| May 2017 | SOP bypass / UXSS - Stealing Credentials Pretty Fast (Edge) |
| Apr 2017 | SOP bypass / UXSS - Tweeting like Charles Darwin (Edge) |
| Apr 2017 | SOP bypass courtesy of the reading mode (Edge) |
| Mar 2017 | SOP bypass / UXSS - More Adventures in a Domainless World (IE) |
| Feb 2017 | SOP bypass / UXSS htmlFile in IFrame (IE) |
| Dec 2016 | SOP bypass / UXSS - Adventures in a Domainless World (Edge) |
| Sep 2016 | Workers SOP Bypass importScripts and baseHref (Edge/IE) |
| May 2014 | UXSS: Injected iFrame + Server Redirect + javascript: Location |
| Apr 2014 | UXSS: htmlFile ActiveX + about:blank Meta-Refresh + Link Click |
| Mar 2014 | UXSS: X-Content-Security-Policy Sandbox + Cached window.open + xml Script Tag |
| Feb 2014 | UXSS: iFrame javascript: URI Executes in base href Origin |
| Feb 2014 | UXSS: New Window javascript: URI Executes in base href Origin |
| Dec 2013 | UXSS: Free Code Execution in the res:// Domain via InsertImage |
| Dec 2013 | UXSS via iFrame document Cached in modelessDialog returnValue |
| Nov 2013 | UXSS via XSLT Script and Base Href Origin Confusion |
| Nov 2013 | UXSS on IE11: Domainless about:blank Full Cross-Origin Access |
| Oct 2013 | UXSS via Cached External Object in modelessDialog |
| Sep 2013 | UXSS via Domainless about:blank and htmlFile ActiveX |
| Jul 2013 | F12 DevTools DOM Explorer UXSS via Select Element |
| Mar 2013 | UXSS via Cached createRangeCollection After Redirect |
| Mar 2013 | UXSS via iFrame getSelection After Redirect |
| Mar 2013 | UXSS via createRange Duplicate and Function Constructor |
| Mar 2013 | UXSS via Known Named Element in Cached Forms Collection |
| Mar 2013 | UXSS via iFrame Redirect and location javascript Protocol |
| Mar 2013 | IE11 UXSS via replaceState Spoof and New Window |
| Mar 2013 | UXSS via Cached DOMParser Instance After Redirect |
| Feb 2013 | UXSS via Cached childNodes and Web Worker — IE10/IE11 Variant |
| Feb 2013 | IE10 UXSS: Sandbox Headers Paradox |
| Oct 2012 | IE10 UXSS via Injected JavaScript Link |
| Aug 2012 | IE10 UXSS via Cached childNodes and New Thread |
| Jul 2012 | IE10 UXSS via Cached document.all and New Thread |
| Jun 2012 | IE10 UXSS: New Window pushState + designMode + Back Button Gives Cross-Origin DOM Access |
| Jun 2012 | IE10 UXSS: Sandbox Paradox — javascript: URL in Sandboxed iframe Gives Cross-Origin DOM Access |
| May 2012 | IE10 UXSS: pushState + Redirect + history.back() Retains Cross-Origin DOM Access |
| May 2012 | UXSS: Meta-Refresh to about:blank Inherits Parent Domain Instead of iframe Domain |
| May 2012 | IE10 UXSS: Caching document.all from New Window Before Server Redirect |
| Feb 2012 | IE10 UXSS: XMLHTTP in Redirected iframe with designMode Accesses Cross-Origin Content |
| Feb 2012 | IE10 UXSS: createPopup document.write in Redirected iframe Changes Popup Origin |
| Jan 2012 | UXSS: Caching Modal External Object and Sharing document via returnValue |
| Dec 2011 | IE10 UXSS: Caching document.all Collection Survives Server Redirect |
| Dec 2011 | IE10 UXSS: Caching Window Reference via HTC in Math Object Survives Redirect |
| Dec 2011 | IE10 UXSS: Cached XHR Object Retains Cross-Origin Access After Redirect |
| Dec 2011 | IE10 UXSS: Blob URL Entropy Is Low Enough to Brute-Force Cross-Origin Image Data |
| Jul 2011 | UXSS: VBScript Error Bubbles Up to Expose Cross-Origin Constructor |
| Jun 2011 | UXSS: Mixing Document Mode Across Tridents Using MHT |
| May 2011 | UXSS: Caching the ActiveXObject Constructor Across a Redirect |
| May 2011 | Pseudo-UXSS: external.returnValue Shared Across Domains in Modal Dialogs |
| May 2011 | UXSS: createElement Cached Reference Survives Redirect |
| Apr 2011 | UXSS: Cached document.styleSheets and document.selection Survive Redirect |
| Feb 2011 | IE9 UXSS: Resident createPopup Function Call |
| Jan 2011 | IE9 UXSS: Generate Error to Grab the Error Handler's Caller Function |
| Dec 2010 | IE9 UXSS: window.open Redirect with setTimeout Code Execution |
| Nov 2010 | IE9 UXSS: Location.prototype.replace Intercepts Cross-Origin Frame-Breaking |
| Nov 2010 | Drag-Drop UXSS Attempt (Unfinished) |
| Oct 2010 | IE9 UXSS: Generate an Error in an IFrame and Grab the Exception Object |
| Oct 2010 | IE9 UXSS: Window Members Set in onunload Persist Across Cross-Origin Navigation |
| Sep 2010 | IE9 UXSS: location.replace with javascript: URL Bypasses Protocol Safety |
| Sep 2010 | IE9 UXSS: Free Access to Non-HTML IFrame Content from Inline Events |
| Sep 2010 | IE9 UXSS: location Object Called as a Function Bypasses javascript: Protocol Safety |
| Sep 2010 | UXSS: Cached childNodes Collection Survives Cross-Origin Redirect |
| Sep 2010 | IE9 UXSS: Object.defineProperty Intercepts Cross-Origin Navigation |
| Aug 2010 | IE9 UXSS: Reading Non-HTML IFrame Content from an Inline Event Handler |
| Aug 2010 | IE9 UXSS: Getting Function Constructor from a Cached location.replace |
| Aug 2010 | IE9 UXSS: Overriding Window Methods or Getting Function via Constructor |
| Aug 2010 | IE9 UXSS: document.execCommand InsertImage Injects into Cross-Origin IFrame |
| Jul 2010 | IE9 UXSS: Accessing Cross-Origin Content via window.self |
| Jun 2010 | IE9 UXSS: Classic Window Object Caching After Cross-Origin Redirect |
| Jun 2010 | IE9 UXSS: htmlFile ActiveX Object Double-Reload Redirect |
| May 2010 | UXSS: Cached Constructor Object Survives Cross-Origin Redirect |
| Apr 2010 | UXSS: InsertImage and CreateLink execCommand Bypass Same-Origin Policy |
| Apr 2010 | UXSS via Silverlight enableHtmlAccess |
| Feb 2010 | UXSS: Overriding a Trident Method on an IFrame Before Redirect |
| Jan 2010 | UXSS: Cached document.all Collection Survives Cross-Origin Redirect |
| Jan 2010 | Pseudo-UXSS via Multipart MHTML IFrame |
| Dec 2009 | UXSS: Flash getURL Executes in Parent Context via HTML Object |
| Jul 2009 | UXSS via Frozen IFrame Cached Event |
| May 2009 | UXSS via Silverlight Cached Method InvokeSelf |
| Mar 2009 | UXSS — IE8 defineProperty Accessor Survives Cross-Origin Redirect |
| Mar 2009 | Pseudo-UXSS — Injecting Variables into a Cross-Origin Window via Delayed Redirect |
| Feb 2009 | UXSS via offsetParent as frameElement |
| Feb 2009 | UXSS via setCapture and offsetParent (Superseded) |
| Nov 2008 | UXSS via CreateLink execCommand Across Origins |
| Nov 2008 | UXSS via InsertImage execCommand Across Origins |
| Feb 2008 | UXSS via Silverlight onLoad Argument Bypassing Cross-Origin Check |
| Oct 2007 | UXSS Simplification (WOOBR 977211): Cached SWF Document Without Reload |
| Oct 2007 | UXSS (SOP Bypass Attempt): IE 5.5 document.URL Set to about: Script |
| Oct 2007 | UXSS via XAML Frame: document.URL about: Script Injection |
| Sep 2007 | UXSS: IE7 + Flash 9 getURL GET Method Allows Cross-Origin Script Injection |
| Sep 2007 | UXSS Using Flash getURL POST Method |
| May 2007 | UXSS Variation: Cached window.open with setCapture Across All Pages |
| Apr 2007 | UXSS via Cached Non-HTML Document and Page Reload |
| Apr 2007 | UXSS - Cached contentWindow frameElement |
| Apr 2007 | UXSS - HTC setCapture Variation - Case 6445 |
| Apr 2007 | UXSS - SWF frameElement |
| Apr 2007 | UXSS - XAML frameElement |
| Apr 2007 | UXSS - XML Feeds frameElement |
| Apr 2007 | UXSS - MHT frameElement |
| Apr 2007 | UXSS - Masked WebBrowser Control Cached Window |
| Mar 2007 | IE7 UXSS - Read Local Files and URLs Through Feeds |
| Feb 2007 | userControl Cached Document UXSS |
| Feb 2007 | UXSS - Navigator Shared Properties and Methods |
| Jan 2007 | UXSS Using Excel Control |
| Jan 2007 | UXSS - Pseudo Cross-Domain Scriptlet Component |
| Jan 2007 | UXSS Using Just htmlFile |
| Dec 2006 | Address Bar Spoof IE7 - UXSS Needed |
| Nov 2006 | UXSS - Pseudo Cross-Domain |
| Nov 2006 | UXSS Using BaseHref Redirect and createPopup |
| Oct 2006 | mHTML URL Spoof - ReadFile - UXSS |
| Feb 2006 | UXSS via OBJECT + createPopup + IFRAME (MSRC 6417) |