
iframe sandbox #14

Closed
arnaldo-rastani opened this issue Jun 25, 2019 · 4 comments

Comments

@arnaldo-rastani

Hi!
I've been struggling to escape the iframe sandbox. It seems that it can't be undone. I believe it also involves window.location at some level. No matter what I do (rewrite the DOM, change values), it does not seem to work. The values can be changed using the JavaScript replace function, but the page won't work afterwards. So the iframe must be manipulated before loading.
This is the code that's killing me:

<iframe src="https://www.google.com/recaptcha/api2/anchor?ar=1&amp;k=XXX&amp;co=XXX&amp;hl=en&amp;v=v1560753160450&amp;size=normal&amp;cb=ly6d3pq1fuk4" width="304" height="78" role="presentation" name="a-gj16nmeghwr" frameborder="0" scrolling="no" sandbox="allow-forms allow-popups allow-same-origin allow-scripts allow-top-navigation allow-modals allow-popups-to-escape-sandbox"></iframe>

Does anybody know a workaround? Maybe some tips? I would really appreciate it.

@ohpe (Member)

ohpe commented Sep 3, 2019

Why don't you try to remove the sandbox attribute?

@ohpe ohpe closed this as completed Sep 3, 2019
@jaredxx1

jaredxx1 commented Sep 3, 2019

It does not work. I think it's because recaptcha__en.js (https://www.gstatic.com/recaptcha/api2/v1565591531251/recaptcha__en.js) has a function which reads the URL from the address bar. It's an invisible reCAPTCHA which shows after the 5th wrong input attempt. Search for window.location inside recaptcha__en.js. It's the third occurrence. I've tried multiple solutions, like replacing the "co" parameter value with the original one using JavaScript injection, because "co" is basically "https://www.target.com:443" in base64. I've also tried to download it and replace "window.location.href" with the target website. None worked. I wonder how I can trick this one into thinking I am on the real website. Any thoughts?

@ohpe (Member)

ohpe commented Sep 4, 2019

Did you enable the base64 option in the config?

{
  "transform": {
    "base64": {
      "enabled": true,
      "padding": [
        "=",
        "."
      ]
    }
  }
}

@jaredxx1

jaredxx1 commented Sep 4, 2019

Yes, the base64 option is enabled.
