Pink Sock - Security Test Suite

Test pages to verify iframe security vulnerability detection

This collection of test pages demonstrates various security vulnerabilities related to iframes that the Pink Sock browser extension should detect. Each page contains a specific security issue or a combination of issues. Navigate to any test page with the Pink Sock extension enabled to see how it identifies and reports these vulnerabilities.

IFrame Sandbox Vulnerabilities

These tests demonstrate issues with iframe sandbox attribute configuration.

Missing Sandbox Attribute (severity: High)
  An iframe without any sandbox attribute, so the framed content runs with full privileges.
Sandbox Bypass (severity: High)
  Iframe sandboxed with both allow-scripts and allow-same-origin; together these tokens let the framed content remove its own sandbox attribute, defeating the protection.
Risky Navigation (severity: Medium)
  Iframe with allow-top-navigation (rather than allow-top-navigation-by-user-activation), which lets framed content navigate the top-level page without a user gesture and could enable clickjacking.
Form & Script Combinations (severity: Medium)
  Iframe with allow-forms and allow-scripts without further restrictions.

Content Security Policy Issues

These tests demonstrate issues with Content Security Policy configurations related to iframes.

Missing Content Security Policy (severity: Medium)
  Page without any Content Security Policy header or meta tag.
Missing frame-ancestors Directive (severity: Medium)
  CSP that omits the frame-ancestors directive, so nothing prevents the page from being framed (clickjacking).
Missing frame-src Directive (severity: Medium)
  CSP without a frame-src or default-src directive to control which sources may be loaded in iframes.
Unsafe Inline Scripts (severity: Medium)
  CSP that allows 'unsafe-inline' scripts, which weakens its protection against injected script.

Feature Policy Issues

These tests demonstrate issues with Feature/Permissions Policy configurations.

Risky Feature Permissions (severity: Medium)
  Iframe whose allow attribute grants potentially risky features such as camera and microphone.
Fullscreen Permission (severity: Low)
  Iframe with the allowfullscreen attribute, which framed content could use to present a full-screen phishing page.
Payment Request Permission (severity: Medium)
  Iframe with the allowpaymentrequest attribute, which increases the attack surface.

Cross-Origin Issues

These tests demonstrate cross-origin vulnerabilities.

Missing crossorigin Attribute (severity: Medium)
  Cross-origin iframe without a crossorigin attribute.
Weak Referrer Policy (severity: Low)
  Cross-origin iframe with a weak or missing referrer policy.
Target Blank Links (severity: Low)
  Cross-origin link with target="_blank" but without rel="noopener".

Secure Implementation Examples

These pages demonstrate proper secure implementations for comparison.

Secure IFrame Implementation
  Example of a properly secured iframe with all recommended protections.
Secure Content Security Policy
  Example of a robust Content Security Policy configuration.