One line of HTML fires a real HTTP request in current Chrome. The request reaches the server. It does not appear in DevTools' Network tab. It emits no CSP violation event. Nothing in report-uri...
Welcome to Broken Browser
A lab where browsers are broken on purpose, bots are studied like insects, and the findings surprise nobody more than the researcher.
Detecting Chrome Extensions Without Console Noise
If you read the previous post about detecting Edge extensions, you already know the general idea: extensions expose resources at predictable URLs, and a page can try to load them to figure out what...
Building a High-Resolution Timer from WebAssembly.Memory
Not a vulnerability — just something I stumbled onto while poking at WebAssembly. One line of JavaScript on a page that has no special headers gives you a working SharedArrayBuffer, and from there...
Revealing the content of the address bar (IE)
Hello fellow bug hunter! Today we are going back to Internet Explorer, which, despite getting old, tons of people still use. I am much happier with MSRC lately, they are really moving forward regarding...
SOP bypass / UXSS - Stealing Credentials Pretty Fast (Edge)
Today we are going to steal Twitter and Facebook credentials from the user. The previous two SOP bypasses [[1]](../2017-04-17-sop-bypass-abusing-read-protocol/)...
SOP bypass / UXSS - Tweeting like Charles Darwin (Edge)
Watch the 2 minutes exploit video where we manually tweet as if we were Charles Darwin, and get his password (thanks to the default password manager of Microsoft Edge). If you are out of time, watch...
SOP bypass courtesy of the reading mode (Edge)
The Microsoft Edge team recently tweeted about the reading mode, a feature that removes the clutter from webpages to read without distractions. It was not new to me, I learned about it when I was...
Detecting Installed Extensions (Edge)
Attackers love being able to fingerprint their victims. We've seen in the past two techniques that allowed attackers to detect the presence of particular files (to evade analysts) and even get the...
Defeating the popUp blocker, the XSS filter and SuperNavigate with our fake ticket to the Intranet Zone (Edge)
Last year we explored the domainless blank technique to create UXSS/SOP bypasses on both Microsoft Edge and Internet Explorer. The Edge version has been recently patched but unfortunately the fix...
Referrer spoofing with iframe injection (Edge)
Last year we were playing with a very simple method to spoof the referrer on Edge, which of course allowed us to spoof the referrer and, as a bonus, do other neat things like bypass the XSS filter.
SOP bypass / UXSS - More Adventures in a Domainless World (IE)
A few months ago we were playing with domainless about:blank pages on Edge. Essentially, a powerful about:blank document was capable of accessing every domain without restrictions. It was recently...
Bypassing the patch to keep spoofing the Smartscreen/Malware warning (Edge)
Yesterday, Microsoft pushed a gigantic update where tons of security bugs were fortunately killed, including most of the ones from this website. Kudos, big kudos to the Edge developers and everyone involved...
The Attack of the Alerts and the Zombie Script (IE)
In our previous post we found a way to UXSS (bypass the Same-Origin Policy) using the htmlFile/ActiveXObject; however, I mentioned that there were other interesting things to do using that same object. Have...
SOP bypass / UXSS htmlFile in IFrame (IE)
Today we are going to explore a feature that has been present on Internet Explorer almost since its inception. A feature that allows web-developers to instantiate external objects, and because of...
SOP bypass / UXSS - Adventures in a Domainless World (Edge)
Today we are going to walk around a few design issues that, when used together, will end up in a full SOP bypass or Universal Cross Site Scripting (UXSS) on Microsoft Edge. If you are not a security...
Spoofing the address bar and the SmartScreen/Malware Warning (Edge)
Update: this bug was patched on 2017-03-14 but we found a bypass the same day. Here it is: Bypassing the patch to continue spoofing the address bar and the Malware Warning.
Abusing of Protocols to Load Local Files, bypass the HTML5 Sandbox and Open Popups (Edge)
On October 25th, the fellows at @MSEdgeDev tweeted a link that caught my attention because when I clicked on it (being on Chrome) the Windows Store App opened. It might not surprise you, but it...
Bypassing Mixed Content Warnings - Loading Insecure Content in Secure Pages (Edge/IE)
There is no doubt that the web is moving toward HTTPS (secure) content. Most of the big names have their certificates ready today and their websites are, in effect, secure. But have you ever...
Detecting Local Files to Evade Analysts (IE)
Last month we looked at how attackers were targeting unsavvy users by checking the mimeTypes associated with applications on the system. If the PC had analyst tools installed, something...
On Patching Security Bugs
Hello fellow bug hunter!
Workers SOP Bypass importScripts and baseHref (Edge/IE)
As we know, all browsers impose several restrictions when trying to access resources from different origins. Of course we can play music and render images coming from different domains but thanks to...
Detecting analysts before installing the malware (IE)
With the help of a beautiful piece of code, malware authors can detect installed applications straight from within the browser and serve the bad bits only to unsavvy users. In other words, attackers...
Referer spoofing and defeating the XSS filter (Edge/IE)
According to Wikipedia, "Referer spoofing is the sending of incorrect referer information in an HTTP request in order to prevent a website from obtaining accurate data on the identity of the web page...
CSS History Leak or "I know where you've been" (Edge)
Hello fellow bug hunter!
Grabbing data from Inputs and Textareas (Edge/IE)
Both Microsoft Edge and Internet Explorer suffer from navigation problems, failing to keep up with the most updated history information. A framed navigation confuses these browsers and what seems to...
Capturing Address Bar Input via createPopup and onbeforeunload
This one surprised me. By combining createPopup with an onbeforeunload handler, a page could learn the exact URL the user typed in the address bar the moment they pressed Enter — before the browser...
Spoofing the User's Saved Webpage via pushState + Server Redirect
Calling history.pushState to change the displayed URL to a redirect page, then having the user save the page with Ctrl+S, caused IE to save the redirect's destination — not the current page content —...
UXSS: Injected iFrame + Server Redirect + javascript: Location
Inserting an iFrame pointing to a server-redirect page, caching a reference to top from inside the iFrame's setTimeout, and then assigning a javascript: URL to the iFrame's contentWindow.location...
Persistent Browser Zoom-Out via ExecWB OLECMDID_OPTICAL_ZOOM
Calling ExecWB with the optical zoom command ID and persistence flag from a hidden iFrame set the browser's zoom to 10% — persistently, across all tabs and even after closing and reopening the...
mhtml: Protocol Loads Local Zip Files Without Warnings
Loading a local zip file twice in an iFrame using the mhtml: protocol caused IE to render the zip's contents as browsable files — and if the zip contained executables placed inside a subfolder,...
UXSS: htmlFile ActiveX + about:blank Meta-Refresh + Link Click
A streamlined variant of the htmlFile about:blank UXSS — no new windows or server redirects needed. Loading a target site in an iFrame, navigating its nested iFrame to about:blank via a meta-refresh...
Resident Script Execution via Cached iFrame window.open
Caching the open method from an iFrame's window object and then navigating away preserved a reference that could load arbitrary content into that invisible iFrame regardless of where the user browsed...
Resident Script Execution via HTML Object Element and createPopup
Creating an <object type="text/html"> element via createElement (without appending it to the DOM), navigating the main page away, and then calling createPopup on the object's window kept a...
UXSS: X-Content-Security-Policy Sandbox + Cached window.open + xml Script Tag
This was a two-stage UXSS. The first bug: a page running in docMode 8 with an empty <script language="xml"> tag had its window.open method accessible even after navigating to a URL protected by...
Pop-up Blocker Bypass via Local base href
Setting <base href> to a local path (c:\) bypassed IE's pop-up blocker entirely. Windows opened via window.open after a setTimeout — which should have been blocked as unsolicited pop-ups — were...
base href file:// Bypasses IE Protected Mode Integrity Level
Setting a <base href> to a local file:// path and then calling window.open with a relative filename opened the local file in a new tab running at Medium integrity — not the Low integrity level that...
UXSS: iFrame javascript: URI Executes in base href Origin
The iFrame variant of the base href UXSS: loading a cross-origin URL inside a named iFrame and then calling window.open("javascript:...", iFrameName) executed the script in that iFrame's security...
UXSS: New Window javascript: URI Executes in base href Origin
Setting a <base href> to a target origin and then opening a javascript: URL into a named window that held a page from that origin executed the script in the target's security context. The base href...
Spoofing the Info Bar Pop-up Origin via base href
A simpler variant of the pop-up origin spoof: placing a <base href> pointing to a trusted domain and then calling window.open() caused the IE info bar to display that trusted domain as the source of...
DoS: execCommand EditMode from HTC Behavior File
Calling document.execCommand("EditMode") from inside an HTC behavior file crashed IE11 with a null read in MSHTML!COmWindowProxy::Markup. Classified PROBABLY_NOT_EXPLOITABLE.
Content Injection on Sites with Named iFrames via Flash GetURL
Flash's getURL method allowed navigation of named frames in any open window — including cross-origin iFrames in other tabs. Sites that embedded third-party content in named iFrames (which was nearly...
DoS: WMP Object Inside createPopup, Hidden Immediately
Loading a Windows Media Player <object> inside a createPopup document and hiding the popup during the same load cycle caused a null read in MSHTML!CFakeUIWindow::SetBorderSpace. Classified...
DoS: Windows Media Player launchURL from Cross-Origin iFrame
Calling the WMP launchURL method repeatedly from a cross-origin iFrame crashed IE11 with a null read in MSHTML!CElement::IsFullScreenAvailable. Classified PROBABLY_NOT_EXPLOITABLE, this appeared to...
Spoofing the Blocked Pop-up Origin via WebBrowser Navigate
When IE blocks a pop-up, it displays an info bar that names the originating site — for example, "IE blocked a pop-up from evil.com". The intent is to let users make an informed decision about whether...
EoP: PROBABLY_EXPLOITABLE Crash via Rapid RSS/HTML iFrame Switching
Rapidly alternating an iFrame between an RSS XML file and about:blank at 100ms intervals crashed IE11 in IEFRAME!CFeedViewer::_HandleZoomChange. The crash was classified PROBABLY_EXPLOITABLE — the...
DoS: Accessing Cached Element Collection After Page Redirect
Caching a reference to document.images from a newly opened window, then accessing an element from that collection after the window redirected to a new page, caused a crash in...
typeof Checks Cross-Origin Variable Existence via 'unknown' Return Value
A companion to the ACCESS_DENIED exception method: in IE, typeof applied to a cross-origin iFrame property returns "unknown" when the property exists (because the engine recognizes it but can't...
DocMode 8: Checking Cross-Origin Variable Existence via ACCESS_DENIED
In IE's document compatibility mode 8, accessing a property on a cross-origin iFrame's window normally throws an ACCESS_DENIED exception — but only when the property actually exists. When the...
UXSS: Free Code Execution in the res:// Domain via InsertImage
This one surprised me. By overriding the removeAttribute method on a specific image element and then triggering execCommand("InsertImage"), code could be executed in the context of the res:// domain...
UXSS via iFrame document Cached in modelessDialog returnValue
This was a simplified variant of the modelessDialog external-object UXSS. Rather than using the external object, it stored the iFrame's document directly in window.returnValue — a property that...