This folder contains research materials from a Silverlight 2 Beta security review, including a detailed penetration testing document (Silverlight PenTest.docx) and four proof-of-concept archives covering different attack surfaces.
The four POC categories archived here were:
- noredir.zip — cases where Silverlight’s web client would not follow redirects, creating potential for information leakage or bypass of redirect-based security controls
- SL_xDom_HostHeader_Proxy.zip — UXSS-class issues triggered through host header manipulation combined with Silverlight’s cross-domain request handling
- webClient_does_not_work_when_hosted_on_different_domain.zip — behavior differences in the WebClient class depending on the hosting domain, with security implications for expected vs. actual isolation
- XSS_ExternalCallersFromCrossDomain.zip — cross-origin callers able to invoke JavaScript execution through Silverlight’s HtmlPage.Window.Eval or similar host access paths
The common thread across these findings was that Silverlight’s bridge between managed code and the browser DOM had a number of edge cases where the expected origin isolation did not hold. Many of the same onLoad/userControl patterns explored in earlier entries also appeared here in new forms.
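To make the Eval-through-the-bridge shape concrete, here is an added illustration written for this note; it is not code from the POC archives or from Silverlight itself. It shows a scriptable object that hands page script straight to HtmlPage.Window.Eval, alongside a version that first checks that the page hosting the plug-in has the same origin as the server the XAP was loaded from. The class, member and method names (ScriptBridge, RunScriptUnchecked, RunScript, SameOrigin, Register) are assumptions; the Silverlight APIs used (ScriptableType, ScriptableMember, HtmlPage.Window.Eval, HtmlPage.Document.DocumentUri, HtmlPage.IsEnabled, Application.Current.Host.Source, HtmlPage.RegisterScriptableObject) are the real ones.

```csharp
using System;
using System.Windows;
using System.Windows.Browser;

// Added illustration, not one of the archived POCs. Names below are assumed.
[ScriptableType]
public class ScriptBridge
{
    // Risky shape: any script that can reach the plug-in's "content" object
    // gets to run JavaScript in the hosting page's origin via managed code.
    [ScriptableMember]
    public object RunScriptUnchecked(string js)
    {
        return HtmlPage.Window.Eval(js);
    }

    // Gated shape: only honour the call when the hosting page's origin matches
    // the origin the XAP itself was served from.
    [ScriptableMember]
    public object RunScript(string js)
    {
        if (!HtmlPage.IsEnabled)
            throw new InvalidOperationException("HTML bridge is disabled for this plug-in instance");

        Uri hostingPage = HtmlPage.Document.DocumentUri;   // page embedding the plug-in
        Uri xapSource   = Application.Current.Host.Source; // where the XAP was loaded from

        if (!SameOrigin(hostingPage, xapSource))
            throw new InvalidOperationException("cross-origin hosting page; refusing Eval");

        return HtmlPage.Window.Eval(js);
    }

    // Origin = scheme + host + port. Uri.Port yields the default port (80/443)
    // when none is written, so "http://a" and "http://a:80" compare equal.
    internal static bool SameOrigin(Uri a, Uri b)
    {
        return string.Equals(a.Scheme, b.Scheme, StringComparison.OrdinalIgnoreCase)
            && string.Equals(a.Host, b.Host, StringComparison.OrdinalIgnoreCase)
            && a.Port == b.Port;
    }

    // Call from the Application.Startup handler so page script can reach the
    // object as <plugin>.content.Bridge.
    public static void Register()
    {
        HtmlPage.RegisterScriptableObject("Bridge", new ScriptBridge());
    }
}
```

The check above is belt-and-braces rather than a substitute for the plug-in's own setting: the object tag's enableHtmlAccess parameter governs whether the managed side may touch the DOM at all, and Silverlight defaults it to true only when the XAP is served from the same domain as the hosting page. The archived cases are precisely the situations where that default, or the bridge's handling of cross-domain callers, did not behave as the isolation model implied.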
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.