Address Bar Spoof via prompt and document.write

A cleaner version of the onreadystatechange spoof — this one works without needing a script error notification. Opening a new window that redirects to Bing, writing the document during onreadystatechange, and also calling prompt() at the same time causes the prompt to “retain” the Bing URL in the address bar while the custom content is visible underneath.

function main() {
    var win = window.open("redirect.aspx");
    win.setTimeout('document.onreadystatechange = function(){prompt("Press escape or enter to close this dialog","Press escape or enter to close this dialog")};document.write(\'Check out the Address Bar!<h1>It has "bing" Spoofed!</h1><script>document.title="Bing";<\/script>\');')
}

The prompt acts as the timing mechanism: it freezes the thread while the page is mid-redirect, and when the user dismisses it the address bar shows the Bing URL but the page body is the attacker’s content. No error notification is required, making this a somewhat cleaner spoof than the earlier variant. Tested on IE10 / IE11 build 20130227-2100.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE11 UXSS via replaceState Spoof and New Window] :: [UXSS via iFrame Redirect and location javascript Protocol] >