Microsoft Edge - SOP Bypass courtesy of the reading mode view

SOP bypass courtesy of the read: pseudo-protocol

The vulnerabilities needed for this PoC work in all Edge versions, but the PoC itself was built for Edge 15 (after Creators Update). To execute it on older versions, it must be changed so that the reading mode is able to render it. If you don't have an updated Edge handy, watch the video PoC on YouTube.

Video: Microsoft Edge SOP Bypass

Tested on Microsoft Edge 40.15063.0.0, Microsoft EdgeHTML 15.15063 (this is after Creators Update)

Note: the PoC works as described in the blog post, but I placed the code in an external JS instead of encoding everything in the data URI. It makes things clearer.

Details about this vulnerability can be found here: SOP bypass Microsoft Edge read pseudo-protocol (reading mode)
Questions? @magicmac2000