Browser Experiments

A collection of browser experiments from 2006 to present. Security vulnerabilities documented here are historical findings — all patched long ago. Other experiments may still work, and that is often the point.

UXSS / SOP Bypass (109)
Date     Experiment
May 2017 SOP bypass / UXSS - Stealing Credentials Pretty Fast (Edge)
Apr 2017 SOP bypass / UXSS - Tweeting like Charles Darwin (Edge)
Apr 2017 SOP bypass courtesy of the reading mode (Edge)
Mar 2017 SOP bypass / UXSS - More Adventures in a Domainless World (IE)
Feb 2017 SOP bypass / UXSS htmlFile in IFrame (IE)
Dec 2016 SOP bypass / UXSS - Adventures in a Domainless World (Edge)
Sep 2016 Workers SOP Bypass importScripts and baseHref (Edge/IE)
May 2014 UXSS: Injected iFrame + Server Redirect + javascript: Location
Apr 2014 UXSS: htmlFile ActiveX + about:blank Meta-Refresh + Link Click
Mar 2014 UXSS: X-Content-Security-Policy Sandbox + Cached window.open + xml Script Tag
Feb 2014 UXSS: iFrame javascript: URI Executes in base href Origin
Feb 2014 UXSS: New Window javascript: URI Executes in base href Origin
Dec 2013 UXSS: Free Code Execution in the res:// Domain via InsertImage
Dec 2013 UXSS via iFrame document Cached in modelessDialog returnValue
Nov 2013 UXSS via XSLT Script and Base Href Origin Confusion
Nov 2013 UXSS on IE11: Domainless about:blank Full Cross-Origin Access
Oct 2013 UXSS via Cached External Object in modelessDialog
Sep 2013 UXSS via Domainless about:blank and htmlFile ActiveX
Jul 2013 F12 DevTools DOM Explorer UXSS via Select Element
Mar 2013 UXSS via Cached createRangeCollection After Redirect
Mar 2013 UXSS via iFrame getSelection After Redirect
Mar 2013 UXSS via createRange Duplicate and Function Constructor
Mar 2013 UXSS via Known Named Element in Cached Forms Collection
Mar 2013 UXSS via iFrame Redirect and location javascript Protocol
Mar 2013 IE11 UXSS via replaceState Spoof and New Window
Mar 2013 UXSS via Cached DOMParser Instance After Redirect
Feb 2013 UXSS via Cached childNodes and Web Worker — IE10/IE11 Variant
Feb 2013 IE10 UXSS: Sandbox Headers Paradox
Oct 2012 IE10 UXSS via Injected JavaScript Link
Aug 2012 IE10 UXSS via Cached childNodes and New Thread
Jul 2012 IE10 UXSS via Cached document.all and New Thread
Jun 2012 IE10 UXSS: New Window pushState + designMode + Back Button Gives Cross-Origin DOM Access
Jun 2012 IE10 UXSS: Sandbox Paradox — javascript: URL in Sandboxed iframe Gives Cross-Origin DOM Access
May 2012 IE10 UXSS: pushState + Redirect + history.back() Retains Cross-Origin DOM Access
May 2012 UXSS: Meta-Refresh to about:blank Inherits Parent Domain Instead of iframe Domain
May 2012 IE10 UXSS: Caching document.all from New Window Before Server Redirect
Feb 2012 IE10 UXSS: XMLHTTP in Redirected iframe with designMode Accesses Cross-Origin Content
Feb 2012 IE10 UXSS: createPopup document.write in Redirected iframe Changes Popup Origin
Jan 2012 UXSS: Caching Modal External Object and Sharing document via returnValue
Dec 2011 IE10 UXSS: Caching document.all Collection Survives Server Redirect
Dec 2011 IE10 UXSS: Caching Window Reference via HTC in Math Object Survives Redirect
Dec 2011 IE10 UXSS: Cached XHR Object Retains Cross-Origin Access After Redirect
Dec 2011 IE10 UXSS: Blob URL Entropy Is Low Enough to Brute-Force Cross-Origin Image Data
Jul 2011 UXSS: VBScript Error Bubbles Up to Expose Cross-Origin Constructor
Jun 2011 UXSS: Mixing Document Mode Across Tridents Using MHT
May 2011 UXSS: Caching the ActiveXObject Constructor Across a Redirect
May 2011 Pseudo-UXSS: external.returnValue Shared Across Domains in Modal Dialogs
May 2011 UXSS: createElement Cached Reference Survives Redirect
Apr 2011 UXSS: Cached document.styleSheets and document.selection Survive Redirect
Feb 2011 IE9 UXSS: Resident createPopup Function Call
Jan 2011 IE9 UXSS: Generate Error to Grab the Error Handler's Caller Function
Dec 2010 IE9 UXSS: window.open Redirect with setTimeout Code Execution
Nov 2010 IE9 UXSS: Location.prototype.replace Intercepts Cross-Origin Frame-Breaking
Nov 2010 Drag-Drop UXSS Attempt (Unfinished)
Oct 2010 IE9 UXSS: Generate an Error in an IFrame and Grab the Exception Object
Oct 2010 IE9 UXSS: Window Members Set in onunload Persist Across Cross-Origin Navigation
Sep 2010 IE9 UXSS: location.replace with javascript: URL Bypasses Protocol Safety
Sep 2010 IE9 UXSS: Free Access to Non-HTML IFrame Content from Inline Events
Sep 2010 IE9 UXSS: location Object Called as a Function Bypasses javascript: Protocol Safety
Sep 2010 UXSS: Cached childNodes Collection Survives Cross-Origin Redirect
Sep 2010 IE9 UXSS: Object.defineProperty Intercepts Cross-Origin Navigation
Aug 2010 IE9 UXSS: Reading Non-HTML IFrame Content from an Inline Event Handler
Aug 2010 IE9 UXSS: Getting Function Constructor from a Cached location.replace
Aug 2010 IE9 UXSS: Overriding Window Methods or Getting Function via Constructor
Aug 2010 IE9 UXSS: document.execCommand InsertImage Injects into Cross-Origin IFrame
Jul 2010 IE9 UXSS: Accessing Cross-Origin Content via window.self
Jun 2010 IE9 UXSS: Classic Window Object Caching After Cross-Origin Redirect
Jun 2010 IE9 UXSS: htmlFile ActiveX Object Double-Reload Redirect
May 2010 UXSS: Cached Constructor Object Survives Cross-Origin Redirect
Apr 2010 UXSS: InsertImage and CreateLink execCommand Bypass Same-Origin Policy
Apr 2010 UXSS via Silverlight enableHtmlAccess
Feb 2010 UXSS: Overriding a Trident Method on an IFrame Before Redirect
Jan 2010 UXSS: Cached document.all Collection Survives Cross-Origin Redirect
Jan 2010 Pseudo-UXSS via Multipart MHTML IFrame
Dec 2009 UXSS: Flash getURL Executes in Parent Context via HTML Object
Jul 2009 UXSS via Frozen IFrame Cached Event
May 2009 UXSS via Silverlight Cached Method InvokeSelf
Mar 2009 UXSS — IE8 defineProperty Accessor Survives Cross-Origin Redirect
Mar 2009 Pseudo-UXSS — Injecting Variables into a Cross-Origin Window via Delayed Redirect
Feb 2009 UXSS via offsetParent as frameElement
Feb 2009 UXSS via setCapture and offsetParent (Superseded)
Nov 2008 UXSS via CreateLink execCommand Across Origins
Nov 2008 UXSS via InsertImage execCommand Across Origins
Feb 2008 UXSS via Silverlight onLoad Argument Bypassing Cross-Origin Check
Oct 2007 UXSS Simplification (WOOBR 977211): Cached SWF Document Without Reload
Oct 2007 UXSS (SOP Bypass Attempt): IE 5.5 document.URL Set to about: Script
Oct 2007 UXSS via XAML Frame: document.URL about: Script Injection
Sep 2007 UXSS: IE7 + Flash 9 getURL GET Method Allows Cross-Origin Script Injection
Sep 2007 UXSS Using Flash getURL POST Method
May 2007 UXSS Variation: Cached window.open with setCapture Across All Pages
Apr 2007 UXSS via Cached Non-HTML Document and Page Reload
Apr 2007 UXSS - Cached contentWindow frameElement
Apr 2007 UXSS - HTC setCapture Variation - Case 6445
Apr 2007 UXSS - SWF frameElement
Apr 2007 UXSS - XAML frameElement
Apr 2007 UXSS - XML Feeds frameElement
Apr 2007 UXSS - MHT frameElement
Apr 2007 UXSS - Masked WebBrowser Control Cached Window
Mar 2007 IE7 UXSS - Read Local Files and URLs Through Feeds
Feb 2007 userControl Cached Document UXSS
Feb 2007 UXSS - Navigator Shared Properties and Methods
Jan 2007 UXSS Using Excel Control
Jan 2007 UXSS - Pseudo Cross-Domain Scriptlet Component
Jan 2007 UXSS Using Just htmlFile
Dec 2006 Address Bar Spoof IE7 - UXSS Needed
Nov 2006 UXSS - Pseudo Cross-Domain
Nov 2006 UXSS Using BaseHref Redirect and createPopup
Oct 2006 mHTML URL Spoof - ReadFile - UXSS
Feb 2006 UXSS via OBJECT + createPopup + IFRAME (MSRC 6417)
DoS / Crash (107)
Date     Experiment
Feb 2014 DoS: execCommand EditMode from HTC Behavior File
Feb 2014 DoS: WMP Object Inside createPopup, Hidden Immediately
Feb 2014 DoS: Windows Media Player launchURL from Cross-Origin iFrame
Jan 2014 DoS: Accessing Cached Element Collection After Page Redirect
Nov 2013 DoS: document.open/close on createHTMLDocument or XHR Response Document
Oct 2013 DoS: Accessing Destroyed Intl Object After iFrame Navigation
Oct 2013 DoS: Loading MHTML Protocol URL in an iFrame
Oct 2013 DoS: modelessDialog Redirect with Simultaneous Alert
Oct 2013 DoS: Loading an MP3 Inside a Sandboxed iFrame
Oct 2013 DoS: designMode + document.open from iFrame Crashes Browser
Oct 2013 DoS: Loading Any URL via the MHTML Protocol Handler
Oct 2013 DoS: Opening and Immediately Closing an RSS Feed Window
Sep 2013 DoS: createPopup screenLeft Null Pointer
Aug 2013 DoS: execCommand CreateLink on Mixed-Style Selection
Aug 2013 DoS: window.open on a Closed Window
Mar 2013 DoS via CSS Expression Error Loop
Mar 2013 DoS Crash: ondragstart with document.open in Input Box
Feb 2013 IE11 DoS via window.URL.createObjectURL
May 2012 IE10 DoS: Cached document.links Collection After Redirect Crashes in jscript9 CrossSite Marshal
May 2012 IE10 DoS: pushState to mhtml: URL Then window.open Crashes in urlmon StrCmpCW
Apr 2012 IE10 DoS: msSetPointerCapture on Destroyed Element Crashes on Scrollbar Mouseover
Mar 2012 IE10 DoS: Script Element Appended to createHTMLDocument Crashes Browser
Feb 2012 IE10 DoS: Loading HTC Behavior from Blob URL via Server Redirect Crashes Browser
Feb 2012 IE10 DoS: Blob URL in showModalDialog Creates Invisible Modal That Locks the Browser
Dec 2011 IE10 DoS: Injected iFrame Redirect + Calling Non-Existent Method Triggers Stack Buffer Overrun
Dec 2011 IE10 DoS: createPopup setInterval Crashes Browser After Redirect
Dec 2011 IE10 DoS: Web Worker Sending XHR to a Blob URL Crashes the Browser
Dec 2011 IE10 DoS: document.normalize() Crashes the Browser
Nov 2011 DoS: Serving Different MIME Types to PresentationHost Crashes XBAP Loading
Nov 2011 DoS: Setting designMode on a Non-HTML Window Crashes the Browser
Nov 2011 IE10 DoS: Setting designMode in an HTC Behavior Crashes Browser
Oct 2011 IE10 DoS: Calling document.open/close on Keypress in a Textarea Crashes Browser
Sep 2011 IE10 DoS: AppCache Fallback with Auto-Refresh Crashes the Browser
Aug 2011 IE9 DoS: createPopup with Plugin Crashes on iFrame Navigation
Jul 2011 DoS: Loading an HTC Behavior on a createHTMLDocument Element Crashes IE
Jul 2011 IE10 DoS: Dragging XML Content Crashes the Browser
Jun 2011 DoS: Silverlight Content Object Cached Across Page Reload
Jun 2011 IE9 DoS: Executing a Script in a Cached HTC Document After It Is Destroyed
May 2011 IE9 Crash: Resizing a createPopup Belonging to a Dead IFrame
Mar 2011 IE9 DoS: Object.defineProperty Crashes the Properties Dialog
Jan 2011 IE9 DoS: parent.document.open from an iFrame
Jan 2011 IE9 DoS: Executing a Method on a Closed Window
Dec 2010 IE9 DoS: document.open on a New Trident Instance
Dec 2010 IE9 DoS: xEval on Any Document Method
Nov 2010 IE9 Crash (Deadcall): appendChild on a Dead createDocumentFragment
Nov 2010 IE9 Crash (Deadcall): Calling show() of a Dead createPopup via Function.call
Nov 2010 IE9 Crash (Deadcall): cloneRange on a Dead Range
Nov 2010 IE9 Crash (Deadcall): toString on a Dead Selection Range
Nov 2010 IE9 Crash: D3D VMware Driver Fault on Window Open and Navigate
Nov 2010 IE9 Crash: Enumerating Properties of a Non-HTML Object Element
Sep 2010 IE9 Crash: Calling document.open on a createPopup Document
Aug 2010 IE9 Crash: Getting the Function Object from a Cached Document Method
Jul 2010 IE9 Crash: XML Script Tag Written into an IFrame
Jul 2010 IE9 Crash: Accessing SVG viewport Property from DOMParser
Jul 2010 IE9 Crash: Inline document.write with createPopup in setInterval
Jul 2010 IE9 Crash: Accessing Opener Window Object Repeatedly from Modeless Dialog
Jun 2010 IE9 Crash: Window Method Cached Inside a Native JScript Object
Jun 2010 IE Crash: Calling a Nulled Window Method in a Modeless Dialog
Jun 2010 IE9 Crash: Accessing onmessage from a Modeless Dialog
May 2010 IE9 Crash: Reloading an IFrame After Destroying It
May 2010 IE9 Crash: Accessing a Document After Its IFrame Is Destroyed
May 2010 IE9 Crash: Using a Selection Range After Window Reload
May 2010 IE9 Crash: A Lone SVG Tag
Feb 2010 IE Crash: Access Violation When Viewing Source of a 60 MB HTML Comment
Dec 2009 IE Crash: Resizing a createPopup After Its Window Is Gone
Dec 2009 IE Crash: createPopup Hide-and-Seek During Navigation
Nov 2009 IE Crash: Calling Window Methods After Destroying an IFrame
Nov 2009 IE8 Crash: Accessing an HTC Document After Reload
Nov 2009 IE8 Crash: Cached Window Methods from an HTML Object's IFrame
Oct 2009 IE DoS — Destroy Cached Flash IFrame Document
Oct 2009 IE8 DoS — Non-HTML Content Opened in createPopup OBJECT
Sep 2009 IE8 DoS — Reload Binary File in OBJECT Element
Sep 2009 DoS — XAML Nested in XAML via IFrame
Sep 2009 IE DoS — Cached window.open from Feeds IFrame Context
Jul 2009 IE8 DoS — Access Violation in DevTools with Framed Feeds
Jun 2009 Silverlight 3 DoS — Uncaught Exception in CallMethod
Jun 2009 IE DoS — dataTransfer.setData with Invalid URL
May 2009 IE8 DoS — Cached Image Constructor After Iframe Reload
May 2009 Silverlight 3 DoS — Destroy Control While Update Dialog Is Open
May 2009 Silverlight 3 DoS — Destroy Object During Install Dialog
Apr 2009 IE8 DoS — XAML insertObject Crash
Mar 2009 IE8 DoS — Prototype Property Crash on Properties Dialog
Mar 2009 DoS — X-Frame-Options Reload Crash
Feb 2009 DoS — X-Frame-Options Location Navigation Crash
Feb 2009 DoS — htmlFile with Invalid Protocol and WMP launchURL
Dec 2008 DoS: Reusing a Cached window.open Reference After Navigation
Dec 2008 IE8 DoS — Feeds XML Inside Iframe with Nested Iframe
Nov 2008 IE7 DoS via ExecWB OLECMDID_GETZOOMRANGE Missing Argument
Oct 2008 DoS: IE8 Crashes via createPopup and SCRIPT DEFER
Sep 2008 DoS: IE7 Crashes When Writing Flash via innerHTML on ONKEYPRESS
Aug 2008 DoS: IE8 Crashes When Viewing Properties After Prototype Modification
Feb 2008 DoS: Silverlight Crash via Enumerator on userControl
Feb 2008 DoS: Silverlight Crash via innerHTML on Its Container
Oct 2007 DoS: IE7 Crash via Cached SWF Document and res:// Protocol Navigation
Sep 2007 DoS: createPopup Chain with Windows Media Player innerHTML
May 2007 DoS - Frozen IE - userControl Run Two Forms
May 2007 DoS: Cached Non-HTML Document Reloaded Twice
Apr 2007 DoS - IE7 Close Browser via Enumerator Application
Apr 2007 DoS - HTC Cached Document
Apr 2007 DoS - WPFE Cached OnError Handler
Apr 2007 DoS - IE7 Dead IFRAME Access
Apr 2007 DoS - designMode DTD XHTML
Mar 2007 DoS - IE7 onBeforeUnload document.write
Feb 2007 DoS - IE7 Cached Methods from Window Object
Feb 2007 DoS - document.execCommand SaveAs
Feb 2007 DoS - IE7 Close Window No Prompts
Feb 2007 DoS - htmlFile Blank Object Eval Stress CPU
Resident Scripts (35)
Date     Experiment
Feb 2017 The Attack of the Alerts and the Zombie Script (IE)
Apr 2014 Resident Script Execution via Cached iFrame window.open
Apr 2014 Resident Script Execution via HTML Object Element and createPopup
Nov 2013 Persistent Keylogger via Resident createPopup
Nov 2013 Resident Script via htmlFile ActiveXObject in New Tab
Nov 2013 Resident Script via Web Worker Spawned in onpagehide
Sep 2013 Resident Script via HTML Object External Reference
Aug 2013 Resident Script Execution via onpagehide
Aug 2013 Resident Plugin Execution via Background Navigation Caching
Aug 2013 Resident Script Execution via onbeforeunload/onunload
Mar 2013 Resident Script via createElement Object Self-Pointer
Feb 2013 IE10 Resident Script via Cached iFrame window.open
Sep 2012 IE10 Resident Script via ActiveX htmlFile
Apr 2011 Resident Cached createPopup Document Survives Redirect
Feb 2011 IE9: Resident createPopup Persists After the Browser Is Closed
Oct 2010 IE9: Staying Resident and Capturing Keystrokes via Zombie IFrame and createPopup
Dec 2009 Staying Resident via a Destroyed HTML Object
Nov 2009 Staying Resident via a Cached Flash IFrame Document
Aug 2009 Resident Script via XAML Frame — Destroy the Object Tag
May 2009 Resident Script via Cached IFrame open Method
Apr 2009 IE Resident Script via createElement OBJECT Self-Reference
Mar 2009 Resident Script via Self-Pointing htmlFile
Mar 2009 Resident Script via WebSlice XAML Frame
Nov 2008 IE8 Resident Script via Cached execScript (WinOOB 1004580)
Jul 2008 IE8 Resident Script via Cached execScript and htmlFile
May 2008 Safari Resident Script: onunload Navigation Interception and Banner Hijacking
Apr 2008 BlueHat Demos: Resident Scripts, Banner Hijacking, UXSS, and Ghost
Apr 2008 Kevin's XML Resident Script POC
Apr 2008 IE7 Resident - opener, createElement, OBJECT
Jul 2007 Resident Script via Cached execScript from an Iframe
May 2007 Resident Script via Cached window.open from an Iframe
Dec 2006 Resident with Just htmlFile
Nov 2006 Resident - Thank You for Being There, Mr. IFRAME
Nov 2006 Resident Again
Feb 2006 Lazarus Resurrection — Resident Script via IFRAME + window.opener (MSRC 6427)
Popup Blocker Bypass (14)
Date     Experiment
Mar 2014 Pop-up Blocker Bypass via Local base href
Dec 2013 Pop-up Blocker Bypass via iFrame htmlFile ActiveX Chain
Sep 2013 Pop-up Blocker Bypass via htmlFile ActiveX in createPopup
Mar 2013 Popup Blocker Bypass via Nested ActiveX htmlFile
Aug 2011 MSRC 11355 Patch Bypass via createPopup on Destroyed iFrame
Apr 2011 WMP Popup Blocker Bypass via scriptcommand in WMV or launchURL
Aug 2009 Pop-up Blocker Bypass via Frozen Event and Document Destroy
Jun 2009 Pop-up Blocker Bypass via Windows Media Player 12
Apr 2008 Popup Bypass Using WMP
Jan 2007 Popup Bypass Using createPopup and Object
Nov 2006 Full Popup Bypass Using htmlFile Control IE6 and IE7
Nov 2006 Popup Bypass Using WebBrowser Control
Nov 2006 ActiveX Popup Bypass
Feb 2006 createPopup Outside Browser Limits (MSRC 6435)
Address Bar Spoofing (38)
Date     Experiment
Sep 2017 Revealing the content of the address bar (IE)
Mar 2017 Referrer spoofing with iframe injection (Edge)
Mar 2017 Bypassing the patch to keep spoofing the Smartscreen/Malware warning (Edge)
Dec 2016 Spoofing the address bar and the SmartScreen/Malware Warning (Edge)
Sep 2016 Referer spoofing and defeating the XSS filter (Edge/IE)
Nov 2014 Capturing Address Bar Input via createPopup and onbeforeunload
May 2014 Spoofing the User's Saved Webpage via pushState + Server Redirect
Feb 2014 Spoofing the Info Bar Pop-up Origin via base href
Feb 2014 Spoofing the Blocked Pop-up Origin via WebBrowser Navigate
Nov 2013 Referrer Spoof via Server Redirect and Cached Location Object
Sep 2013 createPopup Overlay Spoof Across Tabs
Sep 2013 Address Bar Spoof via Non-Responding URL
Apr 2013 Windows 8 App Address Bar Spoof via eval Override (QQ)
Apr 2013 Address Bar Spoof via Mixed Document Modes and history.pushState
Mar 2013 Address Bar Spoof via prompt and document.write
Feb 2013 Address Bar Spoof via New Window Reload
Jan 2013 IE10 Address Bar Spoof via onreadystatechange and document.write
Dec 2012 MHTML Spoof via setCapture Event Hijacking
Aug 2012 IE10 Metro: Modal Window Domain Hidden by Solid Background
Jul 2012 IE10 Address Bar Spoof via history.replaceState
May 2012 IE10 Metro: Back Gesture Can Be Spoofed with Oversized Scrollable Div and iframe
May 2012 IE10 Metro: Page Reload with Server Redirect Does Not Show Address Bar
May 2012 IE10: Content and Address Bar Spoof via onunload Sync XMLHttpRequest Freeze
Mar 2012 IE10: Referrer Spoofing via history.replaceState + Server Redirect + Reload
Nov 2011 Address Bar Spoof via Redirect, iFrame Hijack, and document.write
Sep 2011 IE10 Address Bar Spoof via history.pushState and Reload
Jul 2011 XSS Filter Bypass by Spoofing the Referrer on Reload
Feb 2011 IE9: InfoBar URL Spoofing via Navigate2
Jan 2011 IE9: setCapture Through Tabs Enables UI Spoofing
Jul 2010 IE9 Referrer Spoofing Enables XSS Filter Bypass
Jul 2010 IE9 InfoBar Domain Spoofing via Repeated window.open Calls
Jan 2010 IE Address Bar Spoofing via Unload, Stop, and Reload
Feb 2009 Address Bar Spoofing and About:Tabs Exploitation via res:// Domain
Aug 2008 IE8 Compatibility View Redirect Address Bar Spoof
Aug 2007 URL Spoofing via onbeforeunload — Vista-Compatible Variant
Aug 2007 URL Spoofing via onbeforeunload and history.go(0)
Feb 2007 HHControl Screen Spoof IE6
Dec 2006 Address Bar Spoof IE6
Sandbox Bypass (24)
Date     Experiment
Mar 2017 Defeating the popUp blocker, the XSS filter and SuperNavigate with our fake ticket to the Intranet Zone (Edge)
Feb 2014 base href file:// Bypasses IE Protected Mode Integrity Level
Nov 2013 IE11 Sandbox Bypass via Accelerator URLs
Oct 2013 IE11 Sandbox Too Tight: Pop-up Inherits Sandbox Restrictions
May 2013 IE11 Sandbox Bypass via New Link in allow-popups iFrame
Mar 2013 Sandbox Bypass via external.NavigateAndFind on a Sandboxed Window
Aug 2012 IE10 Protected Mode Escape via XBAP File Handler
Jul 2012 IE10 Sandbox Bypass via Default Search URL
Jul 2012 IE10 Sandbox Bypass via New Window Write-Back
Jul 2012 IE10 Sandbox Bypass via Meta Set-Cookie
Jun 2012 IE10 Sandbox Bypass: Any DoS That Crashes a Sandboxed Tab Causes Reload Without Sandbox
Jun 2012 IE10 Sandbox Bypass: Invalid Server Redirect URL Loads Error Page Outside Sandbox
Jun 2012 IE10 Sandbox Bypass: Triggering a Download and Going Back Removes Sandbox Flags
Jun 2012 IE10 Sandbox Bypass: Flash getURL with javascript: Target Reaches Sandboxed Window
May 2012 IE10 Metro: Loading mhtml from Sandboxed iframe Breaks Out to Top Window Without Showing Address Bar
Nov 2011 Protected Mode Bypass via vsjitdebugger.exe Accepting Binary Arguments
Sep 2011 IE10 Sandbox Bypass via Non-HTML Navigation and history.back()
Sep 2011 IE10 Sandbox Bypass via New Window opener.parent location with JavaScript
Sep 2011 IE10 Sandbox Bypass: Navigating the Parent URL via History Methods
Jul 2011 IE10 Sandbox Bypass via Flash GetURL with JavaScript Protocol
Jul 2011 IE10 Sandbox Bypass via Windows Media Player launchURL
Jul 2011 IE10 Sandbox Bypass via navigate.call(parent) with JavaScript Protocol
Jul 2011 IE10 Sandbox Bypass via SVG JavaScript xLink
Jun 2011 IE10 Sandbox Bypass Using a Window as a Bridge
EoP / RCE (34)
Date     Experiment
Jan 2014 EoP: PROBABLY_EXPLOITABLE Crash via Rapid RSS/HTML iFrame Switching
Oct 2013 EoP: Crash Changing iFrame URL from RSS Feed
Jun 2013 F12 Developer Tools: RCE via addEventListener Override
Apr 2013 Probably Exploitable Crash: getOwnPropertyNames on Destroyed iFrame
Mar 2013 Exploitable Crash via Cached Image Collection Access by Index
Feb 2013 Exploitable Crash via Cached Element Collection After Redirect
Jun 2012 IE10 EoP: Enumerating New Window Object During Redirect is EXPLOITABLE
Mar 2012 EoP: Flash innerHTML Random Crash is PROBABLY_EXPLOITABLE
Feb 2012 IE10 EoP: history.pushState Redirect to Blob URL then Reload is EXPLOITABLE
Feb 2012 IE10 EoP: Invalid Content-Type on Blob URL Server Redirect is PROBABLY_EXPLOITABLE
Feb 2012 IE10 EoP: window.open in Destroyed iframe Triggers EXPLOITABLE DEP Violation
Dec 2011 IE10 EoP: htmlFile ActiveX Reload + setTimeout document.open/close is PROBABLY_EXPLOITABLE
Nov 2011 IE8 EoP: Framed Cross-Domain Flash GetURL Triggers Exploitable Crash on Reload
Sep 2011 IE10 EoP: Calling scroll Methods on Behalf of Another Window Crashes Browser
Jul 2011 EoP/RCE: Arbitrary Code Execution via InsertImage Internal Dialog
May 2011 IE9 EoP: Crashing the Browser by Resizing a Persistent createPopup
May 2011 EoP: Destroying an htmlFile Reference While Its Trident Is Refreshing
Apr 2011 EoP: Windows Media Player launchURL Crash via Intentional Failure
Mar 2011 IE9 EoP: Arbitrary Code Execution via Internal InsertImage Dialog
Mar 2011 IE9 EoP: Execute Window Method After the Page Has Navigated Away
Mar 2011 IE9 EoP: Execute Window Method After Page Has Gone (Variant)
Jan 2011 IE9 EoP: iFrame innerHTML Self-Destruction
Jan 2011 IE9 EoP: Iterating an iFrame URL Between Feeds and HTML
Dec 2010 IE9 EoP: document.open While the Browser Is Frozen by a Dialog
Aug 2010 IE9 RCE: Intercepting Internal Dialogs via Object.defineProperty
Mar 2010 CFD SharePoint: Remote Code Execution via WebOC Navigate2
Mar 2010 IE Crash: View Source Crash with a 70 MB HTML File
Oct 2009 Silverlight 4 WebOC: RCE, UXSS, Referrer Forgery, and More
May 2009 Silverlight 3 DoS — Source Change on FullScreenChanged Event
May 2009 Silverlight 3 DoS — SplashScreenSource Null Pointer Dereference
Feb 2009 RCE via Windows Desktop Search
Dec 2008 IE8 RCE via About Dialog _unspecifiedFrame (IE8 Variation)
Nov 2008 IE7 RCE via About Dialog _unspecifiedFrame
Oct 2007 Vista RCE via XAML Frame + ExecWB PrintPreview
Info Disclosure (14)
Date     Experiment
Nov 2024 Detecting Chrome Extensions Without Console Noise
Apr 2017 Detecting Installed Extensions (Edge)
Oct 2016 Detecting Local Files to Evade Analysts (IE)
Sep 2016 Detecting analysts before installing the malware (IE)
Sep 2016 CSS History Leak or "I know where you've been" (Edge)
Aug 2016 Grabbing data from Inputs and Textareas (Edge/IE)
Jan 2010 IE Information Disclosure: Detecting Local Files via Link Behavior Errors
Oct 2009 Load Local Files via Feeds IFrame open Method
Jul 2009 Windows Media Player — Check If Local File Exists
Jun 2009 Mark-of-the-Web + Flash XML to Read Local Files
Oct 2007 PDF Plugin: Loading Local Files via file:// Protocol Link
Oct 2007 XAML Frame: Checking Local File Existence via Script Tag src
Sep 2007 Flash Plugin: Checking Whether a Local File Exists via readyState
Sep 2007 IE6: Checking Whether a Local File Exists via Dashboard ActiveX
Misc (134)
Date     Experiment
Jun 2024 Building a High-Resolution Timer from WebAssembly.Memory
Nov 2016 Abusing of Protocols to Load Local Files, bypass the HTML5 Sandbox and Open Popups (Edge)
Nov 2016 Bypassing Mixed Content Warnings - Loading Insecure Content in Secure Pages (Edge/IE)
May 2014 Persistent Browser Zoom-Out via ExecWB OLECMDID_OPTICAL_ZOOM
Apr 2014 mhtml: Protocol Loads Local Zip Files Without Warnings
Feb 2014 Content Injection on Sites with Named iFrames via Flash GetURL
Dec 2013 typeof Checks Cross-Origin Variable Existence via 'unknown' Return Value
Dec 2013 DocMode 8: Checking Cross-Origin Variable Existence via ACCESS_DENIED
Dec 2013 Clickjacking via createPopup and setCapture
Sep 2013 Dialog Spoof Across Tabs via Back Navigation
Sep 2013 Browser Window Close via onbeforeunload Location Race
Aug 2013 BlueHat Challenges for BlackHat
Aug 2013 F12 DevTools Memory Panel Elevation of Privilege
Aug 2013 F12 DevTools selectorText.split Elevation of Privilege
Jul 2013 F12 DevTools querySelectorAll Elevation of Privilege
Jun 2013 MSRC Variations Collection
May 2013 Windows 8 Managed Apps Penetration Test
Apr 2013 Windows 8 App Security Review: 4 Additional Vulnerable Apps (April)
Apr 2013 Windows 8 App Security Review: 20 Vulnerable Apps (April)
Apr 2013 OpenSearch Preview Pane: Local File Read, Full-Screen Popup, and Clipboard Access
Mar 2013 Information Disclosure: Detecting Visited URLs via CSS Expression Error Count
Mar 2013 Information Disclosure: Real File Path via createRangeCollection
Mar 2013 Browser Freeze: Dragged Text Floats Over Everything
Mar 2013 Prompt Domain Bypass via about:blank iFrame
Jan 2013 VBScript Cross-Origin Variable Existence Detection and Error Injection
Dec 2012 IE10 on Windows Phone 8: designMode Disables Scripts Globally
Dec 2012 MHTML iFrame Keystroke Capture via setCapture
Nov 2012 Windows 8 App Security Issues
Oct 2012 MSN Explorer Security Issues
Oct 2012 IE10 Prompt Domain Information Bypass via MHTML
Oct 2012 Modern UI Mail Security Issues
Sep 2012 Persistent Keylogger via Embed HTML and createPopup
Aug 2012 IE10 Screen Not Updated After about:Tabs Navigation
Aug 2012 IE10 Access to Feeds Generated Page
Aug 2012 Persistent Modeless Window Surviving Navigation
Jun 2012 IE10: createDocument Documents Load External Content via video, audio, bgsound, and HTC Behavior
Jun 2012 IE10: mhtml: Protocol Bypasses file:// Restriction and Loads Local Mark-of-the-Web Files
May 2012 IE10: X-Frame-Options Header Bypassed via mhtml: Protocol in Sandboxed iframe
Apr 2012 IE10: msSetPointerCapture Allows iframe to Intercept Clicks Outside Its Bounds
Mar 2012 IE10: Rendering Almost Any File as HTML via pushState + Server Redirect + Reload
Feb 2012 IE10: Blob Image URLs Cross Sandbox Boundaries via postMessage
Feb 2012 IE10: Rendering HTML Blob Content via Server Redirect Bypasses Blob URL Restriction
Nov 2011 IE10 Sandbox HTTP Headers Bypass via Cached Document Object
Nov 2011 iframe security=restricted Bypass via New Window opener.setTimeout
Sep 2011 IE10 Sandbox: Unique Origin Allows parent.location JavaScript Navigation
Sep 2011 Persistent Keylogger via iFrame createPopup Survives Navigation
Aug 2011 Information Disclosure: Local Machine Name Shown in Blocked createPopup Infobar
Aug 2011 Silverlight 5 Security Findings: DoS, EoP, UXSS, and Persistence
Jul 2011 IE10 Sandbox Multiple Flags Bypass via createHTMLDocument
Jul 2011 TP58 Drag and Drop Cross-Origin Bypass
Jul 2011 IE10 Sandbox Multiple Flags Bypass via HTML Object Tag
Jul 2011 IE10 Sandbox allow-same-origin Bypass via XML Island
Jul 2011 IE10 Sandbox ms-allow-popups Bypass
Jul 2011 IE10 Workers Load Redirected URL (Cross-Origin)
Jun 2011 IE9: Bypassing iFrame security=restricted via XML Stylesheet
Jun 2011 X-Frame-Options Header Bypass via XML Stylesheet
Jun 2011 Drag-Jacking: Capturing Cross-Domain Data via a Drag-and-Drop Game
May 2011 IE9/IE10: History Sniffing via Copy-Paste Color Change
May 2011 IE9: Persistent createPopup Acts as a Keylogger Across Navigation
Apr 2011 IE8: User Style Sheet Bug Crashes on SELECT Element Expansion
Mar 2011 IE9: createPopup Inside a XAML Frame Covers the Entire Screen
Feb 2011 IE9: NavigateAndFind Opens Local Folders and Files Outside Protected Mode
Jan 2011 IE9: iFrame URL Inconsistency on Refresh After DOM Insertion
Dec 2010 IE9: Opening Alerts and Modeless Windows Attributed to a Different Tab
Nov 2010 IE9 Information Disclosure (Deadcall): Reading IFrame Location via toString
Nov 2010 IE9: Prompt and VBScript InputBox Not Blocked Without User Interaction
Oct 2010 IE9 Information Disclosure: Detecting When the XSS Filter Has Activated
Sep 2010 IE9 InfoBar Overlay via createPopup
Jul 2010 IE9 Zombie Audio Tag Survives Page Navigation
May 2010 IE9 XSS Filter Bypass via SCRIPT DEFER Attribute
Mar 2010 WebOC UXSS When FEATURE_VIEWLINKEDWEBOC_IS_UNSAFE Is Not Set
Jan 2010 Four Chrome Bugs Found While Pentesting Silverlight
Dec 2009 IE Information Disclosure: Reading the Full Path from a File Input
Nov 2009 Clickjacking Demo for Spencer Low
Oct 2009 Silverlight 4 Pentest I
Aug 2009 WPF 4 Beta 2 Pentest
Jul 2009 IE Undocumented Events — showmessage, propertysheet, MenuExtUnknown
Jul 2009 IE8 Scripting Optical Zoom via ExecWB
Jun 2009 WPF/XBAP Pentest Findings
Jun 2009 XBAP Clipboard Hijacker
Jun 2009 XAML Hyperlink Cross-Origin Sub-Frame Navigation
Apr 2009 Flash getURL Cross-Origin Sub-Frame Navigation
Apr 2009 IE8 XSS Filter Bypass via Injected Referrer Link
Mar 2009 IE8 defineProperty Intercepts Internal Dialogs for Address Bar Spoofing
Feb 2009 IE8 X-Frame-Options Header Bypass
Dec 2008 Heap Spray Variations — ADO Object and Tabular Data Control
Nov 2008 IE8 WinOOB 1053535 Variation
Nov 2008 Overriding document Methods to Fool IE Internal Dialogs
Nov 2008 IE8 WinOOB 982379 — setCapture to Read WBControl Path
Nov 2008 IE8 WinOOB 1032522 — Flash GetURL with url: Protocol
Oct 2008 IE8 XSS Filter Bypass via META Redirect
Oct 2008 Sandbox LiveLabs: Script Execution, Freezers, and Style Parser Escapes
Sep 2008 MSRC 7930 Variation: Bypassing the October MSXML Patch via Redirect in DTD
Aug 2008 IE8 XSS Filter Bypass via Nested IFRAMEs
Aug 2008 IE8 url:file:// Patch Bypass with Extra Characters
Jul 2008 Silverlight 2 Beta Security Research
Jul 2008 6on6: A Personal Browser Security Issue Tracker
Jun 2008 postMessage Security Research Notes
Jun 2008 XMLHttpRequest Security Quirks: about:blank, Multiple Redirects, and responseXML Lifetime
Jun 2008 XSS in a Banking Application
Jun 2008 XAML Frame + url:file:// Combo for Local Zone Code Execution
Feb 2008 Popup Blocker Bypass via Silverlight's Delayed HtmlPage.Window.Eval
Dec 2007 Flash Loading a Remote SWF Without User Interaction
Nov 2007 ExecWB IDM_PRINTPREVIEW Opens a Door to Many Tricks
Nov 2007 XAML Frame + Hacked PDF = Pseudo Local Machine Zone
Oct 2007 IE7: Infinite Window Spawning via Cached SWF Document and res:// Hash
Oct 2007 XAML Frame: Loading Local Images via file:// Protocol
Oct 2007 XAML Frame Bypasses IE7 window.prompt Gold Bar Restriction
Sep 2007 MSRC 7571 Variation: Another Method to Run Remote Files
Apr 2007 XAML createPopup Full Screen
Apr 2007 XAML Frame Clipboard Read
Apr 2007 Navigating PIDL Using WebBrowser Control as IFRAME
Mar 2007 IE6 Clipboard Copy Paste No Prompts
Mar 2007 IFrame As WebBrowser - Close, Crash, Search
Mar 2007 createPopup Show on Unload
Mar 2007 Bypass GoldBar Downloading Files Flash getURL
Mar 2007 PseudoDoS - screen.updateInterval
Feb 2007 Overwrite Clipboard With Hosted Control
Feb 2007 Phishing Files - Needs User Interaction
Feb 2007 IE6 RefEdit Cut Phish GetFiles
Feb 2007 Case 6445 Variation
Jan 2007 Multiple Crashes
Jan 2007 StickyPop - CoverPop - Crash IE6
Jan 2007 Crash Using _unspecifiedFrame
Jan 2007 createPopup Check Parent Crash
Jan 2007 Nested XSL Crash
Jan 2007 Nested IFRAMEs Crash
Jan 2007 Nested Objects Crash
Jan 2007 INPUT TYPE File Click Crash
Dec 2006 WebBrowserControl Navigate Crash
Dec 2006 htmlFile Crash
Dec 2006 WebBrowser Control - Get IE Path and ShowBands
Dec 2006 WebBrowser Control Events
Feb 2006 Closing the Browser Without a Confirmation Prompt