| Mar 2017 | Defeating the popUp blocker, the XSS filter and SuperNavigate with our fake ticket to the Intranet Zone (Edge) |
| Feb 2014 | base href file:// Bypasses IE Protected Mode Integrity Level |
| Nov 2013 | IE11 Sandbox Bypass via Accelerator URLs |
| Oct 2013 | IE11 Sandbox Too Tight: Pop-up Inherits Sandbox Restrictions |
| May 2013 | IE11 Sandbox Bypass via New Link in allow-popups iFrame |
| Mar 2013 | Sandbox Bypass via external.NavigateAndFind on a Sandboxed Window |
| Aug 2012 | IE10 Protected Mode Escape via XBAP File Handler |
| Jul 2012 | IE10 Sandbox Bypass via Default Search URL |
| Jul 2012 | IE10 Sandbox Bypass via New Window Write-Back |
| Jul 2012 | IE10 Sandbox Bypass via Meta Set-Cookie |
| Jun 2012 | IE10 Sandbox Bypass: Any DoS That Crashes a Sandboxed Tab Causes Reload Without Sandbox |
| Jun 2012 | IE10 Sandbox Bypass: Invalid Server Redirect URL Loads Error Page Outside Sandbox |
| Jun 2012 | IE10 Sandbox Bypass: Triggering a Download and Going Back Removes Sandbox Flags |
| Jun 2012 | IE10 Sandbox Bypass: Flash getURL with javascript: Target Reaches Sandboxed Window |
| May 2012 | IE10 Metro: Loading mhtml from Sandboxed iframe Breaks Out to Top Window Without Showing Address Bar |
| Nov 2011 | Protected Mode Bypass via vsjitdebugger.exe Accepting Binary Arguments |
| Sep 2011 | IE10 Sandbox Bypass via Non-HTML Navigation and history.back() |
| Sep 2011 | IE10 Sandbox Bypass via New Window opener.parent location with JavaScript |
| Sep 2011 | IE10 Sandbox Bypass: Navigating the Parent URL via History Methods |
| Jul 2011 | IE10 Sandbox Bypass via Flash GetURL with JavaScript Protocol |
| Jul 2011 | IE10 Sandbox Bypass via Windows Media Player launchURL |
| Jul 2011 | IE10 Sandbox Bypass via navigate.call(parent) with JavaScript Protocol |
| Jul 2011 | IE10 Sandbox Bypass via SVG JavaScript xLink |
| Jun 2011 | IE10 Sandbox Bypass Using a Window as a Bridge |