Security Test - Page Hijack

Collector Log

Payloads in the Live Output column run automatically in sandboxed iframes. Fetch and beacon calls appear here (auto-refreshes every 2 s).

Page Hijack Security Test Cases
C1: window.location redirect
  Payload: <script>window.location='/collect/redirected'</script>
  Expected behavior: Crawler output should not redirect the user when displayed.

C2: Meta refresh redirect
  Payload: <meta http-equiv="refresh" content="0;url=/collect/meta-refresh">
  Expected behavior: Crawler output should not create an active meta refresh tag.

C3: Replace page with fake login form
  Payload: <script>document.body.innerHTML='<form action="/collect/login"><input name="email"><input name="password" type="password"><button>Sign in</button></form>'</script>
  Expected behavior: Crawler output should not allow script text to replace the host page.
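
One way to check the three expected behaviors automatically is to parse the markup that is about to be displayed and report any element that would act on the host page. This is an added example, not code from this test page; `render_raw` and `render_escaped` are hypothetical stand-ins for the step that places crawled text into a page, and the check covers only the script and meta refresh cases listed above.

```python
import html
from html.parser import HTMLParser

# Payloads C1-C3 copied from the test cases above.
PAYLOADS = {
    "C1": "<script>window.location='/collect/redirected'</script>",
    "C2": '<meta http-equiv="refresh" content="0;url=/collect/meta-refresh">',
    "C3": "<script>document.body.innerHTML='<form action=\"/collect/login\">"
          "<input name=\"email\"><input name=\"password\" type=\"password\">"
          "<button>Sign in</button></form>'</script>",
}

class ActiveMarkupFinder(HTMLParser):
    """Records elements that would act on the host page if it rendered them."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "") for name, value in attrs}
        if tag == "script":
            self.findings.append("script element")
        elif tag == "meta" and attr.get("http-equiv", "").strip().lower() == "refresh":
            self.findings.append("meta refresh")

def active_markup(rendered_html):
    """Return the active elements found in markup destined for the page."""
    finder = ActiveMarkupFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.findings

def render_raw(crawled_text):
    # Weak (hypothetical): crawled text is concatenated into the page as markup.
    return "<td>" + crawled_text + "</td>"

def render_escaped(crawled_text):
    # Corrected (hypothetical): crawled text is escaped and shows as inert text.
    return "<td>" + html.escape(crawled_text, quote=True) + "</td>"

def audit(render):
    """Map each case id to the active markup its rendered output contains."""
    return {case: active_markup(render(p)) for case, p in PAYLOADS.items()}

if __name__ == "__main__":
    print("raw:    ", audit(render_raw))
    print("escaped:", audit(render_escaped))
```

In C3 the form markup sits inside the script body, so the parser reports the script element rather than a form; neutralizing the script is what keeps the fake login form from ever being built.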
