PayPal
App Quality Report
Powered by Testers.AI
B-81%
Quality Score
10
Pages
147
Issues
8.2
Avg Confidence
8.1
Avg Priority
78 Critical, 55 High, 14 Medium
Testers.AI AI Analysis

PayPal scored B- (81%) with 147 issues across 8 tested pages, ranking #7 of 8 Testlio portfolio apps. That's 52 fewer than the 199.2 category average (62nd percentile).

Top issues to fix immediately: "Iframe sandbox misconfiguration can escape sandbox (allow-scripts + al": Inspect all iframes with sandbox attributes; "Page renders with no visible content (blank screen)": Ensure the main content renders reliably on load; "Network resource load failed due to DNS resolution (ERR_NAME_NOT_RESOL": Identify the resource URL(s) triggering ERR_NAME_NOT_RESOLVED from the network log, verify DNS configuration and host....

Weakest area, usability (2/10): No apparent actions or navigation; user can't identify next steps.

Quick wins: Reload with a visible hero section, navigation, and primary CTAs to establish trust and direction. Ensure core actions (Sign Up, Log In, Help) are visible above the fold and responsive.

Qualitative Quality (chart: PayPal vs. Category Avg vs. Best in Category)
Issue Count by Type
Security: 31
Content: 24
A11y: 21
UX: 9
Visual: 8
Legal: 1
Pages Tested · 10 screenshots
Detected Issues · 147 total
1. Iframe sandbox misconfiguration can escape sandbox (allow-scripts + allow-same-origin)
CRIT P9
Conf 9/10 · Security, Other
Prompt to Fix
Identify all iframes on the page that use a sandbox attribute including both allow-scripts and allow-same-origin. For each instance, remove one of these allowances or migrate to a stricter sandbox (e.g., sandbox without allow-scripts). If script execution within the iframe is required, implement secure cross-origin messaging (postMessage) and a strict origin policy. Add and validate a Content Security Policy (CSP) to further restrict iframe resources. Test across major browsers to ensure no sandbox-escape warnings persist.
Why it's a bug
The console warns that an iframe with both allow-scripts and allow-same-origin in its sandbox attribute can escape the sandbox. This configuration can permit untrusted embedded content to run scripts and access the parent origin, enabling cross-origin attacks such as XSS or data leakage.
Why it might not be a bug
If the page intentionally requires this exact combination for a trusted, isolated use case, the warning might be a false positive. However, given the general risk, it should still be reviewed and confirmed by a security engineer.
Suggested Fix
Inspect all iframes with sandbox attributes. Remove either allow-scripts or allow-same-origin if not necessary. Prefer strict sandbox usage (e.g., sandbox without allow-scripts) and avoid enabling script execution from embedded content. If cross-origin communication is needed, implement secure postMessage patterns and restrict origins. Additionally, enforce a robust Content Security Policy (CSP) to limit resources loaded by iframes.
Why Fix
Correctly configuring iframe sandbox reduces the risk of sandbox escape, cross-origin data leakage, and potential XSS vectors, strengthening the app's defense-in-depth.
Route To
Frontend Security Engineer / Web Platform Security
Page
Tester
Sharon · Security Console Log Analyzer
Technical Evidence
Console: [WARN] An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.
2. Iframe sandbox misconfiguration: allow-scripts with allow-same-origin can escape sandboxing
CRIT P9
Conf 9/10 · Security, Other
Prompt to Fix
Update HTML markup to adjust the iframe sandbox attribute: remove either allow-scripts or allow-same-origin (or both, if not required). Example: <iframe src="..." sandbox="allow-scripts"> or sandbox="" to disable scripting. If cross-origin features are required, implement secure postMessage communication and restrict allowed origins. Review all iframes and ensure third-party content is loaded in a strictly sandboxed context.
Why it's a bug
Warning indicates the iframe sandbox attribute includes both allow-scripts and allow-same-origin. This combination can weaken the sandbox and allow scripts from the iframe to interact with the origin, increasing risk of XSS/data leakage.
Why it might not be a bug
If the iframe content is fully trusted and necessary for functionality, developers may accept relaxed sandbox settings. However, safer defaults are generally recommended.
Suggested Fix
Review all iframes with sandbox attributes. Remove allow-scripts or allow-same-origin to enforce stricter sandboxing. If cross-origin messaging is required, implement secure postMessage communication and restrict allowed origins. Validate iframe content source and ensure third-party content is loaded in a restricted, sandboxed context.
Why Fix
Weak sandboxing can enable cross-origin script execution and data exfiltration. Tightening iframe sandbox mitigates potential XSS and data leakage, improving overall security.
Route To
Frontend Security Engineer / Web Platform Engineer
Page
Tester
Sharon · Security Tester
Technical Evidence
Console: [WARN] An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.
3. Sensitive Datadog RUM API key exposed in network request URL
CRIT P9
Conf 9/10 · Other
Prompt to Fix
Please remove the dd-api-key from the Datadog RUM POST URL. Implement authorization with a header token (Authorization: Bearer <token>) or a short-lived API key in a secure header. Ensure no secrets travel in query parameters. Review and rotate keys, enable data minimization for telemetry, and implement auditing to prevent secret leakage in client-side network calls.
Why it's a bug
The browser sends a Datadog Real User Monitoring (RUM) payload to a third-party Datadog intake endpoint including the dd-api-key in the URL. Exposing API keys in URLs can be logged by intermediaries, browser history, and network monitoring tools, enabling misuse and unauthorized data ingestion by third parties. This leaks credentials and secret tokens, violating data protection expectations and potentially exposing user telemetry to outsiders.
Why it might not be a bug
Some services use API keys in URLs for simplicity or are using a public test key. However, exposing keys in URL is a known security risk and can be captured in logs, history, or referer headers. Even if intended as a test key, best practices require not exposing credentials in URLs.
Suggested Fix
Remove API key from the URL and transmit authentication secrets via HTTP headers or a short-lived, scoped token. Use Authorization: Bearer <token> or X-Datadog-apikey header, ensure the token has limited scope and TTL. Do not log or expose keys in query parameters. Audit Datadog RUM integration configuration and rotate/revoke any compromised keys. Consider server-side relay for telemetry with minimal data.
Why Fix
Prevent credential leakage and unauthorized use of the Datadog RUM ingestion endpoint, improving user privacy and reducing risk of data exfiltration. Aligns with secure-by-default data collection practices and reduces exposure in browser histories and network logs.
Route To
Security Engineer
Page
Tester
Pete · Privacy Networking Analyzer
Technical Evidence
Console: POST https://browser-intake-us5-datadoghq.com/api/v2/rum?ddsource=browser&ddtags=sdk_version%3A5.35.1%2Capi%3Afetch%2Cenv%3Aproduction%2Cservice%3Appcmsnodeweb%2Cversion%3A2.63.0&dd-api-key=pubc2ea00ebdaf6a0f6395d8d4d458f2802&dd-evp-origin-version=5.35.1&dd-evp-origin=browser&dd-request-id=6d46fdf2-cb19-4843-9641-870e2983ebf1&batch_time=1773787124859
Network: POST https://browser-intake-us5-datadoghq.com/api/v2/rum?ddsource=browser&ddtags=sdk_version%3A5.35.1%2Capi%3Afetch%2Cenv%3Aproduction%2Cservice%3Appcmsnodeweb%2Cversion%3A2.63.0&dd-api-key=pubc2ea00ebdaf6a0f6395d8d4d458f2802&dd-evp-origin-version=5.35.1&dd-evp-origin=browser&dd-request-id=6d46fdf2-cb19-4843-9641-870e2983ebf1&batch_time=1773787124859