First post here. Hello all!

I am taking a swing at testing as to whether or not the IFrame Sandbox attribute works well or not, dont really care so much on the content. The purpose is to allow users to SAFELY upload scripts and have them run on other users browsers. I know the very first thing most people will say is "never ever allow users to run their own scripts". Well that is the exact purpose that IFrames now have the Sandbox attribute. So I am NOT going to listen to "dont ever run user uploaded scripts".

Reason is that Security is always inversely proportional to Functionality. Sure you can have a car perfectly safe if you never ever drive it. If I were to listen to the "never run user scripts", that is the equivalent of "just dont drive anywhere, ever". It completely defeats the purpose.

Now, to test things out, I have a small rather crappy web server I use to test stuff on. I put together a page that has a sandboxed IFrame in it. I want to see if anyone can inject their own code into this webpage and break out of the IFrame. This is SIMULATED, so I made the injection as easy as I could, the Iframe will echo ANYTHING you type into it, especially scripts, which at this time is what my goal is. So you dont have to do anything super tricky to try your Injection Attack.

This page does not have anything insecure as it does not allow other user scripts to run in it. The content that is there is for testing some functionality ONLY. So even if someone else is able to break the iFrame, it will not put you at risk.

This TEST PAGE has a couple of things to maintain functionality without compromising your security. It has a link that you can try to click on, that you should not be able to. It has a "button" to "Evil Site" which is just W3Schools.com, but it should NOT open. It also has another button to load data from my test server which SHOULD work. Just an AJAX call to make data go back and forth safely between the IFrame and my test server. You know, kind of like watching a Youtube video where their embedded content has to come from Youtube but no where else. Right?

Would you guys mind testing this page and seeing if you can use a Script Injection to break out of my IFrame? If so, what do I need to do in order to lock it down properly?

http://www.webucate.me/iframe/

Again, this page should NOT be dangerous to you at all. I am trying to play the part of the victim here, not make you the victim...