Welcome to Broken Browser

If you read the previous post about detecting Edge extensions, you already know the general idea: extensions expose resources at predictable URLs, and a page can try to load them to figure out what...

Not a vulnerability — just something I stumbled onto while poking at WebAssembly. One line of JavaScript on a page that has no special headers gives you a working SharedArrayBuffer, and from there...

Hello fellow bug hunter! Today we are going back to Internet Explorer which despite getting old, tons people still use it. I am much happier with MSRC lately, they are really moving forward regarding...

Today we are going to steal Twitter and Facebook credentials from the user. The previous two SOP bypasses [[1]](../2017-04-17-sop-bypass-abusing-read-protocol/)...

Watch the 2 minutes exploit video where we manually tweet as if we were Charles Darwin, and get his password (thanks to the default password manager of Microsoft Edge). If you are out of time, watch...

The Microsoft Edge team recently tweeted about the reading mode, a feature that removes the clutter from webpages to read without distractions. It was not new to me, I learned about it when I was...

Attackers love being able to fingerprint their victims. We've seen in the past two techniques that allowed attackers to detect the presence of particular files (to evade analysts) and even get the...

Last year we explored the domainless blank technique to create UXSS/SOP bypasses on both Microsoft Edge and Internet Explorer. The Edge version has been recently patched but unfortunately the fix...

Last year we've been playing with a very simple method to spoof the referrer on Edge, which allowed us of course to spoof the referrer and -as a bonus- other neat things like bypass the XSS filter.

A few months ago we've been playing with domainless about:blank pages on Edge. Essentially, a powerful about:blank document was capable of accessing every domain without restrictions. It was recently...

Yesterday, Microsoft pushed a gigantic update where tons of security bugs were fortunately killed, including most ones from this website. Kudos, big kudos to the Edge developers and everyone involved...

In our previous post we found a way to UXSS (bypass the SOP policy) using the htmlFile/ActiveXObject, however, I mentioned that there were other interesting things to do using that same object. Have...

Today we are going to explore a feature that has been present on Internet Explorer almost since its inception. A feature that allows web-developers to instantiate external objects, and because of...

Today we are going to walk around a few design issues that, when used together, will end up in a full SOP bypass or Universal Cross Site Scripting (UXSS) on Microsoft Edge. If you are not a security...

Update: this bug was patched on 2017-03-14 but we found a bypass the same day. Here it is: Bypassing the patch to continue spoofing the address bar and the Malware Warning.

On October 25th, the fellows @MSEdgeDev twitted a link that called my attention because when I clicked on it (being on Chrome) the Windows Store App opened. It might not surprise you, but it...

There are no doubts that the web is moving forward to HTTPS (secure) content. Most important names have today their certificates ready and their websites are in effect, secure. But have you ever...

Last month we've been looking at how attackers were targeting unsavvy users by checking the associated mimeTypes to applications on the system. If the PC had analyst tools installed, something...

Hello fellow bug hunter!

As we know, all browsers impose several restrictions when trying to access resources from different origins. Of course we can play music and render images coming from different domains but thanks to...

With the help of a beautiful piece of code, malware authors can detect installed applications straight from within the browser and serve the bad bits only to unsavvy users. In other words, attackers...

According to Wikipedia, "Referer spoofing is the sending of incorrect referer information in an HTTP request in order to prevent a website from obtaining accurate data on the identity of the web page...

Hello fellow bug hunter!

Both Microsoft Edge and Internet Explorer suffer from navigation problems, failing to keep up with the most updated history information. A framed navigation confuses these browsers and what seems to...

This one surprised me. By combining createPopup with an onbeforeunload handler, a page could learn the exact URL the user typed in the address bar the moment they pressed Enter — before the browser...

Calling history.pushState to change the displayed URL to a redirect page, then having the user save the page with Ctrl+S, caused IE to save the redirect's destination — not the current page content —...

Inserting an iFrame pointing to a server-redirect page, caching a reference to top from inside the iFrame's setTimeout, and then assigning a javascript: URL to the iFrame's contentWindow.location...

Calling ExecWB with the optical zoom command ID and persistence flag from a hidden iFrame set the browser's zoom to 10% — persistently, across all tabs and even after closing and reopening the...

Loading a local zip file twice in an iFrame using the mhtml: protocol caused IE to render the zip's contents as browsable files — and if the zip contained executables placed inside a subfolder,...

A streamlined variant of the htmlFile about:blank UXSS — no new windows or server redirects needed. Loading a target site in an iFrame, navigating its nested iFrame to about:blank via a meta-refresh...

Caching the open method from an iFrame's window object and then navigating away preserved a reference that could load arbitrary content into that invisible iFrame regardless of where the user browsed...

Creating an <object type="text/html"> element via createElement (without appending it to the DOM), navigating the main page away, and then calling createPopup on the object's window kept a...

This was a two-stage UXSS. The first bug: a page running in docMode 8 with an empty <script language="xml"> tag had its window.open method accessible even after navigating to a URL protected by...

Setting <base href> to a local path (c:\) bypassed IE's pop-up blocker entirely. Windows opened via window.open after a setTimeout — which should have been blocked as unsolicited pop-ups — were...

Setting a <base href> to a local file:// path and then calling window.open with a relative filename opened the local file in a new tab running at Medium integrity — not the Low integrity level that...

The iFrame variant of the base href UXSS: loading a cross-origin URL inside a named iFrame and then calling window.open("javascript:...", iFrameName) executed the script in that iFrame's security...

Setting a <base href> to a target origin and then opening a javascript: URL into a named window that held a page from that origin executed the script in the target's security context. The base href...

A simpler variant of the pop-up origin spoof: placing a <base href> pointing to a trusted domain and then calling window.open() caused the IE info bar to display that trusted domain as the source of...

Calling document.execCommand("EditMode") from inside an HTC behavior file crashed IE11 with a null read in MSHTML!COmWindowProxy::Markup. Classified PROBABLY_NOT_EXPLOITABLE.

Flash's getURL method allowed navigation of named frames in any open window — including cross-origin iFrames in other tabs. Sites that embedded third-party content in named iFrames (which was nearly...

Loading a Windows Media Player <object> inside a createPopup document and hiding the popup during the same load cycle caused a null read in MSHTML!CFakeUIWindow::SetBorderSpace. Classified...

Calling the WMP launchURL method repeatedly from a cross-origin iFrame crashed IE11 with a null read in MSHTML!CElement::IsFullScreenAvailable. Classified PROBABLY_NOT_EXPLOITABLE, this appeared to...

When IE blocks a pop-up, it displays an info bar that names the originating site — for example, "IE blocked a pop-up from evil.com". The intent is to let users make an informed decision about whether...

Rapidly alternating an iFrame between an RSS XML file and about:blank at 100ms intervals crashed IE11 in IEFRAME!CFeedViewer::_HandleZoomChange. The crash was classified PROBABLY_EXPLOITABLE — the...

Caching a reference to document.images from a newly opened window, then accessing an element from that collection after the window redirected to a new page, caused a crash in...

A companion to the ACCESS_DENIED exception method: in IE, typeof applied to a cross-origin iFrame property returns "unknown" when the property exists (because the engine recognizes it but can't...

In IE's document compatibility mode 8, accessing a property on a cross-origin iFrame's window normally throws an ACCESS_DENIED exception — but only when the property actually exists. When the...

This one surprised me. By overriding the removeAttribute method on a specific image element and then triggering execCommand("InsertImage"), code could be executed in the context of the res:// domain...

This was a simplified variant of the modelessDialog external-object UXSS. Rather than using the external object, it stored the iFrame's document directly in window.returnValue — a property that...

Another variation on the htmlFile pop-up blocker bypass, this time using a destroyed iFrame's ActiveX object as the carrier. Creating the htmlFile inside an iFrame and then navigating the iFrame away...

Combining createPopup and setCapture produced a clean clickjacking setup. The popup appeared over the target iFrame as a visible overlay, but because setCapture redirected mouse input to the main...

A brief crash report. Calling open() and close() on a document created either by document.implementation.createHTMLDocument() or obtained as an XHR responseType="document" caused a null pointer...

This one surprised me. MSXML's XSLT <xsl:script> block ran with the origin of the page's <base href>, not the actual page origin. By setting a <base href> to a target domain and embedding script in a...

I was lucky to find this one while testing the HTML5 sandbox implementation. IE11 had a list of default accelerator URLs — like bing.com and live.com — that were treated as trusted redirectors....

This one combined several of the techniques I had been exploring — a cached iFrame open reference, a background navigation, and a createPopup — into a persistent in-tab keylogger. The popup would...

This variant used an htmlFile ActiveX object to keep script alive across navigations in a new tab. A helper page in the new tab created the htmlFile and saved a reference back to the opener, then...

This was a port of an earlier UXSS chain (originally found on IE10) updated to reproduce on IE11 RTM. The technique used a server-side redirect, a cached ActiveXObject reference, and a domainless...

This variation on the resident-script theme used a Web Worker to stay alive across navigations. By spawning the Worker inside the onpagehide handler, the Worker thread kept running long after the...

After playing around for a while with how IE handles redirect chains inside iFrames, I found a way to fake the HTTP Referer header sent to a destination page. The technique could be used to fully...

A brief crash report. Saving a reference to an iFrame's Intl object and then navigating the iFrame to about:blank caused a null pointer dereference in jscript9!ArenaAllocator::AllocZero when the...

A brief crash report. Setting an iFrame's location to a mhtml: URL — including a bare mhtml: with no path — triggered an assertion failure in urlmon!CBSCHolder::RemoveNode, the same root cause as the...

A brief crash report. Opening a modeless dialog pointed at a server-side redirect and then immediately scheduling an alert inside that dialog produced an assertion failure in...

This one was a logic issue rather than a crash. When a sandboxed iFrame with allow-popups opened a new window and the user then typed a different URL in that new window's address bar, the new URL...

A brief crash report. Loading an MP3 file into a sandboxed iFrame triggered an assertion failure in urlmon!CINetHttp::LastRequestHandleClosed.

A brief crash report. Enabling designMode in an iFrame and then calling top.document.open() from that iFrame caused a null pointer dereference in MSHTML!CJScript9Holder::ClearHostObjects.

After playing around with showModelessDialog and its external property, I found that caching a reference to the dialog's external object before navigating it away allowed continued access to the...

A brief crash report. Navigating to any URL prefixed with the mhtml: protocol scheme crashed IE11 with an assertion failure in urlmon!CBSCHolder::RemoveNode.

A brief crash report. Opening a new window with RSS feed XML content and closing it immediately triggered an assertion failure in MSHTML!CDwnCrit::Enter.

A brief crash report, though this one was classified as PROBABLY_EXPLOITABLE. Loading an RSS feed XML in a named iframe and then calling window.open("about:blank", "iFrame") to retarget that frame...

This was one of the more involved UXSS chains I worked on. It combined a server-side redirect, a cached ActiveXObject reference, and a "domainless" about:blank window to ultimately execute script...

This variation on resident script execution used an HTML <object> element and an external window to keep a script context alive after the user navigated away. By holding a reference to the object's...

While playing around with createPopup again, a variation of an older pop-up blocker bypass surfaced. The trick involved instantiating an htmlFile ActiveX object inside a createPopup, destroying the...

After playing around with back-navigation timing, I found that a tab returning from a history.back() could display dialogs that appeared to originate from whatever tab had focus at the time —...

IE11 failed to hide createPopup windows when the user switched to a different tab. A popup created in one tab would remain visible over every other tab, allowing an attacker to overlay arbitrary...

A brief crash report. Reading the screenLeft property on a hidden createPopup's parentWindow caused a null pointer dereference in MSHTML!CInPlace::ClientToScreen.

By navigating to a URL that never responds (a server-side Thread.Sleep), and then letting the user type a new address, the browser would update the address bar to show the new URL while keeping the...

This one surprised me. Setting location inside onbeforeunload while the user simultaneously types a new URL in the address bar caused the entire browser window to close — and sometimes left an...

Similar in spirit to the onbeforeunload variant, this one used the onpagehide event on document.body to keep script running after the user had navigated away. Setting the handler on the body element...

IE11 introduced background navigation caching, which was meant to freeze and hide a page when the user navigated away. I was lucky to find that this freeze didn't apply to plugins running inside...

A brief crash report. Calling execCommand("CreateLink") on a text range that spanned both styled and unstyled text triggered a null pointer dereference in...

A brief crash report. Calling open() on a window object after it had already been closed caused IE11 to access a null pointer and crash the tab.

This one surprised me. By assigning any object (rather than a function) to window.onbeforeunload, and then using window.onunload for the real payload, script from the original page continued...

I was lucky to put together a set of JavaScript puzzle challenges for a BlueHat/BlackHat session. Each challenge explored a quirk or edge case in Internet Explorer that required creative thinking...

I was lucky to find this one while looking at how the F12 memory profiler initialized its console object. The vulnerable code in perftools/memory/remote.js wrote directly to realWindow.console, and a...

After playing around for a while with the F12 DOM Explorer, I found another spot where the tools consumed page-controlled data without proper isolation. This time the vulnerable line was in...

After playing around with IE's F12 developer tools for a while, I noticed that the DOM Explorer ran certain operations with elevated privileges. This one surprised me — by intercepting...

This one surprised me. While exploring how the F12 DOM Explorer stored selected elements, I realized that elements from cross-origin iframes were being placed into a shared array on the top window....

At the end of this research cycle I compiled a collection of variations on previously reported bugs — techniques that were close enough to existing MSRC cases to warrant documenting as related...

The F12 Developer Tools in IE used addEventListener on the host page's window to communicate with the inspected tab. If a page overrides window.addEventListener, it intercepts F12's communication and...

A sandboxed iFrame with only allow-popups should be able to open links in new tabs but the new window should remain sandboxed. On IE11 Blue build 9412, however, clicking a link from the sandboxed...

A broader penetration test of Windows 8 managed (WinRT/C#/XAML) apps, examining how web content handled by WebView controls interacted with the managed app layer. The findings were documented and...

In a Windows 8 WinJS app context, overriding the global eval method lets a hosted web page intercept calls the app framework makes internally — including the call used to retrieve...

A follow-up to the April batch review, covering four additional Windows Store apps with security findings. A companion document also tracked apps reviewed in previous cycles. The issues found were...

In April 2013 I completed a survey of Windows Store apps and identified twenty that had exploitable security issues. The findings covered a range of vulnerability classes common to the WinJS app...

Mixing document modes between a parent page (running in IE5/quirks) and an embedded <object type="text/html"> (running in IE10) creates a situation where the inner frame's history.pushState affects...

Inserting an iFrame whose src attribute is a javascript: URL that simultaneously destroys the iFrame and calls Object.getOwnPropertyNames(window) crashes the browser. The crash was classified...

When inside a search result page loaded via an OpenSearch provider with the preview pane enabled, the Trident instance runs with fewer restrictions than a normal web page. This unlocked three...

A CSS expression that throws a JavaScript error, combined with an onerror handler that writes a page reload script, creates an infinite loop that hangs the browser.

CSS expressions on visited links generate a different number of JavaScript errors than on unvisited ones. By counting errors via window.onerror and taking an average over repeated measurements, it is...

Saving a reference to a createRangeCollection() result before a redirect, then accessing the collection member's htmlText property after the redirect completes, gives access to the DOM of the...

The HTML5 sandbox attribute correctly blocks most attempts to change the URL of a sandboxed window from outside. One exception: external.NavigateAndFind, an older IE API, could change the URL of a...

Saving a reference to the getSelection() object of an iFrame before it redirects, along with any member of that object, keeps the selection live. After the redirect, accessing anchorNode on the saved...

After saving a createRange() reference from a new window and waiting for it to redirect, calling duplicate() on the cached range creates a new object bound to the redirected domain's context. Any...

HTML5 specifies that <input type="file"> should return C:\fakepath\filename instead of the real path, protecting user privacy. I found that calling createRangeCollection() on the selection after...

Accessing a cached element collection by numeric index after a redirect crashes the browser with EXPLOITABLE classification — EIP can be controlled by varying the number of elements added before the...

If you know the name of a form element on the target page, you can access that element's ownerDocument after a redirect by caching the forms collection before the redirect and then looking up the...

Throwing an alert during the ondragenter event prevents the user from closing the dialog, effectively freezing the browser. As a side effect, the dragged text remains rendered on top of all other...

Dragging selected text from one input box to another crashes the browser when document.open() is called in the ondragstart handler. The crash reproduced on IE10 Win8 with UNKNOWN exploitability.

Creating an <object type="text/html"> element and storing a self-referencing pointer from the object's window back to the element itself keeps the object alive even after the parent navigates away....

A simple UXSS using an iFrame that redirects to another domain: before the redirect completes, the parent injects an execScript into the iFrame that sets the iFrame's own location to a javascript:...

A cleaner version of the onreadystatechange spoof — this one works without needing a script error notification. Opening a new window that redirects to Bing, writing the document during...

The history.replaceState address bar spoof had been patched for IE10, but it still worked on IE11. What made this variation more interesting is that it turned a simple spoof into a UXSS: after...

Two nested htmlFile ActiveX objects created through a destroyed iFrame are enough to bypass the popup blocker without any user interaction. The key is that the second htmlFile's parentWindow.open...

A simpler variant of the earlier MHTML-based prompt bypass: placing an empty about:blank iFrame on the page and calling prompt through its window object produces the generic "Explorer User Prompt"...

By saving a reference to a DOMParser instance created in a new window before it redirects, and then calling parseFromString on that cached instance after the redirect, the resulting document ends up...

By saving a reference to document.links before a server redirect, then accessing a cached link element by property after the redirect completes, the browser crashes with EXPLOITABLE classification....

This is a refreshed version of the earlier childNodes thread bug, updated to work on IE10 and even the early IE11 builds at the time. The structure is the same — cache the childNodes collection,...

A brief crash in IE11 triggered by calling window.URL.createObjectURL on an empty blob. The exploitability was classified UNKNOWN at the time.

Opening a new window that server-redirects to Bing, and immediately calling location.reload() on it, causes the address bar of the new window to remain stuck on the original URL while Bing's content...

By saving a reference to the window.open method of an iFrame before destroying it through navigation, the cached reference stays valid and can be used to load pages into the destroyed iFrame's scope...

I called this the "SandboxHeadersParadox" because the UXSS actually required the target URL to be sandboxed via X-Content-Security-Policy headers — meaning the very security headers intended to...

With the help of VBScript's execScript, it is possible to probe for the existence of named variables in a cross-origin iFrame. If the variable exists, the error fires only inside the iFrame's...

This spoof works against users with the default IE setting that shows a notification for every script error. By opening a new window that server-redirects to Bing, and hooking onreadystatechange to...

On IE10 for Windows Phone 8, setting document.designMode = "On" on a page has a surprising side effect: scripts stop executing in that tab permanently, even after navigating to completely different...

When an MHTML file is loaded inside an iFrame, IE renders it using an embedded WebBrowser Control object. I found that setCapture on the parent document, combined with a click inside that control,...

This is a variation on the setCapture capture family that specifically uses MHTML to make the technique work in contexts where it otherwise would not. From inside any iFrame — even one on a...

Shortly after Windows 8 launched I examined several Windows Store apps that used the WinJS framework — specifically looking at document.execCommand, execUnsafeLocalFunction, setInnerHTMLUnsafe, and...

I spent some time looking at MSN Explorer during this period and collected a set of findings in an internal document. MSN Explorer used its own rendering layer with settings that differed from the...

IE10 added a security improvement to window.prompt that always shows the calling domain in the dialog's caption bar — replacing the generic "Explorer User Prompt" text that made phishing easy. I...

During the Windows 8 launch period I spent some time looking at the Modern UI Mail app. The findings were documented internally and sent to the team; the details were captured in an archive. This was...

This is a clean, straightforward UXSS. Before a server redirect completes, the parent window can inject a javascript: protocol anchor into the new window's document and click it programmatically. The...

While exploring variations of the embed-based persistence technique, I found a completely different approach using the htmlFile ActiveX object. Creating an htmlFile instance in a new window and...

This one surprised me. By creating a hidden <embed type="text/html"> element in a new window, saving a reference to its internal window object, and then navigating the outer window away, the embed's...

Opening about:Tabs and immediately redirecting it to another URL leaves the display showing the about:Tabs content while the address bar updates correctly. The user sees their real recently closed...

After playing around with RSS feeds framed inside iFrames, I found that loading a feeds XML in an iFrame and then refreshing it via execCommand gave the parent page access to the internally generated...

Loading an .xbap file (XAML Browser Application) from IE causes the browser to hand it off to whatever application handles the .htm extension — which in practice means the user's default browser....

This bug had been sitting around for a long time without a report because on its own it seemed minor. When a modeless dialog is opened from inside an iFrame with a DOM object passed as the second...

In Windows 8 IE10 Metro mode, if the user had a solid color desktop background instead of a wallpaper image, the domain shown in modal and modeless dialog title bars became invisible. The dialog...

After the previous document.all variation, I tried the same threading trick with document.childNodes. A prior bug using this collection had been patched for Win8 RTM, but the Web Worker thread...

This was a variation of a previously patched bug. The original technique of caching document.all across a server redirect had been fixed, but running the access from a Web Worker thread made it work...

This bug only reproduced on the Win7 IE10 build at the time (20120723-2300), not on Win8 RP. The history.replaceState API had trouble keeping the address bar in sync: after replacing the current URL...

I was lucky to find this one — it is surprisingly simple. A fully sandboxed iFrame (with no flags at all, not even allow-scripts) could still break out by triggering a default search query. The...

This one surprised me. A sandboxed iFrame with allow-popups allow-scripts can open a new window which inherits the sandbox. But the new window can call document.write to inject a history.back()...

After playing around with the new IE10 sandbox flags for a while, I found that a sandboxed iFrame with only allow-popups could still set cookies on the parent domain using a <meta...

I found that documents created via document.implementation.createDocument() were supposed to be prevented from loading external content, but several tag types bypassed this restriction. <video>,...

I found that when a sandboxed window or tab crashed, IE automatically reloaded it — but the reload did not re-apply the sandbox flags. This meant that any denial-of-service vulnerability could be...

Since August 2011, internet-zoned pages are not allowed to use the file:// protocol. I found that prepending mhtml: to a file:// URL and loading it twice bypassed that restriction, loading local...

I found that when a sandboxed window received an HTTP 302 redirect to an invalid URL scheme (like badurl:), IE loaded its default error page outside the sandbox constraints. After going Back from the...

I found that opening a new window and setting an onbeforeunload handler that pushed a history state and enabled designMode — just before navigating the window to a cross-origin URL — left the window...

I found that opening a new window, saving a reference to opener in Math, and then enumerating the window object with for..in in a setTimeout just as the server redirect fired caused a crash rated...

I found that a sandboxed window could escape its sandbox by triggering a file download (.zip, .exe, .wmv, etc.) and then calling history.back(). After the back navigation, the page loaded without...

After Win8 Release Preview re-enabled javascript: URLs in sandboxed iframes (having disabled them in Win8 Consumer Preview), I found that Flash's getURL method could reach a named sandboxed window...

I found that loading a cross-origin URL inside a sandboxed iframe and then setting window[0].location to a javascript: URI gave the attacker script execution in the iframe's context with access to...

I found that loading an MHTML file inside a sandboxed iframe using the mhtml: protocol prefix, and then navigating the inner iframe twice to the target URL, bypassed the X-Frame-Options: DENY or...

I found that injecting elements into a window before its server redirect and caching the document.links collection caused a crash when the cached collection was accessed after the redirect, as...

Setting an mhtml: prefix on the current URL via history.pushState and then opening a new window caused a null pointer dereference in KERNELBASE!StrCmpCW during urlmon's redirect security check,...

I found that pushing a redirect URL into an iframe's history with pushState, reloading to complete the redirect, then calling history.back() on the top window left the iframe appearing to belong to...

I found that in IE10 Metro, navigating a fully sandboxed iframe to an MHTML file caused the MHTML content to open in the top window rather than stay contained in the iframe. This bypassed the sandbox...

I found that an evil page could trick touch-screen users who performed the back swipe gesture (moving a finger right to go back) by creating an oversized horizontally-scrollable container with the...

I found that when an iframe used a <meta http-equiv="refresh"> tag to navigate itself to about:blank, the resulting about:blank inherited the domain of the parent page rather than the iframe's own...

In IE10 Metro, navigating to a new URL briefly showed the address bar so the user could see where they were going. I found that using location.reload() with a server-side redirect to a different URL...

I found that an onunload handler could replace the page's content and then freeze the browser thread using a synchronous XMLHttpRequest to a never-responding server endpoint. This left the address...

I found another variant of the document.all caching technique, this time using window.open rather than a modeless dialog. Saving a reference to document.all from a newly opened window before its...

I found that msSetPointerCapture combined with setCapture inside an iframe continued delivering pointer events — including mouse coordinates and click events — even when the user's pointer was...

Calling msSetPointerCapture on an element and then destroying that element via outerHTML = '' caused a crash when the user moused over any scrollbar afterward. The fault occurred in...

Appending a script element with innerText set to a value into a document created via document.implementation.createHTMLDocument("") caused a crash in...

I found that using history.replaceState to point the current history entry at a redirect URL, then calling location.reload(), caused IE10 to load the redirect target while preserving the original...

I found that using history.pushState to inject a redirect URL into the navigation history, followed by history.go(0) to reload, caused IE10 to render the redirect target using the previous page's...

I found that repeatedly reloading a Flash object via innerHTML in a tight onkeypress loop caused a crash in Flash11f rated PROBABLY_EXPLOITABLE. Each keypress replaced the DOM with a new Flash object...

I found that pushing a server-redirect URL pointing at blob: into the history stack with history.pushState, then reloading with history.go(0), caused a crash rated EXPLOITABLE in...

I found that blob URLs created by the parent page could be sent to a sandboxed iframe via postMessage, and the sandboxed iframe could load them as image sources and even read the pixel data via...

I found that creating a blob with HTML content that referenced an HTC behavior (style="behavior:url(1)") and then navigating to it via a server redirect caused a crash in...

Passing "blob:" as the URL to showModalDialog() opened an invisible modal window — one that was present but not rendered — making the entire browser unusable until the process was killed.

Building on the blob-redirect technique, I found that using an invalid content type string (like "INVALID") when creating the blob caused a crash rated PROBABLY_EXPLOITABLE when the server redirected...

Blob URLs were not supposed to be usable as iframe src or browser navigation targets — they were intended only for images, scripts, CSS, and workers. I found that this restriction could be bypassed...

I found that if window.open("javascript:1", "_self") was called inside an iframe while an error notification dialog was pending — and the parent simultaneously destroyed that iframe — IE10 crashed...

I found that setting document.designMode = "Off" inside an iframe before a server redirect triggered a convenient reload, and that ActiveXObject("Microsoft.XMLHTTP") created during that window...

I found that if a cross-origin redirecting iframe used createPopup().document.write() on the parent, the resulting popup's URL became that of the iframe's post-redirect origin. Since the popup's...

I found two related issues in how modal/modeless dialogs handled returnValue and the external object across cross-origin redirects. The first allowed cooperative cross-origin sharing — the opener...

I noticed that saving a reference to document.all from inside a modeless dialog, before the dialog's page redirected to a different origin, preserved cross-origin access to the redirected document....

I found that a window reference stored inside a native JavaScript object like Math survived a cross-origin server redirect. The key insight was that storing a reference in a plain variable did not...

Creating an htmlFile ActiveX object, refreshing its document, and then triggering a document.open(); document.close() pair via an injected image error handler inside a setTimeout caused a crash rated...

Injecting an iframe that immediately redirected, and then calling a non-existent method inside that iframe via execScript after the redirect completed, caused a stack buffer overrun...

By capturing an XMLHttpRequest object from a newly opened window before the window redirected to a different domain, the cached XHR reference retained the ability to make requests in the context of...

Opening a new window that would soon redirect, injecting an iframe into it, creating a createPopup from that iframe, and then calling setInterval from the popup's window caused a crash after the...

IE10's URL.createObjectURL() generated Blob URLs with insufficient randomness. Image blob URLs were readable by any domain in the same window — including cross-origin iframes. The only protection was...

Creating a Blob URL in the main page and then spawning a Web Worker that sent an XHR to any blob URL — even just "blob:" — caused IE10 to crash.

Calling document.normalize() on a complex DOM in IE10 Preview 4 caused a crash. The crash was found while a W3C spec page loaded and called the method as part of its own script.

When loading an XBAP file, IE requests it twice: once to verify the MIME type and once as an argument to PresentationHost.exe. If the server returns a different content type on the second request,...

Opening a new window that loaded non-HTML content (feeds, Flash, XAML, etc.) and immediately setting designMode on its document caused a crash — reliably on IE9 and intermittently on IE10.

This finding built on an existing technique for escaping Low Rights IE (LoRIE) by abusing vsjitdebugger.exe — the Visual Studio just-in-time debugger — which accepts a binary path as a command-line...

The IE10 sandbox could be applied not just through the sandbox HTML attribute but also via the X-Content-Security-Policy HTTP header. This bypass worked by capturing the new window's document object...

Loading a Flash file from a different domain inside an iframe — where the Flash called GetURL with a javascript: target — and then reloading the main page twice caused an exploitable crash in IE8....

The security="restricted" attribute on an iframe is meant to prevent script execution inside it. But if a link inside the restricted frame opens a new window, and that new window calls...

Setting document.designMode = "On" from inside an HTC behavior file caused IE10 to crash.

This technique allowed spoofing the address bar of any website that had at least one iframe. By opening the target site in a new window, hijacking one of its iframes using Flash's GetURL to point it...

Opening and closing the document from a textarea's onkeypress event caused IE10 to crash on the first keystroke.

This was an interesting multi-step sandbox escape. A sandboxed iframe opened a new window, navigated it through a chain that included loading non-renderable content (RSS feed, SWF, MHT, ZIP, etc.),...

With both allow-scripts and ms-allow-popups set, a sandboxed iframe could open a new window and then use that window's opener.parent.location to execute JavaScript in the parent's context —...

When an iframe was sandboxed with allow-scripts and allow-top-navigation, assigning a javascript: URL to parent.location was permitted — executing code in the parent's context. Interestingly,...

Calling window.scroll, scrollBy, or scrollTo using .call() with a different frame's window as the context caused IE10 to crash with a classification of PROBABLY_EXPLOITABLE.

Combining an AppCache manifest with a fallback entry and a meta-refresh tag caused IE10 to crash after a few reloads.

The history.pushState API in IE10 Preview 3 did not always refresh the address bar correctly when navigating back and forth. By pushing a redirect URL into the history and immediately reloading, the...

A sandboxed iframe with only allow-scripts is not supposed to be able to change its parent's URL. But any of the history navigation methods — history.back(), history.forward(), history.go() — could...

This one surprised me. By injecting an iframe into a newly opened window before it redirected to the target site, and then creating a createPopup from that injected frame, I could attach a keylogger...

When a createPopup call was blocked because the tab did not have focus, the Infobar that appeared to notify the user showed the local machine name instead of the URL of the page that triggered the...

Rendering a Flash (or Silverlight) object inside an iframe's createPopup and then navigating that iframe while the popup was still visible caused IE9 to crash.

During a focused review of Silverlight 5, I came across several interesting issues spanning denial of service, elevation of privilege, cross-origin access, and an unusual persistence technique. These...

After a patch was issued for a createPopup security issue (MSRC 11355), I found a way to recreate the same effect by taking advantage of a timing window. When an iframe is destroyed by replacing its...

After loading, a sandboxed iframe with only allow-scripts could inject a Flash object that used the ActionScript GetURL method to execute JavaScript in the parent window. The Flash call was...

A sandboxed iframe restricted to only allow-scripts could open a fully unsandboxed window by inserting a Windows Media Player ActiveX object and calling its launchURL method. The new window opened...

A sandboxed iframe with only allow-scripts set could bypass restrictions on cookie access and same-domain content reads by creating a new document object through...

Assigning a CSS behavior (.htc file) to an element in a document created with document.implementation.createHTMLDocument crashed the browser.

This was a variation of an earlier internal dialog elevation bug that still worked after the initial patch. By overriding removeAttribute on an element before calling...

This is a VBScript variant of a technique I explored with JavaScript errors. When a cross-origin iframe calls execScript with a VBScript block that attempts to access the parent window, the resulting...

The XSS filter in IE correctly blocks a reflected XSS attempt when it can see that the referrer matches the attacker's origin. This bypass exploited a subtle behavior: when a main page is reloaded,...

This set of test cases explored whether content from a cross-origin iframe could be dragged and dropped into an editable element in the parent page. The baseline case showed that dragging XML content...

This was a lucky strike — the crash stumbled upon me while I was testing something else entirely. Dragging text out of an <input> or <textarea> element inside an XML file caused IE10 Preview 2 to...

Similar to the window.open.call(parent) technique I found earlier, this variation used the navigate method with a javascript: URL called on behalf of the parent to execute arbitrary code in the...

Even with only allow-scripts enabled and all other sandbox flags absent, a sandboxed iframe could break out of all restrictions by injecting an HTML <object> element with type="text/html" after the...

A sandboxed iframe with only allow-scripts set is supposed to be unable to load or read same-domain content — XMLHttpRequest is correctly blocked. But the old IE-specific <xml> island element, when...

I was lucky to find this one. A fully sandboxed iframe — no flags at all — could execute JavaScript in the parent window simply by embedding an SVG file with a javascript: xlink targeting _parent....

While looking at the IE10 sandbox flags, I found two ways to open new windows from a sandboxed iframe even when ms-allow-popups was not set. Both techniques worked even across origins, which made...

The W3C spec requires Web Workers to be same-origin, and IE10 Preview 2 enforced that correctly — until I tried using a server-side redirect. A worker created from a same-origin URL that immediately...

This one surprised me. By embedding an MHT file that forced a lower document mode (IE7 emulation) and then placing a cross-origin iframe inside it, I found that errors triggered when the inner frame...

After playing around with the IE10 sandbox for a while, I noticed that a fully sandboxed iframe could be used as a stepping stone to access the parent DOM through a modeless dialog. The trick was to...

The security="restricted" attribute on an iFrame is supposed to prevent any script execution inside it. I found that loading an XML document with an external XSL stylesheet inside such a restricted...

I was exploring whether the cached-object pattern that worked with Flash and iframe Document references also applied to Silverlight plugin objects. It did, and with an interesting twist: caching the...

The X-Frame-Options header is supposed to prevent a page from being embedded in an iFrame on another domain. I found that loading XML content inside an iFrame and referencing the protected URL as the...

This crash involved HTC (HTML Component) files and their cached document objects. By saving a reference to an HTC document, changing the behavior URL to destroy the cached document, and then...

This one was interesting to put together. The idea is to disguise a cross-origin drag-and-drop data capture as a fun basketball game. A transparent textarea sits over the game area, and when the user...

This was a novel history-sniffing technique that used the clipboard rather than CSS color measurements. When you select part of a hyperlink's text and paste it back onto itself inside a visited link,...

This UXSS worked by saving a reference to the ActiveXObject constructor inside an iFrame before it redirected to a target domain, and then using that cached constructor after the redirect to create...

This is what I would call a cooperative or pseudo-UXSS: both parties need to be set up for it to work, so it requires the attacker to control at least part of the modal dialog's content. The...

Another variation on the cached-reference UXSS theme. This time the object that survives navigation is a plain DOM element created with createElement. After inserting the element into the window's...

After discovering that persistent createPopup windows survive navigation, I found that trying to resize one manually would crash the browser. The popup shown before the redirect has resize handles...

By opening a modeless dialog from within an IFrame, saving a pointer back to the IFrame, and then reloading the main window (which destroyed the IFrame), the modeless dialog could create a...

Building on the earlier resident-popup findings, I put together a demonstration showing that a createPopup created before a redirect can capture keystrokes typed into the redirected page. The popup...

This crash was surprisingly compact. Creating an htmlFile ActiveXObject, initializing its Trident with open()/close(), executing a Refresh command, and then immediately deleting the reference caused...

This was an exploitable crash triggered by a user style sheet interaction with a SELECT element. Simply expanding a dropdown SELECT widget on a page that had a particular style sheet applied would...

This crash required an unusual setup: the Windows Media Player control in an iFrame on a different domain from the top window, calling launchURL repeatedly in a way that would always fail to...

The Windows Media Player ActiveX control had two ways to open a URL that both bypassed IE's popup blocker: a scriptcommand embedded inside a WMV file, and the launchURL method called directly from...

This is a variant of the cached-object redirect pattern. Instead of caching a collection like styleSheets, I saved a reference to a createPopup document object before the containing window redirected...

This UXSS relied on the fact that certain live collections returned by the DOM — specifically document.styleSheets and document.selection — remain valid and readable after the window they came from...

This was a simple interaction between Object.defineProperty and IE's context-menu Properties dialog. Redefining documentElement on an iFrame's document via a getter, and then asking IE to show the...

This was a creative path to code execution. IE's internal InsertImage dialog (invoked via document.execCommand("InsertImage", ...)) uses removeAttribute on image elements to clean up after itself. By...

This was a UI containment issue. A createPopup created from inside an HTML frame embedded in a XAML document is not constrained to the browser window — it can be sized to cover the entire screen....

Timing was the critical element here. By saving a reference to window inside an iFrame, immediately navigating the iFrame away, and then calling a method on the saved reference inside a try/catch,...

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

This one surprised me quite a bit. A createPopup window that has been shown can outlive the browser itself. If the user closes IE while a modal-style alert from the popup is still open, the popup and...

This UXSS relied on an interesting property of createPopup: if the popup is shown (even at size 0×0) and its eval is called via setTimeout inside an iFrame, the popup stays alive across navigation....

This was a UI spoofing issue with IE's popup-blocked InfoBar. When a popup is blocked, the InfoBar shows the URL that was blocked. By using Navigate2 through an iFrame acting as a WebBrowser control,...

I was looking at the external object's less-travelled methods and found that NavigateAndFind with a non-empty third argument opens a new window pointing at any file:// URL — without any popup blocker...

This one involved a combination of a functionality regression in IE9 and a security bug. When the previous page in a tab was rendered in document mode 8 or lower, certain cross-frame operations that...

This was a concise one. Calling parent.document.open() from inside an iFrame and then immediately executing any JavaScript instruction caused the browser to crash. The instruction after the...

This was a behavioral quirk that Patrick Mann asked me to look into. When an iFrame's location is changed via window[0].location.replace() and the page is then refreshed, IE correctly honours the...

This crash required a race condition: open a new window, have it close itself immediately via a script, and then try to call a method on the returned window reference before the engine has finished...

I found this while experimenting with self-referential DOM mutations. If an iFrame uses execScript to call innerHTML on its own containing element in the parent, it destroys itself mid-execution,...

This one took me by surprise. Rapidly alternating an iFrame between an RSS/Atom feed URL and a regular HTML page caused an exploitable crash after just a few iterations. The key insight was combining...

I was exploring what setCapture could do across tab boundaries and found that it was surprisingly permissive. A page in one tab can capture all mouse clicks — even those made in a completely...

After playing around for a while with timing-based crash patterns, I found that calling document.open() on the main window while a dialog was freezing it produced an exploitable DEP violation. The...

This one surprised me. It turns out that alerts thrown inside an onunload handler are displayed in whatever tab gains focus after the originating tab closes — so the dialog appears to come from an...

This was a fairly simple crash to stumble onto. Calling document.open() on a freshly created Trident instance — either a new blank window or an htmlFile ActiveXObject — would reliably take the...

I was lucky to find this one early in my IE9 research. The idea is straightforward: open a new window that will redirect to a target domain, and simultaneously schedule a setTimeout against that...

After playing around with cross-frame script execution in IE9, I noticed that calling eval from inside an iFrame and then executing any document method on the parent would reliably crash the browser....

Another entry in the deadcall collection. Creating a DocumentFragment from an IFrame, reloading the IFrame (destroying the fragment's backing context), and then calling...

This was the first entry in what I called the "deadcall" collection — a series of crashes where Function.call (and equivalently bind and apply) was used to execute a method of one object on behalf of...

A deadcall crash using DOM Range objects: creating a range from an IFrame, reloading the IFrame, and then calling cloneRange() from a live range on behalf of the dead one caused a crash in...

A deadcall crash involving selection ranges: obtaining a range from an IFrame's selection, reloading the IFrame to destroy the range's context, and calling toString() from a live range on behalf of...

A non-crashing deadcall: caching the location object of an IFrame via valueOf(), letting the user navigate wherever they wished, and then calling location.toString.call(cachedLocation) revealed the...

IE8 blocked prompt() and VBScript's InputBox when called without user interaction, similar to the window.open() popup blocker. IE9 did not apply those restrictions, allowing a page to open...

By overriding Location.prototype.replace on the top-level window, an attacker page could intercept any call to location.replace() made by a framed page — including the common frame-breaking pattern...

Opening a blank window and then navigating it to a real URL caused a crash in the VMware SVGA 3D driver (vm3dum.dll) when IE9 was running inside a VMware virtual machine. The IE WebGraphics team...

This was an incomplete attempt at a drag-and-drop UXSS technique. The idea was to trick a user into dragging selected text from a cross-origin IFrame into an attacker-controlled drop target, leaking...

Enumerating the properties of a reference to an HTML Object element that hosted non-HTML content (XAML, XPS, PDF, etc.) via a for...in loop caused a crash in IE9's JScript9 engine. The crash occurred...

Gareth Heyes discovered that comparing the screenTop property before and after triggering a potential XSS could reveal whether the IE XSS filter had activated and shown its yellow InfoBar. When the...

Deliberately causing an error inside a cross-origin IFrame and catching the exception gave access to the exception object's constructor chain, which led to the Function constructor of the IFrame's...

Properties set on an IFrame's window object during its onunload event persisted after the IFrame navigated to a different origin. Setting onload in onunload was particularly convenient because the...

Combining the IFrame resurrection technique with a createPopup() that attached a keypress event handler made it possible to capture all keystrokes typed anywhere in the browser, even after the...

Calling location.replace() with a javascript: URL on a cross-origin IFrame executed the script in the IFrame's security context. The replace method did not apply the same javascript: protocol block...

The IE9 InfoBar (the yellow notification bar at the top of the content area) could be overlaid by a createPopup() positioned to cover it exactly. This allowed an attacker page to hide security...

When an IFrame loaded an XML feed or other non-HTML content, accessing its document from an inline event handler bypassed the same-origin check that protected it from script in regular functions....

Calling document.open() on a freshly created popup document caused a PROBABLY_EXPLOITABLE crash in IE9. The popup document was not in a state that supported being re-opened, and the open() call...

The location object in IE9 could be called as a function. When called this way with a javascript: URL, it executed the script in the IFrame's context, bypassing the normal javascript: protocol...

Another variant of the cached-collection UXSS family: document.childNodes from a same-origin IFrame remained live after a cross-origin redirect, and its nodes' ownerDocument pointed into the new...

By defining a setter on window.location using Object.defineProperty, an attacker page could intercept the moment a framed page tried to break out of its frame (a common frame-breaking pattern). At...

When an IFrame loaded non-HTML content (such as a .mht MHTML file), accessing its document property was normally blocked. However, doing so from an inline event handler on a button — rather than from...

Caching the location object of a same-origin IFrame, redirecting it cross-origin, and then calling .replace.constructor() on the cached location object gave access to the Function constructor of the...

Two related techniques for reading cross-origin document content in IE9. The first overrode a method on a cross-origin IFrame's window before the victim page called it; the second obtained a live...

By intercepting a property access that IE's own internal code triggered during a document.execCommand call, and using arguments.callee.caller.constructor to obtain the native Function constructor, it...

Focusing a cross-origin IFrame and then calling document.execCommand from the parent page allowed injecting arbitrary HTML attributes into the IFrame's content via the InsertImage command. The...

Caching a reference to document.getElementById from an IFrame, reloading the IFrame, and then calling .constructor() on the cached method caused a PROBABLY_EXPLOITABLE crash. The method reference...

Accessing window[0].self on a cross-origin IFrame returned a window reference that bypassed same-origin checks, allowing the attacker page to read the IFrame's document URL and body content directly.

The IE9 XSS filter used the HTTP Referer header to determine whether a reflected script came from the same page, and only blocked scripts that appeared to have been injected from outside. By...

Writing a <script language="xml"> tag into an IFrame's document caused IE9 to crash with a PROBABLY_EXPLOITABLE rating. The XML script language type was an obscure IE-specific feature, and its...

Parsing an SVG document via DOMParser and then accessing the viewport property on the root SVG element caused a crash in IE9. The DOMParser-created document was not a fully initialized rendering...

Repeatedly calling document.write(1) on a freshly created popup via setInterval caused IE9 to crash. The first call worked; the interval kept creating new popups and writing to them, eventually...

Calling dialogArguments.window in a tight loop from within a modeless dialog caused IE9 to crash with a PROBABLY_EXPLOITABLE rating. The dialogArguments object exposed the opener window, and repeated...

An <audio> tag with the autoplay attribute inserted via insertAdjacentHTML continued playing audio even after the page navigated away. The audio element was not torn down with the rest of the...

IE9's InfoBar (the yellow notification bar) was supposed to show the domain of the page that triggered a blocked popup. By calling window.open() eleven or more times, the InfoBar's domain cache...

One of the more direct UXSS patterns: caching the window property of a same-origin IFrame and then redirecting the IFrame cross-origin left a live window reference that could read the new document's...

Storing a window method as an element inside a native JScript Array object, then reloading the IFrame that owned the window, and finally calling the cached method through the array caused a crash in...

Setting a built-in window method to null and then calling it inside a modeless dialog caused a crash in IE. The engine did not validate that a method was still callable before dispatching through the...

Opening a modeless dialog and then accessing the onmessage property of the opener window from within the dialog's script context caused a crash in IE9.

The htmlFile ActiveX object creates a hidden in-process HTML document. By having an IFrame write to it, reloading it twice in quick succession, and then reading its body, I was able to access content...

Caching the window reference of an IFrame, calling execScript on it to prime the scripting engine, and then destroying the IFrame's DOM node before calling location.reload() on the cached window...

The IE9 XSS filter blocked reflected <script> tags, but it did not account for the defer attribute. A <script defer> tag containing the injected payload was not matched by the filter's pattern,...

Caching the document object from an IFrame and then destroying the IFrame via outerHTML replacement left a dangling document reference. Writing to the body of that stale document caused an access...

Another of the three crashes found on 2010-05-17. Caching a Range object obtained via getSelection().getRangeAt(0) from an IFrame and then reloading that IFrame left a range pointing into freed...

The third crash from 2010-05-17 was the simplest of the batch. An HTML file containing only a bare <svg> tag with the XML namespace declaration was enough to crash the IE9 beta.

A variant of the cached-collection UXSS: caching a reference to a constructor function (Image, Option, XMLHttpRequest) from a same-origin IFrame, then redirecting the IFrame cross-origin, left a...

Two document.execCommand variants could be used to inject content or create links in the context of a cross-origin IFrame. The InsertImage variant worked by placing a contentEditable IFrame on an...

Silverlight's enableHtmlAccess parameter was intended to allow a trusted Silverlight application to interact with its hosting HTML page. When set to true for a cross-origin .xap file, it effectively...

IE had a registry-based feature control, FEATURE_VIEWLINKEDWEBOC_IS_UNSAFE, that was supposed to prevent certain WebOC navigation abuses. When PresentationHost.exe (the Silverlight host) was not...

This was a remote code execution finding in a SharePoint component that exposed the WebBrowser control (WebOC) to web content via a CFD (Client-side Framework for DHTML) integration. The Navigate2...

A follow-up to the earlier 60 MB view-source crash, this time with a 70 MB buffer to confirm the issue was reproducible and to test whether the increased size changed the crash characteristics.

A Perl script generated an HTML file with a 60 MB junk buffer inside an HTML comment. Opening this file normally worked fine, but choosing "View Source" caused an access violation in IE that...

By overriding a method on a same-origin IFrame's window before redirecting it to another domain, I could inject a function that would fire in the new cross-origin context when the method was...

While testing Silverlight in Chrome 4.0.249.78, I stumbled across four Chrome-specific issues that were unrelated to Silverlight itself. They are a good reminder that security testing one component...

Caching a reference to document.all from a same-origin IFrame before redirecting it to a different domain left a live collection object that still pointed into the new document's DOM. Accessing...

This was an address bar spoofing technique that worked by intercepting the page's own unload event, stopping the navigation, and immediately reloading with modified content. The result was a page...

By attaching a behavior:url(...) to a <link> element pointing at a file:// URL and counting the number of scripting errors thrown, a page could determine whether a specific file existed on the local...

MHTML (MIME HTML) files can contain multiple parts in a single response, similar to a multipart email. I found that loading an MHTML file in an IFrame and then enumerating the IFrame window's...

Similar in spirit to the Flash IFrame residency bug from a few weeks earlier, this one used an HTML Object element instead. By saving a pointer to a member on the object's window before destroying...

A Flash movie loaded inside an HTML Object element (rather than directly embedded) could use getURL with a javascript: URL and have that script execute in the context of the parent page, not the...

IE was supposed to mask the real file system path when a user selected a file via <input type="file">, substituting C:\fakepath\filename. I found that selecting the text in the input element and then...

Creating a popup from inside an IFrame, then navigating that IFrame away while the popup was still visible, left an orphaned popup window. Manually resizing it afterward triggered an access violation...

This entry contained two distinct crashes involving createPopup() and page lifecycle events. Both exploited the fact that hiding or focusing a popup at exactly the wrong moment during navigation...

This was a demonstration prepared for a colleague, Spencer Low, showing how an attacker could overlay a transparent IFrame over a trusted page and capture clicks intended for it. The victim site was...

A straightforward pattern that turned out to be surprisingly reliable: cache a reference to an IFrame's window, destroy the IFrame by replacing its HTML, then call any window method through the...

HTC (HTML Component) behaviors in IE gave elements a secondary document context. I found that if an opener window held a reference to an HTC element's document and then reloaded that document,...

This was an EXPLOITABLE-rated crash in IE8. An HTML Object element contained an inner document with its own IFrame, and caching a reference to the nested window's open method before destroying the...

While poking at how IE handled documents inside Flash-embedded iFrames, I noticed that grabbing a pointer to the document before navigating away kept some very lively references around. Setting a...

Saving a pointer to the Document of an iframe that contains a Flash file, and then closing the window that hosted it, crashes IE7 and IE8 in Protected Mode. The crash lands in Flash itself...

A penetration test of Silverlight 4 uncovered a cluster of serious issues in the WebBrowser control (WebOC) that Silverlight exposed to web content. These ranged from cross-origin script injection to...

A collection of proof-of-concept findings from the first Silverlight 4 security assessment. The compiled SL4_PoCs.xap contains the Silverlight-side code; the HTML files demonstrate three distinct...

The IE Feeds WebBrowser control generates a nested iframe when rendering feed content. The open method of that inner iframe is not properly sandboxed — it can load local files. Calling...

Loading a non-HTML file (XML feeds, XAML, XPS, SWF, etc.) inside an iframe that lives inside an OBJECT element inside a createPopup() popup, and then navigating that iframe via window.open, crashes...

Loading a binary file (exe, zip, etc.) inside an OBJECT element and then reloading its contents via parentWindow.location.reload() crashes IE8 with a PROBABLY_EXPLOITABLE write near NULL in...

Loading a XAML file that contains an iframe pointing to another XAML file causes a crash in the WPF rendering pipeline.

Loading feeds XML in an iframe causes IE to render it in a special WebBrowser control. Clicking a feed title loads a regular HTML page inside that WebBrowser. Saving a reference to window.open from...

A security assessment of WPF 4 Beta 2 browser-hosted applications. The findings are archived in the wpf4_pentest.zip file. This was part of ongoing XBAP/WPF security work during the WPF 4 pre-release...

The pop-up blocker normally allows exactly one window per user interaction. This bypass opens multiple windows from a single click by: (1) freezing the original click event using a modal dialog, and...

Loading an HTML page inside a XAML Frame element (which IE wraps in an auto-generated OBJECT tag), then destroying that OBJECT tag while keeping the inner HTML page alive, allows the script in the...

Loading an RSS/Atom feed inside an iframe and pressing F12 to open IE8 Developer Tools triggers an access violation in iedvtool!CDOMNodeContainer::LoadChildDocument+0x178. The crash reads from...

The WMPlayer.ocx ActiveX object's network.sourceProtocol property reveals whether a local file path exists and is loadable. Setting wmp.URL to a local path and checking sourceProtocol after a short...

While exploring the frozen-event technique, I discovered that IE fires undocumented event types when certain dialogs open. The event object during an alert() has type "showmessage" and exposes...

Any page can change IE's optical zoom level — and the setting persists across restarts — using ExecWB with OLECMDID_OPTICAL_ZOOM. This can be done from inside an iframe and affects every new tab and...

When an iframe shows a context menu or modal dialog, it freezes — and the event that caused the freeze is also frozen. At that exact moment, the cached event object of the parent window gets replaced...

A collection of findings from a security assessment of WPF browser-hosted applications (XBAP). Four distinct issues were identified across DoS, crash, and UXSS categories.

Accessing the CallMethod function on the Silverlight bridge object without arguments or in an unexpected state raises an uncaught exception that crashes the browser.

Setting an invalid URL in event.dataTransfer.setData("URL", ...) during a drag operation crashes IE. The !exploitable analyzer rated this EXPLOITABLE — EIP is changed, and the DEP access violation...

A local HTML file carrying a Mark-of-the-Web (MotW) comment runs in the Internet Zone rather than the Local Machine Zone. Flash files embedded in that page inherit the Internet Zone context, and...

A WPF XBAP (browser-hosted application) running in Internet Explorer could access the system clipboard when it should not have been able to. The compiled clipboard_hijacker.xbap demonstrates reading...

A WPF XAML Hyperlink element with a TargetName can navigate an iframe by name — including iframes belonging to other domains — bypassing the "Allow subframes to navigate across different domains"...

The launchURL method of the Windows Media Player 12 ActiveX object bypasses IE's pop-up blocker on Windows 7. The same method with WMP 11 on XP/Vista did not reproduce, suggesting a regression...

Saving a reference to an iframe's open method in an external popup window, then reloading the main page (destroying the iframe), leaves the cached open callable. Calling it with "about:blank" and...

Saving a reference to an iframe's Image constructor, reloading the iframe (which destroys the original context), and then calling new cachedImage() from the parent crashes IE8 with a...

Caching a reference to an iframe's execScript method, navigating the iframe to a cross-origin page, and then invoking the cached method via Silverlight's ScriptObject.CallMethod bypasses the...

Destroying the Silverlight control (via outerHTML replacement) while the Silverlight update modal dialog is open crashes the browser regardless of how the dialog is closed afterward.

Destroying the Silverlight OBJECT element via outerHTML while the install dialog is present (and the main thread is frozen) crashes the browser. The onMainThreadFrozen helper detects when the main...

Changing the Source property of the Silverlight object when the OnFullScreenChanged event fires crashes the browser. The new source value does not matter — even an empty string is sufficient.

Using the SplashScreenSource parameter with the same .xap file as the source parameter in a Silverlight 3 control triggers a null pointer dereference on load.

Flash's getURL method can navigate frames by name, including frames that belong to other domains. By assigning a name to a cross-origin iframe through JavaScript (which was apparently allowed at the...

Loading a XAML file that uses the insertObject mechanism while an empty iframe is present triggers a crash in IE8.

The IE8 XSS filter skips its checks when the request's referrer is the same domain as the target URL. By injecting a link in the first request that points back to the same vulnerable endpoint — with...

Creating an <object type="text/html"> element with createElement and then storing a reference to that element inside its own document's window keeps the element alive indefinitely — even after the...

IE8's Object.defineProperty can override members that IE's own internal dialogs access on the page's document. When the Print Preview dialog reads document.documentElement, our getter fires — and...

This builds on the delayed-redirect variable injection (entry #23) by using Object.defineProperty to install a getter accessor on a cross-origin window's document object. The accessor persists...

Opening a new window to a same-domain page that performs a server-side redirect to a different domain leaves a window of time during which JavaScript variables set on the new window persist — even...

Setting any property on the prototype of any HTML element type causes IE8 to crash when the File → Properties dialog is opened. The crash can be triggered without user interaction by using ExecWB to...

A script running inside an htmlFile ActiveX document can be made resident simply by storing a reference to the htmlFile object inside its own window. This creates a circular reference that prevents...

A setInterval placed inside a XAML Frame element (loaded via a WebSlice) keeps running even after the WebSlice is closed, because the PresentationHost.exe process remains resident in memory. The...

Loading a page with an X-Frame-Options header inside an iframe and triggering a reload crashes IE8.

Navigating an iframe's location to a page with an X-Frame-Options header via script crashes IE.

Two denial-of-service conditions in IE7 and IE8 triggered through the htmlFile ActiveX object.

This builds on the offsetParent UXSS (entry #16) to reach the res://ieframe.dll zone. Once inside that zone, two things become possible: spoofing the address bar using dnserror.htm#arbitrary-url, and...

I was lucky to find this one. A page with a !DOCTYPE declaration exposes document.all[0] as the DOCTYPE node, and that node's offsetParent is the hosting iframe element — even when that iframe...

Windows Desktop Search opened HTML result pages in a context where navigating location to a local executable path would launch that executable. The fix required restricting the zone or navigation...

This was an early version of a cross-origin technique later superseded by entry #16. The approach loads a non-HTML file (feeds XML, MHT, SWF, XAML, etc.) into an iframe nested inside a cross-origin...

Two approaches bypassed the X-Frame-Options: DENY header in IE8. The first uses a XAML Frame element as the embedding container; the second delays the insertion of an HTML OBJECT element via...

This is the IE8 variation of the _unspecifiedFrame About dialog attack. The IE7 version used a direct window.open to hijack the frame; IE8 blocked that approach, so the method switches to Windows...

While revisiting the cached window.open technique, I found that invoking the stale method twice in quick succession — after it had already been used to navigate the ghost iframe — was enough to crash...

These are two variations of a heap spray technique, exploring different data-binding sources in place of the original XML island. Both bind an iframe's src through the datasrc/datafld mechanism, with...

Loading a feeds-formatted XML file inside an iframe, then overwriting its contents with another iframe via innerHTML, and finally clicking inside the new inner iframe crashes IE8.

This entry is a variation of WinOOB 1053535, archived as a compressed proof-of-concept. The reproduction steps and source were preserved in the zip file rather than as standalone HTML. The core issue...

Calling ExecWB with OLECMDID_GETZOOMRANGE without the required fourth argument (a pointer) crashes IE7.

This one surprised me with how simple the entry point was. IE's About dialog opens a link in a window named _unspecifiedFrame. If an attacker pre-registers that window name, the About dialog's...

A close companion to the InsertImage finding, this one uses the CreateLink execCommand. By placing the focus in a cross-origin iframe and then invoking the command from a same-domain hidden iframe,...

IE's internal dialogs (Find, Print Preview, Properties, etc.) interact with the page's document object — and since JavaScript can override that object and its members, those dialogs end up calling...

This one surprised me. The document.execCommand('InsertImage', true) call, when triggered from an iframe on a different origin, ends up inserting content into the parent document rather than the...

After playing around for a while with non-HTML content in iframes, I noticed that when IE instantiates a WebBrowser control to render something like a Flash file, that WBControl ends up as an...

This one took some time to get right. The trick is keeping a script alive even after the main page navigates away, by caching an execScript reference from an iframe — but the catch is that the cache...

A short one. While exploring what Flash's getURL method would accept as a target, I found that embedding a url:file:/// scheme inside the redirect string caused IE8 to handle the navigation in an...

This was a variation on the earlier IE8 XSS filter bypass, this time using a <meta http-equiv="refresh"> redirect instead of navigating an inner iframe's location property. The filter checked whether...

These proof-of-concepts were written to be pasted into the LiveLabs sandbox environment (an internal IE testing harness at http://131.107.155.233/Samples/genericSample.aspx). The sandbox was supposed...

While testing variations of another bug on IE8, I found two separate crash paths involving window.createPopup() and deferred scripts. Both were straightforward to trigger and required no user...

A quick one. Writing a Flash <object> or <embed> tag into the DOM via innerHTML during the ONKEYPRESS event would crash IE7 if the key was pressed quickly enough — typically two or three rapid...

This was a variation on an MSXML cross-domain scripting bug (MSRC 7930) originally found by Gregory Fleischer, who used XML parameter entities in a DTD to exfiltrate content from a remote URL into a...

A straightforward crash: if any JavaScript prototype was modified — even just adding an arbitrary property like HTMLDivElement.prototype.ANYTHING = 777 — and then the browser's Properties dialog was...

IE8 introduced a "Compatibility View" button in the address bar. I found that when this button was clicked on a page that then performed a redirect to a page without a Content-Type header or DOCTYPE,...

IE8 introduced a built-in XSS filter that was supposed to detect reflected XSS attempts and neutralize them. After playing around for a while, I found a bypass: if the XSS payload was delivered not...

After the url:file:/// trick was patched in an earlier fix, I tried some simple variations to see whether the fix was complete. It turned out that inserting any extra characters between url and the...

This folder contains research materials from a Silverlight 2 Beta security review, including a detailed penetration testing document (Silverlight PenTest.docx) and four proof-of-concept archives...

This was a variation of the resident script technique adapted for IE8, where the previous iframe-based approaches had been patched. After playing around for a while, I found that you could cache the...

The 6on6 folder was a small personal tool — an HTML page backed by an #default#homePage behavior and userData persistence — that I used to track and quickly test browser security issues. The...

This folder contains a research document (postMessage penTest.docx) covering security considerations around the window.postMessage API, which was relatively new at the time. The notes explored...

Three separate XHR oddities I found while exploring how Internet Explorer's Microsoft.XMLHTTP ActiveX object handled unusual situations. None of them alone was a dramatic vulnerability, but together...

This folder contains a proof-of-concept for a cross-site scripting vulnerability found in a banking application. The details are archived in XSS_BOA.zip. The finding was part of broader research into...

This was a combination of two separate issues working together. First: IE accepted url:file:// as a valid iframe source, which loaded local files into an iframe from an internet-zone page. Second: a...

After the IE resident script work, I was curious whether the same class of issues appeared in Safari. It turned out that Safari had its own onunload quirk: during the unload event, you could call...

These are the proof-of-concept files I prepared for a BlueHat presentation. They cover four related techniques built around the idea of a "resident script" — JavaScript that survives a full page...

This folder contains evidence of a resident script technique discovered independently around the same time, using XML as the persistence vector rather than the HTML/iframe approach explored in other...

The Windows Media Player ActiveX control exposed a launchURL method that could open a new browser window without triggering the pop-up blocker. The method was intended to let the media player open...

A very clean residency technique: creating an OBJECT TYPE="text/html" element via document.createElement and storing it in window.opener keeps the referenced document alive and running after the page...

Another brief one from the same Silverlight testing session. Passing the userControl object from the onLoad event into IE's Enumerator constructor would crash the browser immediately. The crash was...

This one surprised me. IE's popup blocker is supposed to block window.open() calls that don't originate from a direct user gesture. The expectation is that a setTimeout delay breaks that link. What I...

A short one. If you repeatedly overwrite the innerHTML of the <div> that contains a Silverlight control, IE would crash. The Silverlight object didn't even need to have a source — an empty control...

I was lucky to find this one while testing Silverlight 2.0 Beta. The normal way to access a Silverlight control's XAML DOM from JavaScript is through...

After playing around for a while with Flash's allowScriptAccess and allowFullScreen parameters, I came across a way to have a Flash object load and interact with a remote SWF file on a different...

I was lucky to find this one. While poking at IE's ExecWB method, I discovered that when you call it with the IDM_PRINTPREVIEW command on an iframe, the third parameter — normally a printer name — is...

After playing around for a while with XAML's <Frame> element and some earlier PDF work, I noticed that loading an HTML page inside a XAML Frame seemed to inherit a surprisingly elevated security...

I was looking at how Adobe Acrobat Reader handled links embedded in PDF files when the PDF was loaded inside an IE iframe. I found that a PDF crafted with an internal link pointing to a file:/// URL...

Earlier UXSS variants using cached iframe documents required reloading the main page and using window.opener as the storage mechanism. I was looking for a simpler version and found one: by caching...

This one surprised me. By combining two techniques — loading HTML inside a XAML <Frame> element, and then using the ExecWB IDM_PRINTPREVIEW trick to open a privileged modal — it became possible to...

I was applying the cached-Document technique to IE's internal res:// protocol URLs — specifically res://ieframe.dll/dnserror.htm, the DNS error page. After caching the Document of an SWF-loaded...

On the same day as the res:// crash, I was experimenting with what happened when you appended a # fragment to the same res://ieframe.dll/dnserror.htm URL in the cached-document navigation. Instead of...

Continuing the investigation of what XAML Frame pages could access that standard Internet Zone pages could not, I found that <img> tags with file:/// URLs loaded successfully inside a XAML Frame. A...

I was looking at what local file access XAML Frame pages had compared to standard Internet Zone HTML pages. I found that inside a XAML Frame, you could set the src of a <script> element to a local...

IE7 introduced a security enhancement that blocked window.prompt in the Internet Zone and replaced it with the gold Information Bar, specifically to prevent phishing sites from mimicking login...

I was exploring a subtle difference between location.href = "about:blank" and document.URL = "about:blank" when called from inside an iframe. They behave differently in terms of which security domain...

While exploring the document.URL = "about:..." quirk from the IE 5.5 research, I found that XAML <Frame> elements in IE behaved differently from ordinary HTML iframes. Inside a XAML Frame, the about:...

While working on MSRC case 7571 — which involved using a vulnerable launchurl method to run local executables — I found a variation that went further: it was possible to use the same technique to...

I was exploring unusual combinations of IE-specific APIs and found that creating a createPopup() from inside another createPopup()'s parentWindow, and then setting the inner popup's innerHTML to...

I had previously reported a UXSS using Flash's getURL with the POST method. When Flash 9 shipped, I checked whether the GET method variant — which had been fixed in Flash 6 through 8 — was still...

This one surprised me. I noticed that Flash's getURL() function, when called with the "POST" method and a javascript: URL as the target, could execute script inside an IFRAME on a different domain....

After finding the Office XP ActiveX file-existence check, I wondered whether the Flash plugin had a similar observable side channel. It did. By setting the Movie property of a Flash <object> element...

I was looking at ActiveX controls that were marked safe for scripting but had interesting side channels. The MSDDSC.DDSC Dashboard Components control (installed with Office XP) exposed an Export...

The XP-only URL spoof using onbeforeunload and history.go(0) stopped working on Windows Vista. After some digging, I found a small adjustment that restored the behavior on Vista: instead of calling...

I was looking at address bar spoofing scenarios and found that combining window.onbeforeunload with history.go(0) produced a clean URL spoof on Windows XP. When a user typed a new URL and pressed...

I was curious whether caching execScript — the IE-specific method for running code in a window's context — from an iframe would survive a page reload in the same way that window.open had. It did. By...

The day after finding the resident cached window.open technique, I started thinking about combining it with a setCapture trick from an earlier UXSS case. The result was something a bit more...

I was looking at what happened when you cached method references from iframe contexts rather than document objects. It turned out that grabbing the window.open method from an iframe and stashing it...

This doesn't crash IE — it freezes it completely. The browser stops responding to input, can't be minimized, maximized, or closed, and disappears from the Alt+Tab list. It's alive but halted,...

The day after finding the UXSS variant using a cached iframe Document, I was curious what would happen if you navigated the same stale reference a second time in quick succession. It turned out that...

I was playing around with how IE handled the Document object of iframes loaded with non-HTML content — things like SWF, MHT, or XAML files. After some persistence, I found that caching that Document...

Passing the Application property of an IFRAME to the Enumerator constructor closes the entire browser — all tabs, no prompts — on IE7. The Application object is the top-level IWebBrowser2 interface,...

Another entry in the frameElement UXSS collection, but this one uses pure HTML — no Flash, XAML, or XML. The trick is to cache an IFRAME's contentWindow, then destroy the IFRAME with outerHTML, and...

Another variation of the setCapture() UXSS (originally case #6445). The original used setCapture() on the top window; the first variation used it inside a same-domain IFRAME. This one moves the...

Changing an HTC behavior's URL to cache its document, then changing it back, and then writing an innerHTML with a deferred script to the cached HTC document crashes IE. The size of the HTC file...

The same frameElement UXSS pattern works with a Flash SWF file as the bridge. Loading a SWF inside an IFRAME that redirects (via getURL) to a different-domain HTML page gives that HTML access to...

Loading a XAML file in an IFRAME and then clicking a hyperlink inside the XAML that targets a different-domain HTML page gives that HTML page access to frameElement. The XAML acts as an...

The same frameElement leak that works with XAML also works with an RSS/XML file. Loading an XML feed inside an IFRAME and clicking a link in it that points to a different-domain HTML page gives that...

An HTML page hosted inside a WPF/E XAML <Frame> can call createPopup() and show it with coordinates far outside the normal browser window bounds. The popup can cover the entire screen including areas...

An HTML page hosted inside a WPF/E XAML <Frame> element can read the clipboard without any prompt. The XAML hosting context apparently gives the embedded HTML a different trust level, or bypasses the...

Caching a WPF/E (Windows Presentation Foundation Everywhere — the early XAML browser plugin) Canvas node in window.opener, reloading the page, and then calling add() on the cached node causes the...

A resident createPopup that tries to access its creator IFRAME's parent after that IFRAME is gone (because the page reloaded without it) crashes IE7. If the second load happens to include other...

Enabling designMode on an IFRAME's document and then navigating the IFRAME to an XHTML file that contains a DOCTYPE declaration crashes IE. The designMode state apparently conflicts with XHTML's DTD...

Loading an .mht (MHTML archive) file inside an IFRAME from a different domain gives the MHT content access to frameElement — the IFRAME element in the parent page. From frameElement.ownerDocument,...

Because IFRAMEs expose the WebBrowser Control's Navigate2 method, a web page can use Navigate2 with a PIDL (shell folder identifier) to open special shell folders — like the user's Documents, Control...

Caching the Application property of an IFRAME before navigating it to a cross-origin URL gives unrestricted access to the cross-origin document. The Application property returns the top-level...

An IFRAME exposes a Document property (capital D) from its WebBrowser Control interface. When the IFRAME loads an RSS/XML file first, and then navigates to an arbitrary URL or local file path by...

Using an IFRAME as a WebBrowser Control, it's possible to call ExecWB(IDM_COPY, OLECMDEXECOPT_DONTPROMPTUSER) and ExecWB(IDM_PASTE, OLECMDEXECOPT_DONTPROMPTUSER) to copy and paste clipboard contents...

IFRAMEs in IE expose the same COM interface as the WebBrowser Control, which means they have methods like ExecWB and ShowBrowserBar. Calling ExecWB(2, 1) from an IFRAME closes all browser tabs...

A createPopup shown during the onunload event persists after the user navigates away. The popup stays visible on screen even though the page that created it is gone. It's a minor issue but shouldn't...

A Flash movie can trigger a file download using getURL("file.exe", "_top", "GET") without triggering IE's Information Bar (the "GoldBar" that warns about downloads). The download simply starts — no...

Calling document.write inside an onbeforeunload handler crashes IE7. The crash only happens when an IFRAME is present on the page and when the navigation is triggered by a setTimeout or by typing a...

Setting screen.updateInterval to a very large value prevents IE from repainting the window after navigation. The user can change URLs, but the browser won't visually update unless they scroll,...

A .NET user control hosted in IE can store a reference to an IFRAME's document object. After the IFRAME navigates to a different domain, the stored reference remains valid and bypasses all...

A hosted .NET control can write arbitrary text to the clipboard without triggering IE's security prompt, because Clipboard.SetDataObject is a .NET framework call that bypasses the browser's clipboard...

Caching a method from the window object (like window.moveTo) in window.opener, reloading the page, and then accessing window.opener crashes IE7 with an access violation. IE6 throws an "Access Denied"...

The navigator object is shared across all frames in the same browser process — it's the same object regardless of which domain's script is running. This means a cross-origin page can store a...

A variation of the clipboard phishing technique that works without the RefEdit ActiveX — instead it intercepts the oncopy event and temporarily swaps the text in the input field before the clipboard...

Calling document.execCommand("SaveAs") on the document of a createPopup or htmlFile ActiveX crashes IE. Both off-screen document containers lack the necessary hosting context for the Save As dialog,...

The Office XP RefEdit ActiveX control has a Cut method that writes to the clipboard without triggering IE's clipboard permission prompt. A page can use this to silently replace whatever text the user...

Two lines of script close the current IE7 browser window or tab without any confirmation prompt. The trick is calling window.open("","_self") first, which reassigns the window's navigation target to...

After playing around for a while with the original setCapture() UXSS technique (case #6445), I found that the fix didn't cover all variations. Instead of capturing events on the top window, this...

Running a specific two-line script through eval — but not directly — causes IE to consume 100% CPU indefinitely. The code creates an htmlFile ActiveX and calls createElement with an OBJECT tag...

The HTML Help control (hhControl) has a TextPopup method that displays a text popup over a specified screen area. By passing very large coordinates, a page can create a popup that covers the entire...

The Excel spreadsheet ActiveX control exposes a cells().hyperlink object that can be set to any URL — including javascript: URLs — and then followed programmatically. When followed from inside a...

The old Scriptlet Component ActiveX (CLSID AE24FDAE-03C6-11D1-8B76-0080C744F389) loads a URL and exposes its document in a way that bypasses same-origin restrictions. A page in a different domain...

A collection of four separate crash cases, found around the same time. Each one is a standalone reproducer.

I was playing around with the htmlFile ActiveX and found that by naming its internal window and then using window.open to navigate it to any URL, the parent page retains full DOM access to that...

This entry contains compiled artifacts (.zip archives of the PoC files). The techniques involved creating popups that "stick" to the screen or cover it even after navigation — exploiting IE6's...

Renaming an object window inside a dead htmlFile ActiveX to _unspecifiedFrame and then calling open() on it crashes IE. The name _unspecifiedFrame is apparently an internal sentinel value, and...

Creating a resident createPopup inside an IFRAME and then running a setInterval that checks parent causes an access violation after the user navigates away. The local var declaration inside the...

This combines the residency trick with the nested-object popup bypass. A createPopup made resident inside an IFRAME survives the IFRAME navigating away. After the navigation, an OBJECT...

An XSL stylesheet that calls transformNode on itself — by loading the same stylesheet recursively via an embedded script — causes a stack overflow in MSXML. The circular transformation reference...

Recursively nesting IFRAMEs by having each page write a new IFRAME pointing to itself eventually overflows the stack. A counter stored on top limits the recursion to 500 levels, after which a...

Loading an OBJECT TYPE="text/html" that points back to the same file (with an anti-cache query string) creates an infinite nesting of document objects, eventually overflowing the stack. It's IE's...

Programmatically calling .click() on an INPUT TYPE="FILE" element that lives inside a createPopup or htmlFile ActiveX crashes IE. The file picker dialog is designed to operate inside a real browser...

Calling the Navigate method on the Shell.Explorer ActiveX (created with new ActiveXObject("Shell.Explorer")) crashes IE. The control is initialized without a host window, and navigating it before it...

Accessing the bgColor property of a freshly created htmlFile ActiveX crashes IE. However, if any property on the ActiveX's parentWindow is set first — even a completely arbitrary one — the crash...

The Shell.Explorer.2 ActiveX exposes a FullName property that returns the full path to the IE executable on disk. The same control's ShowBrowserBar method lets a page script open IE's built-in...

I noticed that when a WebBrowser Control is embedded in a page, it exposes browser-level events — including NewWindow3 — to the host page's scripts. This means a page can intercept the URLs of any...

This address bar spoof for IE6 uses the htmlFile ActiveX to call window.open via execScript, which unlocks a navigation path that isn't available when called directly from a page script. The sequence...

I noticed that when IE7 opened a res:// protocol URL like res://ieframe.dll/dnserrordiagoff.htm#http://www.google.com, it would rewrite the address bar to show only the fragment —...

A simpler residency technique that doesn't need a createPopup at all — just the htmlFile ActiveX and window.opener. Creating an htmlFile ActiveX, writing a setInterval script into it, and storing it...

This one surprised me — the IFRAME doesn't actually participate in the logic, but the script only stays resident if one is present on the page. Without it, the createPopup gets cleaned up normally....

This is a "pseudo" UXSS because it requires cooperation from the target page — the cross-origin document has to run top.opener = document. Once it does, the parent page can access that document...

After some persistence I found a way to open an unrestricted pop-up window on both IE6 and IE7 using the htmlFile ActiveX object. The trick is to store the ActiveX reference outside an IFRAME, kill...

This technique keeps a script alive even after the user navigates away from the page — like a "terminate and stay resident" program from the DOS era. By creating an htmlFile ActiveX object, writing a...

This variation doesn't use the mhtml: protocol at all. Instead, it relies on the <BASE HREF> tag pointing to a server-side redirect. A createPopup() that reloads itself inherits the redirected...

The WebBrowser Control ActiveX (the same engine that powers IE) exposes a Navigate method that opens URLs without going through the pop-up blocker. Embedding a tiny, invisible instance of the control...

I was playing around with the WebBrowser-family ActiveX controls and noticed that one of them exposed a DOM.Script.open() method that bypassed the pop-up blocker entirely. The control essentially...

I was lucky to find this one. The technique exploits how IE handles the mhtml: protocol combined with a server-side redirect to strip the Same Origin Policy boundary entirely. By loading a page via...

This one is not mine — a coworker found it when IE 5.5 shipped. I included it in a report to MSRC because it was still working on IE 6 and, at the time, IE7 as well. Two lines.

When SP2 shipped, Microsoft added size restrictions to createPopup() — the popup window could no longer extend beyond the browser's own boundaries. It was a reasonable fix for a technique that was...

I named this one "Lazarus Resurrection" because the script dies and comes back to life. The idea was to keep a piece of JavaScript running even after the user has navigated away from the page — the...

The finding was simple to describe: load any site cross-domain, then read its DOM. No user interaction required beyond visiting the page. It affected IE 5.5, 6.x, and IE7.