Spoofing the User's Saved Webpage via pushState + Server Redirect

Calling history.pushState to change the displayed URL to a redirect page, then having the user save the page with Ctrl+S, caused IE to save the redirect’s destination — not the current page content — as the MHT file. The user would believe they were saving one thing and end up with another.

history.pushState("","","redirect.aspx");

redirect.aspx redirected to bing.com. When the user pressed Ctrl+S to save the page, IE used the URL shown in the address bar (now redirect.aspx) as the source. Saving as MHT caused the browser to fetch that URL, follow the redirect, and save Bing’s content instead of the actual displayed page. The visual mismatch between what the user saw and what they saved could be used to trick someone into saving a malicious page they believed came from a trusted source.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [UXSS: Injected iFrame + Server Redirect + javascript: Location] :: [Capturing Address Bar Input via createPopup and onbeforeunload] >