IE10 Sandbox Bypass via Default Search URL

I was lucky to find this one — it is surprisingly simple. A fully sandboxed iFrame (with no flags at all, not even allow-scripts) could still break out by triggering a default search query. The browser would load the search result in the top frame, completely outside the sandbox.

<!-- index.html -->
<iframe sandbox src="sandboxed.html" width="300" height="50"></iframe>

<!-- sandboxed.html: the link uses the search: protocol shortcut -->
<a href="site:www.cracking.com.ar">Search for "site:www.cracking.com.ar" breaking out of the Sandbox</a>

Clicking a link whose href begins with a search query term (rather than a normal URL scheme) causes IE to hand it off to the configured default search engine. That hand-off bypasses the sandbox entirely and loads the search page in the top-level frame. On Win7/IE10 this reproduced almost every time; on Win8/IE10 an authorization dialog occasionally appeared. Tested on Win8 RP IE10.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE10 Sandbox Bypass via New Window Write-Back] :: [IE10 Address Bar Spoof via history.replaceState] >