WRITEUP #6559

<iframe> Sandbox Bypass, Cross-Origin Drag-Drop, Unvalidated postMessage origin, Cookie Bomb to Account Takeover

Post message, Account Takeover, Cookie Bomb
by @RenwaX23 (Renwa)
Published: Mar 10, 2026
Added to HackDex: Mar 10, 2026
Read Full Writeup: https://medium.com/@renwa/iframe-sandbox-bypass-cross-origin-drag-drop-unvalidated-postmessage-origin-cookie-bomb-to-21357a4d94f5
RELATED WRITEUPS
Interesting Story of an Account Takeover Vulnerability
Auth Bypass, Account takeover
Self-XSS to ATO via Site Features
XSS, Self-XSS
CSRF Bypass Using Domain Confusion Leads To ATO
CSRF, Account takeover
Instagram and Meta 2FA Bypass by Unprotected Backup Code Retrieval in Accounts Center
Auth Bypass, 2FA / MFA bypass
How 1 Exposed Honeywell API Gave us Control Over an Internal Engineering System
Recon, Missing authentication
