ASOS
App Quality Report
Powered by Testers.AI
B (83%)
Quality Score
6
Pages
137
Issues
7.4
Avg Confidence
7.8
Avg Priority
42 Critical · 72 High · 23 Medium
Testers.AI AI Analysis

ASOS scored B (83%) with 137 issues across 7 tested pages, ranking #9 of 14 US retail sites. That's 32 more than the 105.1 category average (29th percentile).

Top issues to fix immediately: "Iframe Sandbox Bypass Vulnerability - allow-scripts and allow-same-ori": Remove either 'allow-scripts' or 'allow-same-origin' from iframe sandbox attributes; "Multiple DNS Resolution Failures - Critical Network Issue": 1) Verify all resource URLs in the application code for typos or incorrect domain names; "Adobe Audience Manager tracking request exposes organization ID and vi": 1) Implement a consent management platform (CMP) that blocks all Adobe tracking requests until explicit user consent ....

Weakest area: accessibility (6/10). Potential concerns with color contrast in some areas, limited alt text visibility, and small font sizes in the footer.

Quick wins: Improve color contrast ratios throughout, especially in text overlays on images, to meet WCAG AA standards. Add descriptive alt text to all product images and clarify link purposes for screen reader users.

Qualitative Quality
ASOS
Category Avg
Best in Category
Issue Count by Type
A11y
39
Content
21
Security
19
UX
7
Pages Tested · 6 screenshots
Detected Issues · 137 total
1
Iframe Sandbox Bypass Vulnerability - allow-scripts and allow-same-origin Combined
CRIT P10
Conf 9/10 · Other · Security
Prompt to Fix
SECURITY ISSUE: Multiple iframes on this page have BOTH 'allow-scripts' AND 'allow-same-origin' in their sandbox attribute. This is a critical vulnerability that allows iframe sandbox escape. The browser is warning about this in console logs. Find all iframe elements with sandbox attributes containing both these permissions. Remove 'allow-same-origin' if script execution is needed, OR remove 'allow-scripts' if same-origin access is required. Never combine these two permissions. If cross-origin communication is needed, implement secure postMessage handlers instead. Test that the application still functions correctly after removing the dangerous permission combination.
Why it's a bug
The console warns multiple times that iframes have both 'allow-scripts' and 'allow-same-origin' sandbox attributes simultaneously. This combination is a CRITICAL security vulnerability because it allows the iframe to escape its sandbox and access the parent page's DOM, cookies, localStorage, and execute arbitrary code with full privileges. This directly enables XSS attacks, session hijacking, and data theft from the parent application.
Why it might not be a bug
None. This is a well-documented security flaw that product teams must address immediately.
Suggested Fix
Remove either 'allow-scripts' or 'allow-same-origin' from iframe sandbox attributes. If script execution is required, do NOT grant same-origin access. If same-origin access is needed, do NOT allow scripts. Use postMessage API for secure cross-origin communication instead of combining these dangerous permissions.
Why Fix
This vulnerability directly enables attackers to break out of iframe isolation, compromise user sessions, steal sensitive data, and inject malicious code. It represents a critical breach of the security model that iframes are supposed to provide.
Route To
Security Engineer / Frontend Security Lead
Page
Tester
Sharon · Security Console Log Analyzer
2
Sandbox Escape Vulnerability: iframe with Both allow-scripts and allow-same-origin Attributes
CRIT P9
Conf 9/10 · Security · Other
Prompt to Fix
The application has a critical sandbox escape vulnerability: an iframe element has both 'allow-scripts' and 'allow-same-origin' sandbox attributes simultaneously. This combination allows malicious scripts to escape the sandbox and access the parent window, enabling XSS attacks and data theft. Find the iframe element in the code and remove the 'allow-same-origin' attribute. If cross-origin communication is needed, replace direct access with postMessage API calls for secure parent-child window communication. Provide the corrected iframe HTML with appropriate sandbox restrictions and example postMessage code if needed.
Why it's a bug
The console warning explicitly states: 'An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.' This is a critical security vulnerability commonly found in AI-generated code where developers add sandbox attributes without understanding the security implications. The combination of allow-scripts + allow-same-origin allows injected scripts to access the parent window and bypass origin restrictions, enabling XSS and data theft attacks.
Why it might not be a bug
If the iframe content is fully trusted and generated internally, this might be acceptable. However, best practice security requires minimizing iframe permissions regardless of trust level.
Suggested Fix
Remove either allow-same-origin or allow-scripts from the iframe sandbox attribute. If both permissions are truly needed, isolate the iframe in a separate origin. Use a more restrictive sandbox attribute like: sandbox='allow-scripts allow-popups allow-forms' without allow-same-origin. If same-origin access is required, use postMessage API for communication instead.
Why Fix
This vulnerability allows attackers to escape the iframe sandbox and access sensitive parent window data, execute malicious scripts in the parent context, or perform unauthorized actions. This is a critical security issue that must be fixed immediately.
Route To
Security Engineer / Frontend Security Specialist
Page
Tester
Jason · GenAI Code Analyzer
Technical Evidence
Console: [WARN] An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.
3
Iframe Sandbox Escape Vulnerability
CRIT P9
Conf 9/10 · Security · Other
Prompt to Fix
Fix the iframe sandbox escape vulnerability. Find all iframe elements with sandbox attributes containing both 'allow-scripts' and 'allow-same-origin'. Remove one of these attributes (typically allow-same-origin if scripts are needed) to prevent sandbox escape. If both capabilities are required, refactor to use the postMessage API for secure cross-origin communication instead. Test that functionality still works after removing the attribute.
Why it's a bug
The browser warning explicitly states: 'An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.' This is a documented security vulnerability. Having both allow-scripts AND allow-same-origin together defeats the entire purpose of the sandbox attribute, creating a significant security risk where the iframe can access the parent window's context, bypass same-origin policy, and execute arbitrary code with elevated privileges.
Why it might not be a bug
This is a direct security warning from the browser itself - it is definitively a bug, not a false positive.
Suggested Fix
Remove either allow-scripts or allow-same-origin from the iframe's sandbox attribute. If the iframe needs to execute scripts, remove allow-same-origin. If it needs same-origin access, remove allow-scripts. Use the principle of least privilege and grant only the minimum permissions necessary. If both are needed, use a different communication mechanism (postMessage API) instead of relying on sandbox bypass.
Why Fix
This is a critical security vulnerability that could allow an iframe to escape its sandbox and compromise the security of the entire application and user data.
Route To
Security Engineer, Frontend Engineer
Page
Tester
Sharon · Security Tester
Technical Evidence
Console: [WARN] An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.
Iframe Sandbox Security Configuration Vulnerability
Adobe Audience Manager tracking request exposes organization...
Iframe Sandbox Security Configuration - Script Escape Vulner...
and 131 more...