
Information Disclosure

SOP bypass/ UXSS on IE – More Adventures in a Domainless World

A few months ago we had been playing with domainless about:blank pages on Edge. Essentially, a powerful about:blank document was capable of accessing every domain without restriction. It was recently patched as CVE-2017-0002, so it no longer works. The same thing happens with the ActiveXObject/htmlFile (from now on, htmlFile), which was patched last week as CVE-2017-0154. …


SOP bypass / UXSS on IE11 htmlFile

Today we are going to explore a feature that has been present in Internet Explorer almost since its inception: a feature that allows web developers to instantiate external objects and that, because of this, has been abused ad nauseam by attackers. Can you guess which feature we are talking about? The ActiveXObject. Even …


SOP bypass / UXSS on Microsoft Edge – Adventures in a Domainless World

Today we are going to walk through a few design issues that, when used together, add up to a full SOP bypass, or Universal Cross-Site Scripting (UXSS), on Microsoft Edge. If you are not a security researcher but you still want to understand this vulnerability, think about it this way: …


Abusing of Protocols to Load Local Files, bypass the HTML5 Sandbox, Open Popups and more

On October 25th, the fellows at @MSEdgeDev tweeted a link that caught my attention, because when I clicked on it (while on Chrome) the Windows Store app opened. It might not surprise you, but it surprised me! As far as I remember, Chrome had the healthy habit of asking the user before opening external …


Detecting Local Files to Evade Analysts

Last month we looked at how attackers were targeting unsavvy users by checking the MIME types associated with applications on the system. If the PC had analyst tools installed, something detectable from within the browser, then the malware refused to download the bad bits, staying below the radar for a …


Workers SOP Bypass importScripts and baseHref

As we know, all browsers impose several restrictions when a page tries to access resources from different origins. Of course we can play music and render images coming from other domains, but thanks to the Same Origin Policy we will not be able to read the content of those resources. For example, we can draw …

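As an added illustration of the distinction the excerpt above draws (embedding a cross-origin resource is allowed, reading its bytes is not), here is a small origin comparison written for this page; it is not code from the original post. It computes the (scheme, host, port) origin tuple the Same Origin Policy compares, normalising default ports, and then decides whether a page may read a resource, either because both share an origin or because a CORS `Access-Control-Allow-Origin` header (simplified: credentials mode is ignored) grants it. All URLs are constructed sample inputs.

```javascript
// Added example: Same Origin Policy origin comparison (not from the original post).
// Node's WHATWG URL parser drops default ports, so a port of "" is mapped back to
// the scheme's default before comparing; an explicit non-default port stays as-is.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443", "ftp:": "21" };

// Origin tuple of a URL: scheme, host and effective port.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] || "");
  return { scheme: u.protocol, host: u.hostname, port };
}

// Two URLs are same-origin only when all three tuple components match.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// A page may always embed (img/audio/script src) a cross-origin resource, but it
// may read the response body only if same-origin, or if the server opted in via
// Access-Control-Allow-Origin. corsAllowOrigin is the header value, or undefined
// when the server sent none. (Simplified: does not model credentialed requests.)
function mayRead(pageUrl, resourceUrl, corsAllowOrigin) {
  if (sameOrigin(pageUrl, resourceUrl)) return true;
  if (corsAllowOrigin === "*") return true;
  if (corsAllowOrigin && sameOrigin(pageUrl, corsAllowOrigin)) return true;
  return false;
}

// Constructed sample checks.
const page = "https://app.example/index.html";
for (const [resource, cors] of [
  ["https://app.example:443/api/data", undefined],   // same origin (default port)
  ["http://app.example/api/data", undefined],        // scheme differs
  ["https://cdn.example/track.mp3", undefined],      // playable, not readable
  ["https://cdn.example/track.mp3", "https://app.example"], // CORS opt-in
]) {
  console.log(resource, cors ?? "(no CORS header)", "readable:", mayRead(page, resource, cors));
}
```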

Detecting analysts before installing the malware

With the help of a beautiful piece of code, malware authors can detect installed applications straight from within the browser and serve the bad bits only to unsavvy users. In other words, attackers target regular users by detecting specific analyst applications (like Fiddler) and serving their harmful program only to users who do not have those apps …


CSS History Leak or “I know where you’ve been”

Hello fellow bug hunter! I have been thinking this morning about the classic trick originally discovered by Jeremiah Grossman back in 2006, where you could find out which sites the user had visited. If you are not familiar with this beauty, I recommend reading his original post. I will do my best to quickly …


Grabbing data from Inputs and Textareas

Both Microsoft Edge and Internet Explorer suffer from navigation problems, failing to keep their history information up to date. A framed navigation confuses these browsers, and what looks like a harmless functionality problem ends up being a security bug: information disclosure across origins. Let's first examine the functionality problem by building a …
