen overlay impersonation
Place an iframe over the screen and draw a parent-like UI to deceive the user.
Behavior by sandbox policy
| Policy | Expected result |
|---|---|
| No sandbox | works |
| sandbox="allow-scripts" | works |
| sandbox="" (strictest) | partial |
Embed snippet
This snippet uses the dedicated embed page. Paste it into your own service and check rendering or blocking behavior.
<iframe src="https://xss-playground.com/embed/fullscreen-overlay?lang=en" title="XSS Playground - Fullscreen overlay impersonation" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>
Run
In a real attack the parent page's own CSS positions the iframe so that it covers the screen. Within its own origin the iframe can draw any UI it likes, including one that mimics the embedding service.
Explanation
- How the iframe is laid out is the parent page's responsibility. If a service places arbitrary iframes in large trusted regions, visual impersonation is possible.
- The real Fullscreen API requires a user gesture, but a plain DOM overlay can be drawn without one.
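Because the layout is the parent page's responsibility, the practical defence is to check how much trusted screen area each embed is actually given. The following is an added example, not code from XSS Playground: a small audit that takes an iframe's bounding rectangle (the shape `Element.getBoundingClientRect()` returns in a browser), the rectangle of the slot the page allocated for it, the viewport size and the computed CSS `position`, and reports whether the frame escapes its slot, covers more than an assumed threshold of the viewport, or is taken out of normal flow. The sample rectangles and the 50% threshold are constructed for the example; the sandbox policy of the frame plays no part, which is the point the table above makes.

```javascript
// Added example (not XSS Playground code): audit where the parent page lays out an
// embedded iframe. The frame's content and sandbox attribute are irrelevant here;
// what matters is how much trusted screen area the parent hands to the frame and
// whether the frame stays inside the slot the page allocated for it.

// Maximum share of the viewport a third-party embed may cover before it is flagged.
// Assumed threshold chosen for this example, not a standard value.
const MAX_VIEWPORT_COVERAGE = 0.5;

// Rectangles are {x, y, width, height} in CSS pixels, viewport coordinates.
function area(rect) {
  return Math.max(0, rect.width) * Math.max(0, rect.height);
}

// Overlap between two rectangles; used for both coverage and confinement checks.
function intersectionArea(a, b) {
  const w = Math.min(a.x + a.width, b.x + b.width) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.height, b.y + b.height) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

// Fraction of the visible viewport covered by the frame (0..1).
function viewportCoverage(frameRect, viewport) {
  const vp = { x: 0, y: 0, width: viewport.width, height: viewport.height };
  return area(vp) === 0 ? 0 : intersectionArea(frameRect, vp) / area(vp);
}

// True when the frame lies entirely inside the slot the page allocated for it.
function isConfined(frameRect, slotRect) {
  return area(frameRect) > 0 && intersectionArea(frameRect, slotRect) === area(frameRect);
}

// Audit one embed. `position` is the iframe's computed CSS position; fixed or
// absolute positioning lets a frame ignore its slot entirely, so it is reported.
function auditEmbed({ frameRect, slotRect, viewport, position }) {
  const findings = [];
  const coverage = viewportCoverage(frameRect, viewport);
  if (!isConfined(frameRect, slotRect)) findings.push("frame escapes its slot");
  if (coverage > MAX_VIEWPORT_COVERAGE) {
    findings.push(`frame covers ${(coverage * 100).toFixed(0)}% of viewport`);
  }
  if (position === "fixed" || position === "absolute") {
    findings.push(`frame uses position:${position}`);
  }
  return { ok: findings.length === 0, coverage, findings };
}

// Constructed sample: a 1280x800 viewport, one well-behaved 600x420 embed sitting
// in its slot, and one that the parent page's CSS has stretched over the screen.
const VIEWPORT = { width: 1280, height: 800 };
const SAMPLE_EMBEDS = {
  benign: {
    frameRect: { x: 340, y: 120, width: 600, height: 420 },
    slotRect: { x: 340, y: 120, width: 600, height: 420 },
    viewport: VIEWPORT,
    position: "static",
  },
  overlay: {
    frameRect: { x: 0, y: 0, width: 1280, height: 800 },
    slotRect: { x: 340, y: 120, width: 600, height: 420 },
    viewport: VIEWPORT,
    position: "fixed",
  },
};

for (const [name, embed] of Object.entries(SAMPLE_EMBEDS)) {
  console.log(name, auditEmbed(embed));
}
```

In a browser the same function can be run over `document.querySelectorAll("iframe")`, feeding it `getBoundingClientRect()` for the frame and its container plus `getComputedStyle(el).position`; the benign sample passes with about 25% coverage, while the overlay sample is flagged on all three counts.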