IE10 Sandbox Bypass: Invalid Server Redirect URL Loads Error Page Outside Sandbox

I found that when a sandboxed window received an HTTP 302 redirect to an invalid URL scheme (like badurl:), IE loaded its default error page outside the sandbox constraints. After going Back from the error page, the window remained out of the sandbox. This was inspired by a David Ross idea for escaping the sandbox without JavaScript — all manual steps in the original test were done with JS disabled.

<!-- index.html -->
<iframe sandbox="allow-popups" src="sandboxed.html"></iframe>

' redir.aspx - server side
Response.Redirect("badurl:")  ' IE loads an INVALID URL page, completely out of the Sandbox.

The sandboxed iframe opened a new popup (outofsandbox.html), which navigated to a server page that returned a 302 Location: badurl:. IE loaded the error page for the invalid URL in a non-sandboxed context. Pressing Back brought the user to outofsandbox.html — but now without sandbox restrictions, making cookies and other restricted resources accessible.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE10 UXSS: New Window pushState + designMode + Back Button Gives Cross-Origin DOM Access] :: [IE10: mhtml: Protocol Bypasses file:// Restriction and Loads Local Mark-of-the-Web Files] >