Not your typical XSS challenge this time!
alertIN THIS PAGE - THAT'S YOUR ONLY JOB!
alertAPI must be applied to the origin of this app!
alertfunction from an iframe/new tab/etc.
document.body.appendChild( document.createElement('iframe') ).contentWindow.alert.call( top, 'did it work?!' );
var i = document.createElement('iframe'); i.onload = () => i.contentWindow.alert.call( top, 'did it work?!' ); document.body.append(i);
Snow aspires to standardize how to recursively own newborn windows within a browser webpage, from the context of the webpage itself.
📖 Technical explanation
⚙️ Installation and usage
👩🏽💻 Source Code
💪🏻 Motivation behind this project
~ Can you bypass Snow?
- This website uses Snow to disable
- Use the textarea to run JS code that successfully shows an alert message
- Try to do anything in your power to successfully do so
- Remember: Snow doesn't protect against cross origin realms, you must run your alert under this current origin!
- Click the button to execute your code (
⌘ + ↵/
^ + ↵will work too)
- If you succeed - Congratz! You bypassed Snow (please, open an issue, we'd love to improve its security)
Funded by Consensys 💙
Maintained and developed by MetaMask 🦊
Invented and developed by Gal Weizman 👋🏻