Another variation on the htmlFile pop-up blocker bypass, this time using a destroyed iFrame's ActiveX object as the carrier. Creating the htmlFile inside an iFrame and then navigating the iFrame away...
Clickjacking via createPopup and setCapture
Combining createPopup and setCapture produced a clean clickjacking setup. The popup appeared over the target iFrame as a visible overlay, but because setCapture redirected mouse input to the main...
DoS: document.open/close on createHTMLDocument or XHR Response Document
A brief crash report. Calling open() and close() on a document created either by document.implementation.createHTMLDocument() or obtained as an XHR responseType="document" caused a null pointer...
UXSS via XSLT Script and Base Href Origin Confusion
This one surprised me. MSXML's XSLT <xsl:script> block ran with the origin of the page's <base href>, not the actual page origin. By setting a <base href> to a target domain and embedding script in a...
IE11 Sandbox Bypass via Accelerator URLs
I was lucky to find this one while testing the HTML5 sandbox implementation. IE11 had a list of default accelerator URLs — like bing.com and live.com — that were treated as trusted redirectors....
Persistent Keylogger via Resident createPopup
This one combined several of the techniques I had been exploring — a cached iFrame open reference, a background navigation, and a createPopup — into a persistent in-tab keylogger. The popup would...
Resident Script via htmlFile ActiveXObject in New Tab
This variant used an htmlFile ActiveX object to keep script alive across navigations in a new tab. A helper page in the new tab created the htmlFile and saved a reference back to the opener, then...
UXSS on IE11: Domainless about:blank Full Cross-Origin Access
This was a port of an earlier UXSS chain (originally found on IE10) updated to reproduce on IE11 RTM. The technique used a server-side redirect, a cached ActiveXObject reference, and a domainless...
Resident Script via Web Worker Spawned in onpagehide
This variation on the resident-script theme used a Web Worker to stay alive across navigations. By spawning the Worker inside the onpagehide handler, the Worker thread kept running long after the...
Referrer Spoof via Server Redirect and Cached Location Object
After playing around for a while with how IE handles redirect chains inside iFrames, I found a way to fake the HTTP Referer header sent to a destination page. The technique could be used to fully...
DoS: Accessing Destroyed Intl Object After iFrame Navigation
A brief crash report. Saving a reference to an iFrame's Intl object and then navigating the iFrame to about:blank caused a null pointer dereference in jscript9!ArenaAllocator::AllocZero when the...
DoS: Loading MHTML Protocol URL in an iFrame
A brief crash report. Setting an iFrame's location to a mhtml: URL — including a bare mhtml: with no path — triggered an assertion failure in urlmon!CBSCHolder::RemoveNode, the same root cause as the...
DoS: modelessDialog Redirect with Simultaneous Alert
A brief crash report. Opening a modeless dialog pointed at a server-side redirect and then immediately scheduling an alert inside that dialog produced an assertion failure in...
IE11 Sandbox Too Tight: Pop-up Inherits Sandbox Restrictions
This one was a logic issue rather than a crash. When a sandboxed iFrame with allow-popups opened a new window and the user then typed a different URL in that new window's address bar, the new URL...
DoS: Loading an MP3 Inside a Sandboxed iFrame
A brief crash report. Loading an MP3 file into a sandboxed iFrame triggered an assertion failure in urlmon!CINetHttp::LastRequestHandleClosed.
DoS: designMode + document.open from iFrame Crashes Browser
A brief crash report. Enabling designMode in an iFrame and then calling top.document.open() from that iFrame caused a null pointer dereference in MSHTML!CJScript9Holder::ClearHostObjects.
UXSS via Cached External Object in modelessDialog
After playing around with showModelessDialog and its external property, I found that caching a reference to the dialog's external object before navigating it away allowed continued access to the...
DoS: Loading Any URL via the MHTML Protocol Handler
A brief crash report. Navigating to any URL prefixed with the mhtml: protocol scheme crashed IE11 with an assertion failure in urlmon!CBSCHolder::RemoveNode.
DoS: Opening and Immediately Closing an RSS Feed Window
A brief crash report. Opening a new window with RSS feed XML content and closing it immediately triggered an assertion failure in MSHTML!CDwnCrit::Enter.
EoP: Crash Changing iFrame URL from RSS Feed
A brief crash report, though this one was classified as PROBABLY_EXPLOITABLE. Loading an RSS feed XML in a named iframe and then calling window.open("about:blank", "iFrame") to retarget that frame...
UXSS via Domainless about:blank and htmlFile ActiveX
This was one of the more involved UXSS chains I worked on. It combined a server-side redirect, a cached ActiveXObject reference, and a "domainless" about:blank window to ultimately execute script...
Resident Script via HTML Object External Reference
This variation on resident script execution used an HTML <object> element and an external window to keep a script context alive after the user navigated away. By holding a reference to the object's...
Pop-up Blocker Bypass via htmlFile ActiveX in createPopup
While playing around with createPopup again, a variation of an older pop-up blocker bypass surfaced. The trick involved instantiating an htmlFile ActiveX object inside a createPopup, destroying the...
Dialog Spoof Across Tabs via Back Navigation
After playing around with back-navigation timing, I found that a tab returning from a history.back() could display dialogs that appeared to originate from whatever tab had focus at the time —...
createPopup Overlay Spoof Across Tabs
IE11 failed to hide createPopup windows when the user switched to a different tab. A popup created in one tab would remain visible over every other tab, allowing an attacker to overlay arbitrary...
DoS: createPopup screenLeft Null Pointer
A brief crash report. Reading the screenLeft property on a hidden createPopup's parentWindow caused a null pointer dereference in MSHTML!CInPlace::ClientToScreen.
Address Bar Spoof via Non-Responding URL
By navigating to a URL that never responds (a server-side Thread.Sleep), and then letting the user type a new address, the browser would update the address bar to show the new URL while keeping the...
Browser Window Close via onbeforeunload Location Race
This one surprised me. Setting location inside onbeforeunload while the user simultaneously types a new URL in the address bar caused the entire browser window to close — and sometimes left an...
Resident Script Execution via onpagehide
Similar in spirit to the onbeforeunload variant, this one used the onpagehide event on document.body to keep script running after the user had navigated away. Setting the handler on the body element...
Resident Plugin Execution via Background Navigation Caching
IE11 introduced background navigation caching, which was meant to freeze and hide a page when the user navigated away. I was lucky to find that this freeze didn't apply to plugins running inside...
DoS: execCommand CreateLink on Mixed-Style Selection
A brief crash report. Calling execCommand("CreateLink") on a text range that spanned both styled and unstyled text triggered a null pointer dereference in...
DoS: window.open on a Closed Window
A brief crash report. Calling open() on a window object after it had already been closed caused IE11 to access a null pointer and crash the tab.
Resident Script Execution via onbeforeunload/onunload
This one surprised me. By assigning any object (rather than a function) to window.onbeforeunload, and then using window.onunload for the real payload, script from the original page continued...
BlueHat Challenges for BlackHat
I was lucky to put together a set of JavaScript puzzle challenges for a BlueHat/BlackHat session. Each challenge explored a quirk or edge case in Internet Explorer that required creative thinking...
F12 DevTools Memory Panel Elevation of Privilege
I was lucky to find this one while looking at how the F12 memory profiler initialized its console object. The vulnerable code in perftools/memory/remote.js wrote directly to realWindow.console, and a...
F12 DevTools selectorText.split Elevation of Privilege
After playing around for a while with the F12 DOM Explorer, I found another spot where the tools consumed page-controlled data without proper isolation. This time the vulnerable line was in...
F12 DevTools querySelectorAll Elevation of Privilege
After playing around with IE's F12 developer tools for a while, I noticed that the DOM Explorer ran certain operations with elevated privileges. This one surprised me — by intercepting...
F12 DevTools DOM Explorer UXSS via Select Element
This one surprised me. While exploring how the F12 DOM Explorer stored selected elements, I realized that elements from cross-origin iframes were being placed into a shared array on the top window....
MSRC Variations Collection
At the end of this research cycle I compiled a collection of variations on previously reported bugs — techniques that were close enough to existing MSRC cases to warrant documenting as related...
F12 Developer Tools: RCE via addEventListener Override
The F12 Developer Tools in IE used addEventListener on the host page's window to communicate with the inspected tab. If a page overrides window.addEventListener, it intercepts F12's communication and...
IE11 Sandbox Bypass via New Link in allow-popups iFrame
A sandboxed iFrame with only allow-popups should be able to open links in new tabs, but the new window should remain sandboxed. On IE11 Blue build 9412, however, clicking a link from the sandboxed...
Windows 8 Managed Apps Penetration Test
A broader penetration test of Windows 8 managed (WinRT/C#/XAML) apps, examining how web content handled by WebView controls interacted with the managed app layer. The findings were documented and...
Windows 8 App Address Bar Spoof via eval Override (QQ)
In a Windows 8 WinJS app context, overriding the global eval method lets a hosted web page intercept calls the app framework makes internally — including the call used to retrieve...
Windows 8 App Security Review: 4 Additional Vulnerable Apps (April)
A follow-up to the April batch review, covering four additional Windows Store apps with security findings. A companion document also tracked apps reviewed in previous cycles. The issues found were...
Windows 8 App Security Review: 20 Vulnerable Apps (April)
In April 2013 I completed a survey of Windows Store apps and identified twenty that had exploitable security issues. The findings covered a range of vulnerability classes common to the WinJS app...
Address Bar Spoof via Mixed Document Modes and history.pushState
Mixing document modes between a parent page (running in IE5/quirks) and an embedded <object type="text/html"> (running in IE10) creates a situation where the inner frame's history.pushState affects...
Probably Exploitable Crash: getOwnPropertyNames on Destroyed iFrame
Inserting an iFrame whose src attribute is a javascript: URL that simultaneously destroys the iFrame and calls Object.getOwnPropertyNames(window) crashes the browser. The crash was classified...
OpenSearch Preview Pane: Local File Read, Full-Screen Popup, and Clipboard Access
When inside a search result page loaded via an OpenSearch provider with the preview pane enabled, the Trident instance runs with fewer restrictions than a normal web page. This unlocked three...
DoS via CSS Expression Error Loop
A CSS expression that throws a JavaScript error, combined with an onerror handler that writes a page reload script, creates an infinite loop that hangs the browser.
Information Disclosure: Detecting Visited URLs via CSS Expression Error Count
CSS expressions on visited links generate a different number of JavaScript errors than on unvisited ones. By counting errors via window.onerror and taking an average over repeated measurements, it is...