
Monthly Archives: February 2017

The Attack of the Alerts and the Zombie Script

In our previous post we found a way to UXSS (bypass the SOP) using the htmlFile/ActiveXObject. However, I mentioned that there were other interesting things to do using that same object. Have you tried anything? If yes, congratulations. The only way to find bugs is by trying, and today we …


SOP bypass / UXSS on IE11 htmlFile

Today we are going to explore a feature that has been present in Internet Explorer almost since its inception. A feature that allows web developers to instantiate external objects, and because of that it was abused ad nauseam by attackers. Can you guess which feature we are talking about? The ActiveXObject. Even …
