Saving a reference to a createRangeCollection() result before a redirect, then accessing the collection member's htmlText property after the redirect completes, gives access to the DOM of the...

The HTML5 sandbox attribute correctly blocks most attempts to change the URL of a sandboxed window from outside. One exception: external.NavigateAndFind, an older IE API, could change the URL of a...

Saving a reference to the getSelection() object of an iFrame before it redirects, along with any member of that object, keeps the selection live. After the redirect, accessing anchorNode on the saved...

After saving a createRange() reference from a new window and waiting for it to redirect, calling duplicate() on the cached range creates a new object bound to the redirected domain's context. Any...

HTML5 specifies that <input type="file"> should return C:\fakepath\filename instead of the real path, protecting user privacy. I found that calling createRangeCollection() on the selection after...

Accessing a cached element collection by numeric index after a redirect crashes the browser with EXPLOITABLE classification — EIP can be controlled by varying the number of elements added before the...

If you know the name of a form element on the target page, you can access that element's ownerDocument after a redirect by caching the forms collection before the redirect and then looking up the...

Throwing an alert during the ondragenter event prevents the user from closing the dialog, effectively freezing the browser. As a side effect, the dragged text remains rendered on top of all other...

Dragging selected text from one input box to another crashes the browser when document.open() is called in the ondragstart handler. The crash reproduced on IE10 Win8 with UNKNOWN exploitability.

Creating an <object type="text/html"> element and storing a self-referencing pointer from the object's window back to the element itself keeps the object alive even after the parent navigates away....

A simple UXSS using an iFrame that redirects to another domain: before the redirect completes, the parent injects an execScript into the iFrame that sets the iFrame's own location to a javascript:...

A cleaner version of the onreadystatechange spoof — this one works without needing a script error notification. Opening a new window that redirects to Bing, writing the document during...

The history.replaceState address bar spoof had been patched for IE10, but it still worked on IE11. What made this variation more interesting is that it turned a simple spoof into a UXSS: after...

Two nested htmlFile ActiveX objects created through a destroyed iFrame are enough to bypass the popup blocker without any user interaction. The key is that the second htmlFile's parentWindow.open...

A simpler variant of the earlier MHTML-based prompt bypass: placing an empty about:blank iFrame on the page and calling prompt through its window object produces the generic "Explorer User Prompt"...

By saving a reference to a DOMParser instance created in a new window before it redirects, and then calling parseFromString on that cached instance after the redirect, the resulting document ends up...

By saving a reference to document.links before a server redirect, then accessing a cached link element by property after the redirect completes, the browser crashes with EXPLOITABLE classification....

This is a refreshed version of the earlier childNodes thread bug, updated to work on IE10 and even the early IE11 builds at the time. The structure is the same — cache the childNodes collection,...

A brief crash in IE11 triggered by calling window.URL.createObjectURL on an empty blob. The exploitability was classified UNKNOWN at the time.

Opening a new window that server-redirects to Bing, and immediately calling location.reload() on it, causes the address bar of the new window to remain stuck on the original URL while Bing's content...

By saving a reference to the window.open method of an iFrame before destroying it through navigation, the cached reference stays valid and can be used to load pages into the destroyed iFrame's scope...

I called this the "SandboxHeadersParadox" because the UXSS actually required the target URL to be sandboxed via X-Content-Security-Policy headers — meaning the very security headers intended to...

With the help of VBScript's execScript, it is possible to probe for the existence of named variables in a cross-origin iFrame. If the variable exists, the error fires only inside the iFrame's...

This spoof works against users with the default IE setting that shows a notification for every script error. By opening a new window that server-redirects to Bing, and hooking onreadystatechange to...

On IE10 for Windows Phone 8, setting document.designMode = "On" on a page has a surprising side effect: scripts stop executing in that tab permanently, even after navigating to completely different...

When an MHTML file is loaded inside an iFrame, IE renders it using an embedded WebBrowser Control object. I found that setCapture on the parent document, combined with a click inside that control,...

This is a variation on the setCapture capture family that specifically uses MHTML to make the technique work in contexts where it otherwise would not. From inside any iFrame — even one on a...

Shortly after Windows 8 launched I examined several Windows Store apps that used the WinJS framework — specifically looking at document.execCommand, execUnsafeLocalFunction, setInnerHTMLUnsafe, and...

I spent some time looking at MSN Explorer during this period and collected a set of findings in an internal document. MSN Explorer used its own rendering layer with settings that differed from the...

IE10 added a security improvement to window.prompt that always shows the calling domain in the dialog's caption bar — replacing the generic "Explorer User Prompt" text that made phishing easy. I...

During the Windows 8 launch period I spent some time looking at the Modern UI Mail app. The findings were documented internally and sent to the team; the details were captured in an archive. This was...

This is a clean, straightforward UXSS. Before a server redirect completes, the parent window can inject a javascript: protocol anchor into the new window's document and click it programmatically. The...

While exploring variations of the embed-based persistence technique, I found a completely different approach using the htmlFile ActiveX object. Creating an htmlFile instance in a new window and...

This one surprised me. By creating a hidden <embed type="text/html"> element in a new window, saving a reference to its internal window object, and then navigating the outer window away, the embed's...

Opening about:Tabs and immediately redirecting it to another URL leaves the display showing the about:Tabs content while the address bar updates correctly. The user sees their real recently closed...

After playing around with RSS feeds framed inside iFrames, I found that loading a feeds XML in an iFrame and then refreshing it via execCommand gave the parent page access to the internally generated...

Loading an .xbap file (XAML Browser Application) from IE causes the browser to hand it off to whatever application handles the .htm extension — which in practice means the user's default browser....

This bug had been sitting around for a long time without a report because on its own it seemed minor. When a modeless dialog is opened from inside an iFrame with a DOM object passed as the second...

In Windows 8 IE10 Metro mode, if the user had a solid color desktop background instead of a wallpaper image, the domain shown in modal and modeless dialog title bars became invisible. The dialog...

After the previous document.all variation, I tried the same threading trick with document.childNodes. A prior bug using this collection had been patched for Win8 RTM, but the Web Worker thread...

This was a variation of a previously patched bug. The original technique of caching document.all across a server redirect had been fixed, but running the access from a Web Worker thread made it work...

This bug only reproduced on the Win7 IE10 build at the time (20120723-2300), not on Win8 RP. The history.replaceState API had trouble keeping the address bar in sync: after replacing the current URL...

I was lucky to find this one — it is surprisingly simple. A fully sandboxed iFrame (with no flags at all, not even allow-scripts) could still break out by triggering a default search query. The...

This one surprised me. A sandboxed iFrame with allow-popups allow-scripts can open a new window which inherits the sandbox. But the new window can call document.write to inject a history.back()...

After playing around with the new IE10 sandbox flags for a while, I found that a sandboxed iFrame with only allow-popups could still set cookies on the parent domain using a <meta...

I found that documents created via document.implementation.createDocument() were supposed to be prevented from loading external content, but several tag types bypassed this restriction. <video>,...

I found that when a sandboxed window or tab crashed, IE automatically reloaded it — but the reload did not re-apply the sandbox flags. This meant that any denial-of-service vulnerability could be...

Since August 2011, internet-zoned pages are not allowed to use the file:// protocol. I found that prepending mhtml: to a file:// URL and loading it twice bypassed that restriction, loading local...

I found that when a sandboxed window received an HTTP 302 redirect to an invalid URL scheme (like badurl:), IE loaded its default error page outside the sandbox constraints. After going Back from the...

I found that opening a new window and setting an onbeforeunload handler that pushed a history state and enabled designMode — just before navigating the window to a cross-origin URL — left the window...