When an iframe was sandboxed with allow-scripts and allow-top-navigation, assigning a javascript: URL to parent.location was permitted — executing code in the parent's context. Interestingly,...
IE10 EoP: Calling scroll Methods on Behalf of Another Window Crashes Browser
Calling window.scroll, scrollBy, or scrollTo via .call() with a different frame's window as the this context caused IE10 to crash, with the crash triaged by !exploitable as PROBABLY_EXPLOITABLE.
IE10 DoS: AppCache Fallback with Auto-Refresh Crashes the Browser
Combining an AppCache manifest with a fallback entry and a meta-refresh tag caused IE10 to crash after a few reloads.
IE10 Address Bar Spoof via history.pushState and Reload
The history.pushState API in IE10 Preview 3 did not always refresh the address bar correctly when navigating back and forth. By pushing a redirect URL into the history and immediately reloading, the...
IE10 Sandbox Bypass: Navigating the Parent URL via History Methods
A sandboxed iframe with only allow-scripts is not supposed to be able to change its parent's URL. But any of the history navigation methods — history.back(), history.forward(), history.go() — could...
Persistent Keylogger via iFrame createPopup Survives Navigation
This one surprised me. By injecting an iframe into a newly opened window before it redirected to the target site, and then creating a createPopup from that injected frame, I could attach a keylogger...
Information Disclosure: Local Machine Name Shown in Blocked createPopup Infobar
When a createPopup call was blocked because the tab did not have focus, the Infobar that appeared to notify the user showed the local machine name instead of the URL of the page that triggered the...
IE9 DoS: createPopup with Plugin Crashes on iFrame Navigation
Rendering a Flash (or Silverlight) object inside an iframe's createPopup and then navigating that iframe while the popup was still visible caused IE9 to crash.
Silverlight 5 Security Findings: DoS, EoP, UXSS, and Persistence
During a focused review of Silverlight 5, I came across several interesting issues spanning denial of service, elevation of privilege, cross-origin access, and an unusual persistence technique. These...
MSRC 11355 Patch Bypass via createPopup on Destroyed iFrame
After a patch was issued for a createPopup security issue (MSRC 11355), I found a way to recreate the same effect by taking advantage of a timing window. When an iframe is destroyed by replacing its...
IE10 Sandbox Bypass via Flash GetURL with JavaScript Protocol
After loading, a sandboxed iframe with only allow-scripts could inject a Flash object that used the ActionScript GetURL method to execute JavaScript in the parent window. The Flash call was...
IE10 Sandbox Bypass via Windows Media Player launchURL
A sandboxed iframe restricted to only allow-scripts could open a fully unsandboxed window by inserting a Windows Media Player ActiveX object and calling its launchURL method. The new window opened...
IE10 Sandbox Multiple Flags Bypass via createHTMLDocument
A sandboxed iframe with only allow-scripts set could bypass restrictions on cookie access and same-domain content reads by creating a new document object through...
DoS: Loading an HTC Behavior on a createHTMLDocument Element Crashes IE
Assigning a CSS behavior (.htc file) to an element in a document created with document.implementation.createHTMLDocument crashed the browser.
EoP/RCE: Arbitrary Code Execution via InsertImage Internal Dialog
This was a variation of an earlier internal dialog elevation bug that still worked after the initial patch. By overriding removeAttribute on an element before calling...
UXSS: VBScript Error Bubbles Up to Expose Cross-Origin Constructor
This is a VBScript variant of a technique I explored with JavaScript errors. When a cross-origin iframe calls execScript with a VBScript block that attempts to access the parent window, the resulting...
XSS Filter Bypass by Spoofing the Referrer on Reload
The XSS filter in IE correctly blocks a reflected XSS attempt when it can see that the referrer matches the attacker's origin. This bypass exploited a subtle behavior: when a main page is reloaded,...
TP58 Drag and Drop Cross-Origin Bypass
This set of test cases explored whether content from a cross-origin iframe could be dragged and dropped into an editable element in the parent page. The baseline case showed that dragging XML content...
IE10 DoS: Dragging XML Content Crashes the Browser
This was a lucky strike: I stumbled upon the crash while testing something else entirely. Dragging text out of an <input> or <textarea> element inside an XML file caused IE10 Preview 2 to...
IE10 Sandbox Bypass via navigate.call(parent) with JavaScript Protocol
Similar to the window.open.call(parent) technique I found earlier, this variation used the navigate method with a javascript: URL called on behalf of the parent to execute arbitrary code in the...
IE10 Sandbox Multiple Flags Bypass via HTML Object Tag
Even with only allow-scripts enabled and all other sandbox flags absent, a sandboxed iframe could break out of all restrictions by injecting an HTML <object> element with type="text/html" after the...
IE10 Sandbox allow-same-origin Bypass via XML Island
A sandboxed iframe with only allow-scripts set is supposed to be unable to load or read same-domain content — XMLHttpRequest is correctly blocked. But the old IE-specific <xml> island element, when...
IE10 Sandbox Bypass via SVG JavaScript xLink
I was lucky to find this one. A fully sandboxed iframe — no flags at all — could execute JavaScript in the parent window simply by embedding an SVG file with a javascript: xlink targeting _parent....
IE10 Sandbox ms-allow-popups Bypass
While looking at the IE10 sandbox flags, I found two ways to open new windows from a sandboxed iframe even when ms-allow-popups was not set. Both techniques worked even across origins, which made...
IE10 Workers Load Redirected URL (Cross-Origin)
The W3C spec requires Web Workers to be same-origin, and IE10 Preview 2 enforced that correctly — until I tried using a server-side redirect. A worker created from a same-origin URL that immediately...
UXSS: Mixing Document Mode Across Tridents Using MHT
This one surprised me. By embedding an MHT file that forced a lower document mode (IE7 emulation) and then placing a cross-origin iframe inside it, I found that errors triggered when the inner frame...
IE10 Sandbox Bypass Using a Window as a Bridge
After playing around with the IE10 sandbox for a while, I noticed that a fully sandboxed iframe could be used as a stepping stone to access the parent DOM through a modeless dialog. The trick was to...
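The sandbox entries above (parent.location and navigate.call(parent) with a javascript: URL, the history-method escape, the allow-same-origin bypasses via XML island and createHTMLDocument, the ms-allow-popups bypass, and the window-as-a-bridge trick) all come down to one question: with a given set of sandbox flags, what can script inside the frame still reach? The page below is an added example, not the original author's test code, that asks that question of whatever browser loads it. It uses only standard APIs (iframe sandbox and srcdoc, postMessage, fetch) and does not attempt the IE-specific ActiveX or plugin routes; the names HARNESS_URL, FLAG_SETS, CHILD_SCRIPT and __escapedBy are this example's own.

```html
<!DOCTYPE html>
<meta charset="utf-8">
<title>iframe sandbox escape probe harness</title>
<!-- Added example harness (not the original author's code). Load it in a browser,
     ideally served over http(s). It creates one sandboxed iframe per flag set,
     runs the probes inside it and prints what happened. -->
<pre id="log">running...</pre>
<script>
"use strict";

// Flag sets to test. "" is a fully sandboxed frame: no script runs there, so the
// child cannot report and that row is expected to time out.
const FLAG_SETS = [
  "",
  "allow-scripts",
  "allow-scripts allow-top-navigation",
  "allow-scripts allow-popups",
];

// Script run inside every child frame. Each probe is one escape route from the
// entries above: same-origin DOM, cookie and fetch access, navigating the parent
// to a javascript: URL, and opening a window on the parent's behalf. Results are
// reported neutrally ("returned ..." or "threw ...") and interpreted by the reader:
// a SecurityError means the sandbox held.
const HARNESS_URL = JSON.stringify(location.href);   // baked into the child script
const CHILD_SCRIPT = `
(async () => {
  const out = {};
  const run = async (name, fn) => {
    try { out[name] = "returned " + String(await fn()); }
    catch (e) { out[name] = "threw " + e.name; }
  };
  await run("read parent.document.title", () => parent.document.title);
  await run("read document.cookie", () => JSON.stringify(document.cookie));
  await run("fetch the harness URL", async () => (await fetch(${HARNESS_URL})).status);
  await run("parent.location = javascript: URL", () => {
    // If this ever executes in the parent, the parent sees window.__escapedBy.
    parent.location = "javascript:window.__escapedBy='location-javascript';void 0";
    return "no exception (see parent-side check)";
  });
  await run("window.open.call(parent, about:blank)", () => {
    const w = window.open.call(parent, "about:blank");
    if (w) w.close();
    return w ? "a window" : "null";
  });
  // Give a queued javascript: navigation time to run before reporting.
  await new Promise(r => setTimeout(r, 200));
  parent.postMessage({ probes: out }, "*");
})();
`;

const log = document.getElementById("log");

// Run one flag set: build the frame, wait for the child's report (or a timeout),
// then append the parent-side verdict on the javascript: URL probe.
function runFlagSet(flags) {
  return new Promise((resolve) => {
    const frame = document.createElement("iframe");
    frame.setAttribute("sandbox", flags);   // must be set before the first load
    frame.srcdoc = "<script>" + CHILD_SCRIPT + "<\/script>";
    const timer = setTimeout(() => finish({
      "(no report)": "child did not report within 2 s (scripts blocked, or frame navigated away)",
    }), 2000);
    function onMessage(ev) {
      if (ev.source === frame.contentWindow && ev.data && ev.data.probes) finish(ev.data.probes);
    }
    function finish(probes) {
      clearTimeout(timer);
      window.removeEventListener("message", onMessage);
      probes["javascript: URL ran in parent context"] = window.__escapedBy ? "YES (escape)" : "no";
      delete window.__escapedBy;
      frame.remove();
      resolve(probes);
    }
    window.addEventListener("message", onMessage);
    document.body.appendChild(frame);
  });
}

// Flag sets run one after another so the __escapedBy marker is unambiguous.
(async () => {
  let text = "";
  for (const flags of FLAG_SETS) {
    const probes = await runFlagSet(flags);
    text += 'sandbox="' + flags + '"\n';
    for (const [name, outcome] of Object.entries(probes)) {
      text += "  " + name.padEnd(44) + outcome + "\n";
    }
  }
  log.textContent = text;
})();
</script>
```

Reading the output: "threw SecurityError" on the DOM, cookie or location rows means the sandbox stopped that route; "returned null" from window.open is usually the popup blocker rather than the sandbox, so repeat that row from a click handler if the distinction matters; a fetch that throws TypeError when the page is opened from file:// says nothing about the sandbox. The history.back() route from the entry above is deliberately not probed, because a successful traversal would navigate the harness itself away before it could report.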
IE9: Bypassing iFrame security=restricted via XML Stylesheet
The security="restricted" attribute on an iFrame is supposed to prevent any script execution inside it. I found that loading an XML document with an external XSL stylesheet inside such a restricted...
DoS: Silverlight Content Object Cached Across Page Reload
I was exploring whether the cached-object pattern that worked with Flash and iframe Document references also applied to Silverlight plugin objects. It did, and with an interesting twist: caching the...
X-Frame-Options Header Bypass via XML Stylesheet
The X-Frame-Options header is supposed to prevent a page from being embedded in an iFrame on another domain. I found that loading XML content inside an iFrame and referencing the protected URL as the...
IE9 DoS: Executing a Script in a Cached HTC Document After It Is Destroyed
This crash involved HTC (HTML Component) files and their cached document objects. By saving a reference to an HTC document, changing the behavior URL to destroy the cached document, and then...
Drag-Jacking: Capturing Cross-Domain Data via a Drag-and-Drop Game
This one was interesting to put together. The idea is to disguise a cross-origin drag-and-drop data capture as a fun basketball game. A transparent textarea sits over the game area, and when the user...
IE9/IE10: History Sniffing via Copy-Paste Color Change
This was a novel history-sniffing technique that used the clipboard rather than CSS color measurements. When you select part of a hyperlink's text and paste it back onto itself inside a visited link,...
UXSS: Caching the ActiveXObject Constructor Across a Redirect
This UXSS worked by saving a reference to the ActiveXObject constructor inside an iFrame before it redirected to a target domain, and then using that cached constructor after the redirect to create...
Pseudo-UXSS: external.returnValue Shared Across Domains in Modal Dialogs
This is what I would call a cooperative or pseudo-UXSS: both parties need to be set up for it to work, so it requires the attacker to control at least part of the modal dialog's content. The...
UXSS: createElement Cached Reference Survives Redirect
Another variation on the cached-reference UXSS theme. This time the object that survives navigation is a plain DOM element created with createElement. After inserting the element into the window's...
IE9 EoP: Crashing the Browser by Resizing a Persistent createPopup
After discovering that persistent createPopup windows survive navigation, I found that trying to resize one manually would crash the browser. The popup shown before the redirect has resize handles...
IE9 Crash: Resizing a createPopup Belonging to a Dead IFrame
By opening a modeless dialog from within an IFrame, saving a pointer back to the IFrame, and then reloading the main window (which destroyed the IFrame), the modeless dialog could create a...
IE9: Persistent createPopup Acts as a Keylogger Across Navigation
Building on the earlier resident-popup findings, I put together a demonstration showing that a createPopup created before a redirect can capture keystrokes typed into the redirected page. The popup...
EoP: Destroying an htmlFile Reference While Its Trident Is Refreshing
This crash was surprisingly compact. Creating an htmlFile ActiveXObject, initializing its Trident with open()/close(), executing a Refresh command, and then immediately deleting the reference caused...
IE8: User Style Sheet Bug Crashes on SELECT Element Expansion
This was an exploitable crash triggered by a user style sheet interaction with a SELECT element. Simply expanding a dropdown SELECT widget on a page that had a particular style sheet applied would...
EoP: Windows Media Player launchURL Crash via Intentional Failure
This crash required an unusual setup: the Windows Media Player control in an iFrame on a different domain from the top window, calling launchURL repeatedly in a way that would always fail to...
WMP Popup Blocker Bypass via scriptcommand in WMV or launchURL
The Windows Media Player ActiveX control had two ways to open a URL that both bypassed IE's popup blocker: a scriptcommand embedded inside a WMV file, and the launchURL method called directly from...
Resident Cached createPopup Document Survives Redirect
This is a variant of the cached-object redirect pattern. Instead of caching a collection like styleSheets, I saved a reference to a createPopup document object before the containing window redirected...
UXSS: Cached document.styleSheets and document.selection Survive Redirect
This UXSS relied on the fact that certain live collections returned by the DOM — specifically document.styleSheets and document.selection — remain valid and readable after the window they came from...
IE9 DoS: Object.defineProperty Crashes the Properties Dialog
This was a simple interaction between Object.defineProperty and IE's context-menu Properties dialog. Redefining documentElement on an iFrame's document via a getter, and then asking IE to show the...
IE9 EoP: Arbitrary Code Execution via Internal InsertImage Dialog
This was a creative path to code execution. IE's internal InsertImage dialog (invoked via document.execCommand("InsertImage", ...)) uses removeAttribute on image elements to clean up after itself. By...
IE9: createPopup Inside a XAML Frame Covers the Entire Screen
This was a UI containment issue. A createPopup created from inside an HTML frame embedded in a XAML document is not constrained to the browser window — it can be sized to cover the entire screen....
IE9 EoP: Execute Window Method After the Page Has Navigated Away
Timing was the critical element here. By saving a reference to window inside an iFrame, immediately navigating the iFrame away, and then calling a method on the saved reference inside a try/catch,...
IE9 EoP: Execute Window Method After Page Has Gone (Variant)
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.