From 4b2fc840c9cbf777b90b3777c50a359fb69c3dcd Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sun, 25 Jan 2026 12:40:14 +0000 Subject: [PATCH] Add content from: Iframe Sandbox Trick --- src/pentesting-web/clickjacking.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/src/pentesting-web/clickjacking.md b/src/pentesting-web/clickjacking.md index 132ea46716f..cbd8a587f10 100644 --- a/src/pentesting-web/clickjacking.md +++ b/src/pentesting-web/clickjacking.md 
@@ -179,6 +179,19 @@ Attackers can therefore read UI state without JavaScript. Example booleans from Each detected state gates a different overlay bitmap embedded via `feImage xlink:href="data:..."`. Masking those bitmaps with `D`, `L`, `C`, `R` keeps the overlays synchronized with the real dialog and walks the victim through multi-step workflows (password resets, approvals, destructive confirmations) without ever exposing the DOM. +### Sandboxed iframe Basic Auth dialog (no allow-popups) + +A sandboxed iframe without `allow-popups` can still surface a browser-controlled **HTTP Basic Authentication modal** when a load returns `401` with `WWW-Authenticate`. The dialog is spawned by the browser’s networking/auth layer (not JS `alert/prompt/confirm`), so popup restrictions in the sandbox do **not** suppress it. If you can script the iframe (e.g., `sandbox="allow-scripts"`) you can navigate it to any endpoint issuing a Basic Auth challenge: + +```html + + +``` + +Once the response arrives, the browser prompts for credentials even though popups are disallowed. Framing a trusted origin with this trick enables UI redress/phishing: unexpected modal prompts inside a "sandboxed" widget can confuse users or trigger password managers to offer stored credentials. + ### Browser extensions: DOM-based autofill clickjacking Aside from iframing victim pages, attackers can target browser extension UI elements that are injected into the page. Password managers render autofill dropdowns near focused inputs; by focusing an attacker-controlled field and hiding/occluding the extension’s dropdown (opacity/overlay/top-layer tricks), a coerced user click can select a stored item and fill sensitive data into attacker-controlled inputs. This variant requires no iframe exposure and works entirely via DOM/CSS manipulation. 
@@ -290,5 +303,8 @@ if (top !== self) { - [**https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html**](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html) - [DOM-based Extension Clickjacking (marektoth.com)](https://marektoth.com/blog/dom-based-extension-clickjacking/) - [SVG Filters - Clickjacking 2.0](https://lyra.horse/blog/2025/12/svg-clickjacking/) +- [Iframe sandbox Basic Auth modal](https://phor3nsic.github.io/2026/01/21/trick-iframe-sandbox.html) +- [Chromestatus: Restrict sandboxed frame dialogs](https://chromestatus.com/feature/4747009953103872) +- [Chromium issue about sandboxed auth dialogs](https://issues.chromium.org/issues/40266321) {{#include ../banners/hacktricks-training.md}}
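Review bot: in the first hunk the fenced `html` block under "Sandboxed iframe Basic Auth dialog (no allow-popups)" is empty (the two `+` lines between ` ```html ` and ` ``` ` carry nothing), so the sentence ending "you can navigate it to any endpoint issuing a Basic Auth challenge:" points at no snippet; either paste the intended markup or drop the empty fence and the trailing colon so the section does not render a blank code box. The paragraph also states only the attacker-side behaviour; since the hunk itself links a Chromestatus entry titled "Restrict sandboxed frame dialogs" and a Chromium issue about sandboxed auth dialogs, add one sentence noting that the behaviour is browser- and version-dependent and is being restricted upstream, so readers testing it know to check the current Chromium status, and keep the defensive pointer to the OWASP Clickjacking Defense Cheat Sheet already listed in the references (framing restrictions on the trusted origin are what prevent the modal from appearing inside a third-party page).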
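Review bot: in the references hunk the three new entries do not follow the existing list convention, which names the source site in parentheses after the title (e.g. "DOM-based Extension Clickjacking (marektoth.com)"); rename them to match, for example "- [Iframe sandbox Basic Auth modal (phor3nsic.github.io)](https://phor3nsic.github.io/2026/01/21/trick-iframe-sandbox.html)", and give the last entry a descriptive title instead of the placeholder-like "Chromium issue about sandboxed auth dialogs" so the list stays scannable.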