Changing an HTC behavior's URL to cache its document, then changing it back, and then writing an innerHTML with a deferred script to the cached HTC document crashes IE. The size of the HTC file...
UXSS - SWF frameElement
The same frameElement UXSS pattern works with a Flash SWF file as the bridge. Loading a SWF inside an IFRAME that redirects (via getURL) to a different-domain HTML page gives that HTML access to...
UXSS - XAML frameElement
Loading a XAML file in an IFRAME and then clicking a hyperlink inside the XAML that targets a different-domain HTML page gives that HTML page access to frameElement. The XAML acts as an...
UXSS - XML Feeds frameElement
The same frameElement leak that works with XAML also works with an RSS/XML file. Loading an XML feed inside an IFRAME and clicking a link in it that points to a different-domain HTML page gives that...
XAML createPopup Full Screen
An HTML page hosted inside a WPF/E XAML <Frame> can call createPopup() and show it with coordinates far outside the normal browser window bounds. The popup can cover the entire screen including areas...
XAML Frame Clipboard Read
An HTML page hosted inside a WPF/E XAML <Frame> element can read the clipboard without any prompt. The XAML hosting context apparently gives the embedded HTML a different trust level, or bypasses the...
DoS - WPFE Cached OnError Handler
Caching a WPF/E (Windows Presentation Foundation Everywhere — the early XAML browser plugin) Canvas node in window.opener, reloading the page, and then calling add() on the cached node causes the...
DoS - IE7 Dead IFRAME Access
A resident createPopup that tries to access its creator IFRAME's parent after that IFRAME is gone (because the page reloaded without it) crashes IE7. If the second load happens to include other...
DoS - designMode DTD XHTML
Enabling designMode on an IFRAME's document and then navigating the IFRAME to an XHTML file that contains a DOCTYPE declaration crashes IE. The designMode state apparently conflicts with XHTML's DTD...
UXSS - MHT frameElement
Loading an .mht (MHTML archive) file inside an IFRAME from a different domain gives the MHT content access to frameElement — the IFRAME element in the parent page. From frameElement.ownerDocument,...
Navigating PIDL Using WebBrowser Control as IFRAME
Because IFRAMEs expose the WebBrowser Control's Navigate2 method, a web page can use Navigate2 with a PIDL (shell folder identifier) to open special shell folders — like the user's Documents, Control...
UXSS - Masked WebBrowser Control Cached Window
Caching the Application property of an IFRAME before navigating it to a cross-origin URL gives unrestricted access to the cross-origin document. The Application property returns the top-level...
IE7 UXSS - Read Local Files and URLs Through Feeds
An IFRAME exposes a Document property (capital D) from its WebBrowser Control interface. When the IFRAME loads an RSS/XML file first, and then navigates to an arbitrary URL or local file path by...
IE6 Clipboard Copy Paste No Prompts
Using an IFRAME as a WebBrowser Control, it's possible to call ExecWB(OLECMDID_COPY, OLECMDEXECOPT_DONTPROMPTUSER) and ExecWB(OLECMDID_PASTE, OLECMDEXECOPT_DONTPROMPTUSER) (IWebBrowser2::ExecWB takes OLECMDID command IDs, here 12 and 13, with execution option 2) to copy and paste clipboard contents...
IFrame As WebBrowser - Close, Crash, Search
IFRAMEs in IE expose the same COM interface as the WebBrowser Control, which means they have methods like ExecWB and ShowBrowserBar. Calling ExecWB(2, 1) from an IFRAME closes all browser tabs...
createPopup Show on Unload
A createPopup shown during the onunload event persists after the user navigates away. The popup stays visible on screen even though the page that created it is gone. It's a minor issue but shouldn't...
Bypass GoldBar Downloading Files Flash getURL
A Flash movie can trigger a file download using getURL("file.exe", "_top", "GET") without triggering IE's Information Bar (the "GoldBar" that warns about downloads). The download simply starts — no...
DoS - IE7 onBeforeUnload document.write
Calling document.write inside an onbeforeunload handler crashes IE7. The crash only happens when an IFRAME is present on the page and when the navigation is triggered by a setTimeout or by typing a...
PseudoDoS - screen.updateInterval
Setting screen.updateInterval to a very large value prevents IE from repainting the window after navigation. The user can change URLs, but the browser won't visually update unless they scroll,...
userControl Cached Document UXSS
A .NET user control hosted in IE can store a reference to an IFRAME's document object. After the IFRAME navigates to a different domain, the stored reference remains valid and bypasses all...
Overwrite Clipboard With Hosted Control
A hosted .NET control can write arbitrary text to the clipboard without triggering IE's security prompt, because Clipboard.SetDataObject is a .NET framework call that bypasses the browser's clipboard...
DoS - IE7 Cached Methods from Window Object
Caching a method from the window object (like window.moveTo) in window.opener, reloading the page, and then accessing window.opener crashes IE7 with an access violation. IE6 throws an "Access Denied"...
UXSS - Navigator Shared Properties and Methods
The navigator object is shared across all frames in the same browser process — it's the same object regardless of which domain's script is running. This means a cross-origin page can store a...
Phishing Files - Needs User Interaction
A variation of the clipboard phishing technique that works without the RefEdit ActiveX — instead it intercepts the oncopy event and temporarily swaps the text in the input field before the clipboard...
DoS - document.execCommand SaveAs
Calling document.execCommand("SaveAs") on the document of a createPopup or htmlFile ActiveX crashes IE. Both off-screen document containers lack the necessary hosting context for the Save As dialog,...
IE6 RefEdit Cut Phish GetFiles
The Office XP RefEdit ActiveX control has a Cut method that writes to the clipboard without triggering IE's clipboard permission prompt. A page can use this to silently replace whatever text the user...
DoS - IE7 Close Window No Prompts
Two lines of script close the current IE7 browser window or tab without any confirmation prompt. The trick is calling window.open("","_self") first, which reassigns the window's navigation target to...
Case 6445 Variation
After playing around for a while with the original setCapture() UXSS technique (case #6445), I found that the fix didn't cover all variations. Instead of capturing events on the top window, this...
DoS - htmlFile Blank Object Eval Stress CPU
Running a specific two-line script through eval — but not directly — causes IE to consume 100% CPU indefinitely. The code creates an htmlFile ActiveX and calls createElement with an OBJECT tag...
HHControl Screen Spoof IE6
The HTML Help control (hhControl) has a TextPopup method that displays a text popup over a specified screen area. By passing very large coordinates, a page can create a popup that covers the entire...
UXSS Using Excel Control
The Excel spreadsheet ActiveX control exposes a cells().hyperlink object that can be set to any URL — including javascript: URLs — and then followed programmatically. When followed from inside a...
UXSS - Pseudo Cross-Domain Scriptlet Component
The old Scriptlet Component ActiveX (CLSID AE24FDAE-03C6-11D1-8B76-0080C744F389) loads a URL and exposes its document in a way that bypasses same-origin restrictions. A page in a different domain...
Multiple Crashes
A collection of four separate crash cases, found around the same time. Each one is a standalone reproducer.
UXSS Using Just htmlFile
I was playing around with the htmlFile ActiveX and found that by naming its internal window and then using window.open to navigate it to any URL, the parent page retains full DOM access to that...
StickyPop - CoverPop - Crash IE6
This entry contains compiled artifacts (.zip archives of the PoC files). The techniques involved creating popups that "stick" to the screen or cover it even after navigation — exploiting IE6's...
Crash Using _unspecifiedFrame
Renaming an object window inside a dead htmlFile ActiveX to _unspecifiedFrame and then calling open() on it crashes IE. The name _unspecifiedFrame is apparently an internal sentinel value, and...
createPopup Check Parent Crash
Creating a resident createPopup inside an IFRAME and then running a setInterval that checks parent causes an access violation after the user navigates away. The local var declaration inside the...
Popup Bypass Using createPopup and Object
This combines the residency trick with the nested-object popup bypass. A createPopup made resident inside an IFRAME survives the IFRAME navigating away. After the navigation, an OBJECT...
Nested XSL Crash
An XSL stylesheet that calls transformNode on itself — by loading the same stylesheet recursively via an embedded script — causes a stack overflow in MSXML. The circular transformation reference...
Nested IFRAMEs Crash
Recursively nesting IFRAMEs by having each page write a new IFRAME pointing to itself eventually overflows the stack. A counter stored on top limits the recursion to 500 levels, after which a...
Nested Objects Crash
Loading an OBJECT TYPE="text/html" that points back to the same file (with an anti-cache query string) creates an infinite nesting of document objects, eventually overflowing the stack. It's IE's...
INPUT TYPE File Click Crash
Programmatically calling .click() on an INPUT TYPE="FILE" element that lives inside a createPopup or htmlFile ActiveX crashes IE. The file picker dialog is designed to operate inside a real browser...
WebBrowserControl Navigate Crash
Calling the Navigate method on the Shell.Explorer ActiveX (created with new ActiveXObject("Shell.Explorer")) crashes IE. The control is initialized without a host window, and navigating it before it...
htmlFile Crash
Accessing the bgColor property of a freshly created htmlFile ActiveX crashes IE. However, if any property on the ActiveX's parentWindow is set first — even a completely arbitrary one — the crash...
WebBrowser Control - Get IE Path and ShowBands
The Shell.Explorer.2 ActiveX exposes a FullName property that returns the full path to the IE executable on disk. The same control's ShowBrowserBar method lets a page script open IE's built-in...
WebBrowser Control Events
I noticed that when a WebBrowser Control is embedded in a page, it exposes browser-level events — including NewWindow3 — to the host page's scripts. This means a page can intercept the URLs of any...
Address Bar Spoof IE6
This address bar spoof for IE6 uses the htmlFile ActiveX to call window.open via execScript, which unlocks a navigation path that isn't available when called directly from a page script. The sequence...
Address Bar Spoof IE7 - UXSS Needed
I noticed that when IE7 opened a res:// protocol URL like res://ieframe.dll/dnserrordiagoff.htm#http://www.google.com, it would rewrite the address bar to show only the fragment —...
Resident with Just htmlFile
A simpler residency technique that doesn't need a createPopup at all — just the htmlFile ActiveX and window.opener. Creating an htmlFile ActiveX, writing a setInterval script into it, and storing it...
Resident - Thank You for Being There, Mr. IFRAME
This one surprised me — the IFRAME doesn't actually participate in the logic, but the script only stays resident if one is present on the page. Without it, the createPopup gets cleaned up normally....
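Added example, not code from the original page or its author: a small Node.js source scanner that flags the legacy IE primitives named across the entries above in page markup and script. It covers the IFRAME-as-WebBrowser entries (Navigate2, the cached Application/Document properties, ExecWB and ShowBrowserBar), the htmlFile and Shell.Explorer ActiveX containers, the Scriptlet Component CLSID, execCommand("SaveAs"), the HTML Help control's TextPopup, createPopup and document.write inside (before)unload handlers, and the IE7 res:// address bar spoof; a second helper parses a res:// URL to show what the browser really loads versus the decoy carried in the fragment. The rule names, the sample HTML and the `pidl` placeholder are constructed for this example, and the detection is regex heuristics that will miss obfuscated calls.

```javascript
'use strict';

// Added example (not code from the page or its author): a heuristic source
// scanner for the legacy IE primitives catalogued above. Regexes are global
// so String.prototype.matchAll can report every hit on a line.
const RULES = [
  { id: 'iframe-webbrowser-method',
    re: /\b(?:ExecWB|ShowBrowserBar|Navigate2)\s*\(/g,
    why: 'IFRAME used as a WebBrowser Control (ExecWB / ShowBrowserBar / Navigate2)' },
  { id: 'webbrowser-cached-object',
    re: /\.(?:Application|Document)\b(?!\s*\()/g,
    why: 'WebBrowser Control Application/Document property (cacheable across navigation)' },
  { id: 'activex-document-container',
    re: /new\s+ActiveXObject\s*\(\s*["'](?:htmlFile|Shell\.Explorer(?:\.2)?)["']/gi,
    why: 'off-screen document container (htmlFile / Shell.Explorer)' },
  { id: 'scriptlet-component',
    re: /AE24FDAE-03C6-11D1-8B76-0080C744F389/gi,
    why: 'Scriptlet Component CLSID' },
  { id: 'createpopup',
    re: /\bcreatePopup\s*\(/g,
    why: 'createPopup window (residency, screen-cover, clipboard entries)' },
  { id: 'execcommand-saveas',
    re: /execCommand\s*\(\s*["']SaveAs["']/gi,
    why: 'execCommand("SaveAs"), crashes when the document has no host window' },
  { id: 'hhctrl-textpopup',
    re: /\bTextPopup\s*\(/g,
    why: 'HTML Help control TextPopup (screen spoof)' },
  { id: 'res-url-fragment-spoof',
    re: /res:\/\/[^\s"'#]+#https?:\/\//gi,
    why: 'res:// URL carrying an http(s) URL in its fragment (address bar spoof)' },
  { id: 'unload-handler-abuse',
    re: /on(?:before)?unload\s*=\s*["'][^"']*(?:createPopup|document\.write)/gi,
    why: 'createPopup or document.write inside an (before)unload handler' },
];

// Returns one finding per match: { rule, line, match, why }.
function scanSource(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    for (const rule of RULES) {
      for (const m of text.matchAll(rule.re)) {
        findings.push({ rule: rule.id, line: index + 1, match: m[0], why: rule.why });
      }
    }
  });
  return findings;
}

// Hit count per rule id, for a quick triage view.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.rule] = (counts[f.rule] || 0) + 1;
  return counts;
}

// Splits a res:// spoof URL into what the browser actually loads versus the
// decoy text carried in the fragment. The WHATWG URL parser treats the DLL
// name as the host of the non-special res: scheme.
function describeResUrl(url) {
  const u = new URL(url);
  return { protocol: u.protocol, host: u.host, path: u.pathname, decoy: u.hash.slice(1) };
}

// Constructed sample page exercising several entries; `pidl` is a placeholder,
// not a real shell folder identifier.
const SAMPLE_HTML = [
  '<html><body onunload="window.createPopup().show(0, 0, 1, 1)">',
  '<iframe id="wb" src="about:blank"></iframe>',
  '<script>',
  '  var wb = document.getElementById("wb");',
  '  wb.ExecWB(12, 2);                 // OLECMDID_COPY, OLECMDEXECOPT_DONTPROMPTUSER',
  '  wb.Navigate2(pidl);               // pidl: a shell folder identifier (placeholder)',
  '  var app = wb.Application;         // cached before a cross-origin navigation',
  '  var h = new ActiveXObject("htmlFile");',
  '  h.execCommand("SaveAs");',
  '  location.href = "res://ieframe.dll/dnserrordiagoff.htm#http://www.google.com";',
  '</script>',
  '</body></html>',
].join('\n');

for (const f of scanSource(SAMPLE_HTML)) {
  console.log(`line ${f.line}: [${f.rule}] ${f.match} -- ${f.why}`);
}
console.log(describeResUrl('res://ieframe.dll/dnserrordiagoff.htm#http://www.google.com'));
```

On the sample page the scanner reports eight findings (two WebBrowser method calls, the cached Application property, the htmlFile container, the SaveAs call, the res:// spoof, and both the createPopup and the unload-handler hit on the body tag), and describeResUrl shows that the address IE7 rewrote to look like google.com actually has host ieframe.dll with the google URL only in the fragment. Feed it real page sources with `scanSource(fs.readFileSync(path, 'utf8'))`.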