XSS in Shazzer via sandbox escape
⚔️ Attack Techniques & Methods | 2026-06-08, 14:47
Shazzer is a service created by Gareth Heyes for browser security testing and XSS research. It allows users to run custom JavaScript, with all code executed inside an <iframe sandbox="allow-scripts allow-forms">. Without the allow-same-origin flag, code running inside the sandbox receives an opaque origin (serialized as null) and cannot access data belonging to the site itself.

The issue was related to how browsers handle Blob URLs. User code was executed from URLs such as:

blob:https://shazzer.co.uk/<uuid>

While the Blob was executed inside the sandboxed iframe, the restrictions worked as expected. However, the researcher discovered that opening the same Blob URL outside the iframe caused the browser to associate it with the shazzer.co.uk origin, since a Blob URL carries the origin of the document that created it. As a result, code intended to remain isolated executed in the site's own security context.

Exploitation required chaining several browser quirks:
• leaking the Blob identifier via WebRTC/STUN;
• delayed Blob URL revocation caused by a DataCloneError thrown during postMessage;
• opening the Blob through user navigation.

To demonstrate impact, the researcher gained access to user session data.
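The host-side patterns behind this class of bug, as an added example that is neither Shazzer's code nor the researcher's: the risky pattern of minting a Blob URL in the host origin, a safer srcdoc-based alternative, an origin audit for Blob URLs, and a revocation that survives a DataCloneError. Function names, the hostOrigin value and the sample URL are assumptions; that the revoke call originally followed postMessage is also an assumption.

```javascript
// Added example, not Shazzer's own code. Names and the hostOrigin value are
// assumptions; the sample URL is constructed to match the page's pattern.

// A blob: URL carries the origin of the document that minted it, wherever it
// is later opened. The origin is the text between "blob:" and the last "/"
// ("https://shazzer.co.uk" here; "null" for an opaque, sandboxed origin).
function blobUrlOrigin(url) {
  if (!url.startsWith('blob:')) return null;
  const rest = url.slice('blob:'.length);
  const slash = rest.lastIndexOf('/');
  return slash === -1 ? null : rest.slice(0, slash);
}

// Audit rule: untrusted script must never be loadable from a URL bound to the
// host's own origin, because opening it outside the sandbox runs it as the host.
function isSafeToExecute(url, hostOrigin) {
  const origin = blobUrlOrigin(url);
  return origin !== null && origin !== hostOrigin;
}

// Risky pattern (the one the page describes): the host page creates the Blob,
// so the URL is bound to the host origin even though the iframe is sandboxed.
function riskyIframeConfig(userCode, createObjectURL) {
  const src = createObjectURL(new Blob([userCode], { type: 'text/html' }));
  return { src, sandbox: 'allow-scripts allow-forms' };
}

// Safer pattern: inject the code with srcdoc. Without allow-same-origin the
// document still gets an opaque origin, and no host-origin blob: URL exists
// that could leak or be navigated to. (Serving user code from a dedicated
// origin is the other common fix.)
function saferIframeConfig(userCode) {
  return { srcdoc: userCode, sandbox: 'allow-scripts allow-forms' };
}

// If a host-origin blob: URL must exist briefly, revoke it in a finally block
// so a thrown DataCloneError (a postMessage payload that cannot be cloned)
// cannot skip the revocation and leave the URL alive for later navigation.
function handOffAndRevoke(url, post, revoke) {
  try {
    post(url);
    return true;
  } catch (e) {
    return false;           // e.g. DataCloneError from postMessage
  } finally {
    revoke(url);            // runs on both the success and the error path
  }
}
```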