Today we are going to walk around a few design issues that, when used together, will end up in a full SOP bypass or Universal Cross Site Scripting (UXSS) on Microsoft Edge. If you are not a security researcher but you still …
Read More »Yearly Archives: 2016
Spoofing the address bar and the SmartScreen/Malware Warning (Edge)
Update: this bug was patched on 2017-03-14 but we found a bypass the same day. Here it is: Bypassing the patch to continue spoofing the address bar and the Malware Warning. Over the last few months, we’ve seen a proliferation of …
Read More »Abusing of Protocols to Load Local Files, bypass the HTML5 Sandbox and Open Popups (Edge)
On October 25th, the fellows @MSEdgeDev twitted a link that called my attention because when I clicked on it (being on Chrome) the Windows Store App opened. It might not surprise you, but it surprised me! As far as I remembered, …
Read More »Bypassing Mixed Content Warnings – Loading Insecure Content in Secure Pages (Edge/IE)
There are no doubts that the web is moving forward to HTTPS (secure) content. Most important names have today their certificates ready and their websites are in effect, secure. But have you ever wandered: secure to what extent? It’s clear …
Read More »Detecting Local Files to Evade Analysts (IE)
Last month we’ve been looking at how attackers were targeting unsavvy users by checking the associated mimeTypes to applications on the system. If the PC had analyst tools installed, something detected from withing the browser, then the malware refused to …
Read More »On Patching Security Bugs
Hello fellow bug hunter! I want to share with you my thoughts on a slight change that the folks at Microsoft could embrace to make security better. This change, in my opinion, will make the security process more transparent for all, attracting bug …
Read More »Workers SOP Bypass importScripts and baseHref (Edge/IE)
As we know, all browsers impose several restrictions when trying to access resources from different origins. Of course we can play music and render images coming from different domains but thanks to the Same Origin Policy, we will not be able to read …
Read More »Detecting analysts before installing the malware (IE)
With the help of a beautiful piece of code, malware authors can detect installed applications straight from within the browser and serve the bad bits only to unsavvy users. In other words, attackers target regular users by detecting specific analysts applications (like Fiddler) and serving …
Read More »Referer spoofing and defeating the XSS filter (Edge/IE)
According to Wikipedia, “Referer spoofing is the sending of incorrect referer information in an HTTP request in order to prevent a website from obtaining accurate data on the identity of the web page previously visited by the user.” In other words, making …
Read More »CSS History Leak or “I know where you’ve been” (Edge)
Hello fellow bug hunter! I’ve been thinking this morning on the classic trick originally discovered by Jeremiah Grossman back in 2006, where you could find out which sites were visited by the user. If you are not familiar with this beauty, I recommend you …
Read More »Grabbing data from Inputs and Textareas (Edge/IE)
Both Microsoft Edge and Internet Explorer suffer from navigation problems, failing to keep up with the most updated history information. A framed navigation confuses these browsers and what seems to be a naive functionality problem ends up being a security bug: information disclosure across …
Read More »