| Jun 2024 | Building a High-Resolution Timer from WebAssembly.Memory |
| Nov 2016 | Abusing of Protocols to Load Local Files, bypass the HTML5 Sandbox and Open Popups (Edge) |
| Nov 2016 | Bypassing Mixed Content Warnings - Loading Insecure Content in Secure Pages (Edge/IE) |
| May 2014 | Persistent Browser Zoom-Out via ExecWB OLECMDID_OPTICAL_ZOOM |
| Apr 2014 | mhtml: Protocol Loads Local Zip Files Without Warnings |
| Feb 2014 | Content Injection on Sites with Named iFrames via Flash GetURL |
| Dec 2013 | typeof Checks Cross-Origin Variable Existence via 'unknown' Return Value |
| Dec 2013 | DocMode 8: Checking Cross-Origin Variable Existence via ACCESS_DENIED |
| Dec 2013 | Clickjacking via createPopup and setCapture |
| Sep 2013 | Dialog Spoof Across Tabs via Back Navigation |
| Sep 2013 | Browser Window Close via onbeforeunload Location Race |
| Aug 2013 | BlueHat Challenges for BlackHat |
| Aug 2013 | F12 DevTools Memory Panel Elevation of Privilege |
| Aug 2013 | F12 DevTools selectorText.split Elevation of Privilege |
| Jul 2013 | F12 DevTools querySelectorAll Elevation of Privilege |
| Jun 2013 | MSRC Variations Collection |
| May 2013 | Windows 8 Managed Apps Penetration Test |
| Apr 2013 | Windows 8 App Security Review: 4 Additional Vulnerable Apps (April) |
| Apr 2013 | Windows 8 App Security Review: 20 Vulnerable Apps (April) |
| Apr 2013 | OpenSearch Preview Pane: Local File Read, Full-Screen Popup, and Clipboard Access |
| Mar 2013 | Information Disclosure: Detecting Visited URLs via CSS Expression Error Count |
| Mar 2013 | Information Disclosure: Real File Path via createRangeCollection |
| Mar 2013 | Browser Freeze: Dragged Text Floats Over Everything |
| Mar 2013 | Prompt Domain Bypass via about:blank iFrame |
| Jan 2013 | VBScript Cross-Origin Variable Existence Detection and Error Injection |
| Dec 2012 | IE10 on Windows Phone 8: designMode Disables Scripts Globally |
| Dec 2012 | MHTML iFrame Keystroke Capture via setCapture |
| Nov 2012 | Windows 8 App Security Issues |
| Oct 2012 | MSN Explorer Security Issues |
| Oct 2012 | IE10 Prompt Domain Information Bypass via MHTML |
| Oct 2012 | Modern UI Mail Security Issues |
| Sep 2012 | Persistent Keylogger via Embed HTML and createPopup |
| Aug 2012 | IE10 Screen Not Updated After about:Tabs Navigation |
| Aug 2012 | IE10 Access to Feeds Generated Page |
| Aug 2012 | Persistent Modeless Window Surviving Navigation |
| Jun 2012 | IE10: createDocument Documents Load External Content via video, audio, bgsound, and HTC Behavior |
| Jun 2012 | IE10: mhtml: Protocol Bypasses file:// Restriction and Loads Local Mark-of-the-Web Files |
| May 2012 | IE10: X-Frame-Options Header Bypassed via mhtml: Protocol in Sandboxed iframe |
| Apr 2012 | IE10: msSetPointerCapture Allows iframe to Intercept Clicks Outside Its Bounds |
| Mar 2012 | IE10: Rendering Almost Any File as HTML via pushState + Server Redirect + Reload |
| Feb 2012 | IE10: Blob Image URLs Cross Sandbox Boundaries via postMessage |
| Feb 2012 | IE10: Rendering HTML Blob Content via Server Redirect Bypasses Blob URL Restriction |
| Nov 2011 | IE10 Sandbox HTTP Headers Bypass via Cached Document Object |
| Nov 2011 | iframe security=restricted Bypass via New Window opener.setTimeout |
| Sep 2011 | IE10 Sandbox: Unique Origin Allows parent.location JavaScript Navigation |
| Sep 2011 | Persistent Keylogger via iFrame createPopup Survives Navigation |
| Aug 2011 | Information Disclosure: Local Machine Name Shown in Blocked createPopup Infobar |
| Aug 2011 | Silverlight 5 Security Findings: DoS, EoP, UXSS, and Persistence |
| Jul 2011 | IE10 Sandbox Multiple Flags Bypass via createHTMLDocument |
| Jul 2011 | TP58 Drag and Drop Cross-Origin Bypass |
| Jul 2011 | IE10 Sandbox Multiple Flags Bypass via HTML Object Tag |
| Jul 2011 | IE10 Sandbox allow-same-origin Bypass via XML Island |
| Jul 2011 | IE10 Sandbox ms-allow-popups Bypass |
| Jul 2011 | IE10 Workers Load Redirected URL (Cross-Origin) |
| Jun 2011 | IE9: Bypassing iFrame security=restricted via XML Stylesheet |
| Jun 2011 | X-Frame-Options Header Bypass via XML Stylesheet |
| Jun 2011 | Drag-Jacking: Capturing Cross-Domain Data via a Drag-and-Drop Game |
| May 2011 | IE9/IE10: History Sniffing via Copy-Paste Color Change |
| May 2011 | IE9: Persistent createPopup Acts as a Keylogger Across Navigation |
| Apr 2011 | IE8: User Style Sheet Bug Crashes on SELECT Element Expansion |
| Mar 2011 | IE9: createPopup Inside a XAML Frame Covers the Entire Screen |
| Feb 2011 | IE9: NavigateAndFind Opens Local Folders and Files Outside Protected Mode |
| Jan 2011 | IE9: iFrame URL Inconsistency on Refresh After DOM Insertion |
| Dec 2010 | IE9: Opening Alerts and Modeless Windows Attributed to a Different Tab |
| Nov 2010 | IE9 Information Disclosure (Deadcall): Reading IFrame Location via toString |
| Nov 2010 | IE9: Prompt and VBScript InputBox Not Blocked Without User Interaction |
| Oct 2010 | IE9 Information Disclosure: Detecting When the XSS Filter Has Activated |
| Sep 2010 | IE9 InfoBar Overlay via createPopup |
| Jul 2010 | IE9 Zombie Audio Tag Survives Page Navigation |
| May 2010 | IE9 XSS Filter Bypass via SCRIPT DEFER Attribute |
| Mar 2010 | WebOC UXSS When FEATURE_VIEWLINKEDWEBOC_IS_UNSAFE Is Not Set |
| Jan 2010 | Four Chrome Bugs Found While Pentesting Silverlight |
| Dec 2009 | IE Information Disclosure: Reading the Full Path from a File Input |
| Nov 2009 | Clickjacking Demo for Spencer Low |
| Oct 2009 | Silverlight 4 Pentest I |
| Aug 2009 | WPF 4 Beta 2 Pentest |
| Jul 2009 | IE Undocumented Events — showmessage, propertysheet, MenuExtUnknown |
| Jul 2009 | IE8 Scripting Optical Zoom via ExecWB |
| Jun 2009 | WPF/XBAP Pentest Findings |
| Jun 2009 | XBAP Clipboard Hijacker |
| Jun 2009 | XAML Hyperlink Cross-Origin Sub-Frame Navigation |
| Apr 2009 | Flash getURL Cross-Origin Sub-Frame Navigation |
| Apr 2009 | IE8 XSS Filter Bypass via Injected Referrer Link |
| Mar 2009 | IE8 defineProperty Intercepts Internal Dialogs for Address Bar Spoofing |
| Feb 2009 | IE8 X-Frame-Options Header Bypass |
| Dec 2008 | Heap Spray Variations — ADO Object and Tabular Data Control |
| Nov 2008 | IE8 WinOOB 1053535 Variation |
| Nov 2008 | Overriding document Methods to Fool IE Internal Dialogs |
| Nov 2008 | IE8 WinOOB 982379 — setCapture to Read WBControl Path |
| Nov 2008 | IE8 WinOOB 1032522 — Flash GetURL with url: Protocol |
| Oct 2008 | IE8 XSS Filter Bypass via META Redirect |
| Oct 2008 | Sandbox LiveLabs: Script Execution, Freezers, and Style Parser Escapes |
| Sep 2008 | MSRC 7930 Variation: Bypassing the October MSXML Patch via Redirect in DTD |
| Aug 2008 | IE8 XSS Filter Bypass via Nested IFRAMEs |
| Aug 2008 | IE8 url:file:// Patch Bypass with Extra Characters |
| Jul 2008 | Silverlight 2 Beta Security Research |
| Jul 2008 | 6on6: A Personal Browser Security Issue Tracker |
| Jun 2008 | postMessage Security Research Notes |
| Jun 2008 | XMLHttpRequest Security Quirks: about:blank, Multiple Redirects, and responseXML Lifetime |
| Jun 2008 | XSS in a Banking Application |
| Jun 2008 | XAML Frame + url:file:// Combo for Local Zone Code Execution |
| Feb 2008 | Popup Blocker Bypass via Silverlight's Delayed HtmlPage.Window.Eval |
| Dec 2007 | Flash Loading a Remote SWF Without User Interaction |
| Nov 2007 | ExecWB IDM_PRINTPREVIEW Opens a Door to Many Tricks |
| Nov 2007 | XAML Frame + Hacked PDF = Pseudo Local Machine Zone |
| Oct 2007 | IE7: Infinite Window Spawning via Cached SWF Document and res:// Hash |
| Oct 2007 | XAML Frame: Loading Local Images via file:// Protocol |
| Oct 2007 | XAML Frame Bypasses IE7 window.prompt Gold Bar Restriction |
| Sep 2007 | MSRC 7571 Variation: Another Method to Run Remote Files |
| Apr 2007 | XAML createPopup Full Screen |
| Apr 2007 | XAML Frame Clipboard Read |
| Apr 2007 | Navigating PIDL Using WebBrowser Control as IFRAME |
| Mar 2007 | IE6 Clipboard Copy Paste No Prompts |
| Mar 2007 | IFrame As WebBrowser - Close, Crash, Search |
| Mar 2007 | createPopup Show on Unload |
| Mar 2007 | Bypass GoldBar Downloading Files Flash getURL |
| Mar 2007 | PseudoDoS - screen.updateInterval |
| Feb 2007 | Overwrite Clipboard With Hosted Control |
| Feb 2007 | Phishing Files - Needs User Interaction |
| Feb 2007 | IE6 RefEdit Cut Phish GetFiles |
| Feb 2007 | Case 6445 Variation |
| Jan 2007 | Multiple Crashes |
| Jan 2007 | StickyPop - CoverPop - Crash IE6 |
| Jan 2007 | Crash Using _unspecifiedFrame |
| Jan 2007 | createPopup Check Parent Crash |
| Jan 2007 | Nested XSL Crash |
| Jan 2007 | Nested IFRAMEs Crash |
| Jan 2007 | Nested Objects Crash |
| Jan 2007 | INPUT TYPE File Click Crash |
| Dec 2006 | WebBrowserControl Navigate Crash |
| Dec 2006 | htmlFile Crash |
| Dec 2006 | WebBrowser Control - Get IE Path and ShowBands |
| Dec 2006 | WebBrowser Control Events |
| Feb 2006 | Closing the Browser Without a Confirmation Prompt |