Fake login form (phishing)
Draw a parent-like login form inside an iframe and collect user input on the iframe's own origin.
Behavior by sandbox policy
| Policy | Expected result |
|---|---|
| No sandbox | works |
| sandbox="allow-scripts" | works |
| sandbox="" (strictest) | partial |
Embed snippet
This snippet uses the dedicated embed page. Paste it into your own service and check rendering or blocking behavior.
<iframe src="https://xss-playground.com/embed/phishing-form?lang=en" title="XSS Playground - Fake login form (phishing)" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>
In a real attack this iframe would be placed inside the parent page to look like the service's own modal or login area. The user has no easy way to notice that the content's domain is attacker.example rather than the service's.
Fake login form (free to draw anything inside its own origin)
Captured log
// no logs
Explanation
- The form inside the iframe is just a page on its own origin, so it can render any UI and submit values to its own server. The same-origin policy (SOP) does not come into play: the attacker's page never needs to read the parent's data, it only needs the user to type into it.
- Even sandbox="allow-scripts" blocks native form submit, but JS can still collect the values and send them out with fetch. Only sandbox="" blocks JS too.
- The strongest mitigation is a host allowlist for iframe src.
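The allowlist mitigation above, written out as an added example that is not part of the playground's own code: an embed URL is parsed and checked against a fixed set of hosts, rendered with the strictest sandbox, and the same hosts are emitted as a CSP frame-src directive. The host names in ALLOWED_EMBED_HOSTS and the function names are constructed for this example.

```javascript
// Added example: host allowlist for iframe src, plus the matching CSP directive.
// The allowed hosts below are constructed for the example.
const ALLOWED_EMBED_HOSTS = new Set(["xss-playground.com", "player.example"]);

// Returns the normalized src when the URL is allowed, otherwise null.
function checkEmbedSrc(rawSrc, allowedHosts = ALLOWED_EMBED_HOSTS) {
  let url;
  try {
    url = new URL(String(rawSrc)); // no base URL, so relative paths are rejected
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;    // rejects javascript:, data:, http:
  if (url.username || url.password) return null; // rejects user@host forms
  // Exact match on the parser-normalized (lower-cased) hostname. A suffix or
  // substring match would also accept unrelated hosts that merely contain
  // an allowed name, which is the usual allowlist mistake.
  if (!allowedHosts.has(url.hostname)) return null;
  return url.href;
}

// Builds the iframe markup for an allowed src. sandbox="" is the strictest
// policy from the table above: no scripts, no form submit, no same-origin,
// so even a mis-configured allowlist entry cannot run JS or post a form.
function renderEmbed(rawSrc, allowedHosts = ALLOWED_EMBED_HOSTS) {
  const src = checkEmbedSrc(rawSrc, allowedHosts);
  if (src === null) return null;
  const escaped = src.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return `<iframe src="${escaped}" sandbox="" referrerpolicy="strict-origin-when-cross-origin"></iframe>`;
}

// The same allowlist as a Content-Security-Policy directive, so the browser
// enforces it even if the server-side check is bypassed somewhere else.
function frameSrcDirective(allowedHosts = ALLOWED_EMBED_HOSTS) {
  return "frame-src " + [...allowedHosts].map((h) => `https://${h}`).join(" ") + ";";
}
```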