IE9's InfoBar (the yellow notification bar) was supposed to show the domain of the page that triggered a blocked popup. By calling window.open() eleven or more times, the InfoBar's domain cache...

One of the more direct UXSS patterns: caching the window property of a same-origin IFrame and then redirecting the IFrame cross-origin left a live window reference that could read the new document's...

Storing a window method as an element inside a native JScript Array object, then reloading the IFrame that owned the window, and finally calling the cached method through the array caused a crash in...

Setting a built-in window method to null and then calling it inside a modeless dialog caused a crash in IE. The engine did not validate that a method was still callable before dispatching through the...

Opening a modeless dialog and then accessing the onmessage property of the opener window from within the dialog's script context caused a crash in IE9.

The htmlFile ActiveX object creates a hidden in-process HTML document. By having an IFrame write to it, reloading it twice in quick succession, and then reading its body, I was able to access content...

Caching the window reference of an IFrame, calling execScript on it to prime the scripting engine, and then destroying the IFrame's DOM node before calling location.reload() on the cached window...

The IE9 XSS filter blocked reflected <script> tags, but it did not account for the defer attribute. A <script defer> tag containing the injected payload was not matched by the filter's pattern,...

Caching the document object from an IFrame and then destroying the IFrame via outerHTML replacement left a dangling document reference. Writing to the body of that stale document caused an access...

Another of the three crashes found on 2010-05-17. Caching a Range object obtained via getSelection().getRangeAt(0) from an IFrame and then reloading that IFrame left a range pointing into freed...

The third crash from 2010-05-17 was the simplest of the batch. An HTML file containing only a bare <svg> tag with the XML namespace declaration was enough to crash the IE9 beta.

A variant of the cached-collection UXSS: caching a reference to a constructor function (Image, Option, XMLHttpRequest) from a same-origin IFrame, then redirecting the IFrame cross-origin, left a...

Two document.execCommand variants could be used to inject content or create links in the context of a cross-origin IFrame. The InsertImage variant worked by placing a contentEditable IFrame on an...

Silverlight's enableHtmlAccess parameter was intended to allow a trusted Silverlight application to interact with its hosting HTML page. When set to true for a cross-origin .xap file, it effectively...

IE had a registry-based feature control, FEATURE_VIEWLINKEDWEBOC_IS_UNSAFE, that was supposed to prevent certain WebOC navigation abuses. When PresentationHost.exe (the Silverlight host) was not...

This was a remote code execution finding in a SharePoint component that exposed the WebBrowser control (WebOC) to web content via a CFD (Client-side Framework for DHTML) integration. The Navigate2...

A follow-up to the earlier 60 MB view-source crash, this time with a 70 MB buffer to confirm the issue was reproducible and to test whether the increased size changed the crash characteristics.

A Perl script generated an HTML file with a 60 MB junk buffer inside an HTML comment. Opening this file normally worked fine, but choosing "View Source" caused an access violation in IE that...

By overriding a method on a same-origin IFrame's window before redirecting it to another domain, I could inject a function that would fire in the new cross-origin context when the method was...

While testing Silverlight in Chrome 4.0.249.78, I stumbled across four Chrome-specific issues that were unrelated to Silverlight itself. They are a good reminder that security testing one component...

Caching a reference to document.all from a same-origin IFrame before redirecting it to a different domain left a live collection object that still pointed into the new document's DOM. Accessing...

This was an address bar spoofing technique that worked by intercepting the page's own unload event, stopping the navigation, and immediately reloading with modified content. The result was a page...

By attaching a behavior:url(...) to a <link> element pointing at a file:// URL and counting the number of scripting errors thrown, a page could determine whether a specific file existed on the local...

MHTML (MIME HTML) files can contain multiple parts in a single response, similar to a multipart email. I found that loading an MHTML file in an IFrame and then enumerating the IFrame window's...

Similar in spirit to the Flash IFrame residency bug from a few weeks earlier, this one used an HTML Object element instead. By saving a pointer to a member on the object's window before destroying...

A Flash movie loaded inside an HTML Object element (rather than directly embedded) could use getURL with a javascript: URL and have that script execute in the context of the parent page, not the...

IE was supposed to mask the real file system path when a user selected a file via <input type="file">, substituting C:\fakepath\filename. I found that selecting the text in the input element and then...

Creating a popup from inside an IFrame, then navigating that IFrame away while the popup was still visible, left an orphaned popup window. Manually resizing it afterward triggered an access violation...

This entry contained two distinct crashes involving createPopup() and page lifecycle events. Both exploited the fact that hiding or focusing a popup at exactly the wrong moment during navigation...

This was a demonstration prepared for a colleague, Spencer Low, showing how an attacker could overlay a transparent IFrame over a trusted page and capture clicks intended for it. The victim site was...

A straightforward pattern that turned out to be surprisingly reliable: cache a reference to an IFrame's window, destroy the IFrame by replacing its HTML, then call any window method through the...

HTC (HTML Component) behaviors in IE gave elements a secondary document context. I found that if an opener window held a reference to an HTC element's document and then reloaded that document,...

This was an EXPLOITABLE-rated crash in IE8. An HTML Object element contained an inner document with its own IFrame, and caching a reference to the nested window's open method before destroying the...

While poking at how IE handled documents inside Flash-embedded iFrames, I noticed that grabbing a pointer to the document before navigating away kept some very lively references around. Setting a...

Saving a pointer to the Document of an iframe that contains a Flash file, and then closing the window that hosted it, crashes IE7 and IE8 in Protected Mode. The crash lands in Flash itself...

A penetration test of Silverlight 4 uncovered a cluster of serious issues in the WebBrowser control (WebOC) that Silverlight exposed to web content. These ranged from cross-origin script injection to...

A collection of proof-of-concept findings from the first Silverlight 4 security assessment. The compiled SL4_PoCs.xap contains the Silverlight-side code; the HTML files demonstrate three distinct...

The IE Feeds WebBrowser control generates a nested iframe when rendering feed content. The open method of that inner iframe is not properly sandboxed — it can load local files. Calling...

Loading a non-HTML file (XML feeds, XAML, XPS, SWF, etc.) inside an iframe that lives inside an OBJECT element inside a createPopup() popup, and then navigating that iframe via window.open, crashes...

Loading a binary file (exe, zip, etc.) inside an OBJECT element and then reloading its contents via parentWindow.location.reload() crashes IE8 with a PROBABLY_EXPLOITABLE write near NULL in...

Loading a XAML file that contains an iframe pointing to another XAML file causes a crash in the WPF rendering pipeline.

Loading feeds XML in an iframe causes IE to render it in a special WebBrowser control. Clicking a feed title loads a regular HTML page inside that WebBrowser. Saving a reference to window.open from...

A security assessment of WPF 4 Beta 2 browser-hosted applications. The findings are archived in the wpf4_pentest.zip file. This was part of ongoing XBAP/WPF security work during the WPF 4 pre-release...

The pop-up blocker normally allows exactly one window per user interaction. This bypass opens multiple windows from a single click by: (1) freezing the original click event using a modal dialog, and...

Loading an HTML page inside a XAML Frame element (which IE wraps in an auto-generated OBJECT tag), then destroying that OBJECT tag while keeping the inner HTML page alive, allows the script in the...

Loading an RSS/Atom feed inside an iframe and pressing F12 to open IE8 Developer Tools triggers an access violation in iedvtool!CDOMNodeContainer::LoadChildDocument+0x178. The crash reads from...

The WMPlayer.ocx ActiveX object's network.sourceProtocol property reveals whether a local file path exists and is loadable. Setting wmp.URL to a local path and checking sourceProtocol after a short...

While exploring the frozen-event technique, I discovered that IE fires undocumented event types when certain dialogs open. The event object during an alert() has type "showmessage" and exposes...

Any page can change IE's optical zoom level — and the setting persists across restarts — using ExecWB with OLECMDID_OPTICAL_ZOOM. This can be done from inside an iframe and affects every new tab and...

When an iframe shows a context menu or modal dialog, it freezes — and the event that caused the freeze is also frozen. At that exact moment, the cached event object of the parent window gets replaced...