DOM Clobbering Wiki
Stable
Nested Window Proxies
These markups use the Iframe srcdoc rule (R4) to create nested window proxies that are named with x and y, respectively.
Similarly to the previous group of markups, they use rule R1 or R2 to clobber the base object. The stacked iframes then enable attackers to exploit frame navigation features to clobber object properties like x.y.
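A defensive check for the pattern described above, as an added example that is not part of the wiki: it walks a property path such as x.y and reports the first hop that resolves to a window proxy or DOM node instead of a script-defined value. The helper names and the fakeWindow stand-ins are assumptions constructed for this example.

```javascript
// Added example: classify each hop of a property path such as "x.y"
// so code can refuse values that came from named frames or elements.

// A WindowProxy always satisfies v.window === v (readable cross-origin too).
function isWindowLike(v) {
  try {
    return v !== null && typeof v === "object" && v.window === v;
  } catch (_) {
    return false; // a throwing getter is not a window proxy
  }
}

// DOM nodes and collections; guarded so the file also loads outside a browser.
function isDomNode(v) {
  const ctors = ["Element", "HTMLCollection"]
    .map((n) => globalThis[n])
    .filter((c) => typeof c === "function");
  return ctors.some((c) => v instanceof c);
}

// Walk `path` from `root`; return the first clobbered hop, or null if clean.
function findClobberedHop(root, path) {
  let cur = root;
  const seen = [];
  for (const key of path.split(".")) {
    if (cur === null || cur === undefined) return null; // path does not resolve
    cur = cur[key];
    seen.push(key);
    if (isWindowLike(cur)) return { hop: seen.join("."), kind: "window-proxy" };
    if (isDomNode(cur)) return { hop: seen.join("."), kind: "dom-node" };
  }
  return null;
}

// Constructed stand-ins for a page with nested named frames (not real DOM).
function fakeWindow(frames = {}) {
  const w = { ...frames };
  w.window = w; // mimic the self-reference every window exposes
  return w;
}
const clobberedPage = fakeWindow({ x: fakeWindow({ y: fakeWindow() }) });
const cleanPage = fakeWindow({ x: { y: "https://example.test/app.js" } });
```

In a browser, call findClobberedHop(window, "x.y") before trusting the value and fall back to a safe default when the result is not null.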