Broken Browser – Fun with Browser Vulnerabilities_News & Media

AboutBugs ListBroken BrowserFun with Browser VulnerabilitiesRevealing the content of the address bar (IE)September 26, 2017VulnerabilitiesHello fellow bug hunter! Today we are going back to Internet Explorer which despite getting old, tons people still use it. I am much happier with MSRC lately, they are really moving forward regarding Edge, design bugs, and they even extended …Read More »SOP bypass / UXSS – Stealing Credentials Pretty Fast (Edge)May 10, 2017VulnerabilitiesToday we are going to steal Twitter and Facebook credentials from the user. The previous two SOP bypasses [1] [2] that allowed attackers to steal passwords and cookies were not patched in the latest update and this new one is more direct, …Read More »SOP bypass / UXSS – Tweeting like Charles Darwin (Edge)April 24, 2017VulnerabilitiesWatch the 2 minutes exploit video where we manually tweet as if we were Charles Darwin, and get his password (thanks to the default password manager of Microsoft Edge). If you are out of time, watch the 1 minute video where …Read More »SOP bypass courtesy of the reading mode (Edge)April 17, 2017VulnerabilitiesThe Microsoft Edge team recently tweeted about the reading mode, a feature that removes the clutter from webpages to read without distractions. It was not new to me, I learned about it when I was trying to understand how pseudo-protocols worked …Read More »Detecting Installed Extensions (Edge)April 6, 2017VulnerabilitiesAttackers love being able to fingerprint their victims. We’ve seen in the past two techniques that allowed the bad guys to detect the presence of particular files (to evade analysts) and even get the application names associated to specific mimeTypes. Microsoft patched …Read More »Defeating the popUp blocker, the XSS filter and SuperNavigate with our fake ticket to the Intranet Zone (Edge)March 31, 2017VulnerabilitiesLast year we explored the domainless blank technique to create UXSS/SOP bypasses on both Microsoft Edge and Internet Explorer. The Edge version has been recently patched but unfortunately the fix introduces a new security issue which allows attackers to exploit other things. …Read More »Referrer spoofing with iframe injection (Edge)March 24, 2017VulnerabilitiesLast year we’ve been playing with a very simple method to spoof the referrer on Edge, which allowed us of course to spoof the referrer and -as a bonus- other neat things like bypass the XSS filter. Today I found …Read More »SOP bypass / UXSS – More Adventures in a Domainless World (IE)March 20, 2017VulnerabilitiesA few months ago we’ve been playing with domainless about:blank pages on Edge. Essentially, a powerful about:blank document was capable of accessing every domain without restrictions. It was recently patched as CVE-2017-0002 so it does not work anymore. The same thing happens with …Read More »Bypassing the patch to keep spoofing the Smartscreen/Malware warning (Edge)March 15, 2017VulnerabilitiesYesterday, Microsoft pushed a gigantic update where tons of security bugs were fortunately killed, including most ones from this website. Kudos, big kudos to the Edge developers and the ones in charge of its security. Please, convince the ones who want …Read More »The Attack of the Alerts and the Zombie Script (IE)February 20, 2017VulnerabilitiesIn our previous post we found a way to UXSS (bypass the SOP policy) using the htmlFile/ActiveXObject, however, I mentioned that there were other interesting things to do using that same object. Have you tried anything? If yes, congratulations. The …Read More »SOP bypass / UXSS htmlFile in IFrame (IE)February 6, 2017VulnerabilitiesToday we are going to explore a feature that has been present on Internet Explorer almost since its inception. A feature that allows web-developers to instantiate external objects, and because of that it was abused ad-nauseum by attackers. Do you …Read More »SOP bypass / UXSS – Adventures in a Domainless World (Edge)December 13, 2016VulnerabilitiesToday we are going to walk around a few design issues that, when used together, will end up in a full SOP bypass or Universal Cross Site Scripting (UXSS) on Microsoft Edge. If you are not a security researcher but you still …Read More »Spoofing the address bar and the SmartScreen/Malware Warning (Edge)December 7, 2016VulnerabilitiesUpdate: this bug was patched on 2017-03-14 but we found a bypass the same day. Here it is: Bypassing the patch to continue spoofing the address bar and the Malware Warning. Over the last few months, we’ve seen a proliferation of …Read More »Abusing of Protocols to Load Local Files, bypass the HTML5 Sandbox and Open Popups (Edge)November 25, 2016VulnerabilitiesOn October 25th, the fellows @MSEdgeDev twitted a link that called my attention because when I clicked on it (being on Chrome) the Windows Store App opened. It might not surprise you, but it surprised me! As far as I remembered, …Read More »Bypassing Mixed Content Warnings – Loading Insecure Content in Secure Pages (Edge/IE)November 15, 2016VulnerabilitiesThere are no doubts that the web is moving forward to HTTPS (secure) content. Most important names have today their certificates ready and their websites are in effect, secure. But have you ever wandered: secure to what extent? It’s clear …Read More »Detecting Local Files to Evade Analysts (IE)October 18, 2016VulnerabilitiesLast month we’ve been looking at how attackers were targeting unsavvy users by checking the associated mimeTypes to applications on the system. If the PC had analyst tools installed, something detected from withing the browser, then the malware refused to …Read More »On Patching Security BugsOctober 2, 2016ThoughtsHello fellow bug hunter! I want to share with you my thoughts on a slight change that the folks at Microsoft could embrace to make security better. This change, in my opinion, will make the security process more transparent for all, attracting bug …Read More »Workers SOP Bypass importScripts and baseHref (Edge/IE)September 27, 2016VulnerabilitiesAs we know, all browsers impose several restrictions when trying to access resources from different origins. Of course we can play music and render images coming from different domains but thanks to the Same Origin Policy, we will not be able to read …Read More »Detecting analysts before installing the malware (IE)September 19, 2016VulnerabilitiesWith the help of a beautiful piece of code, malware authors can detect installed applications straight from within the browser and serve the bad bits only to unsavvy users. In other words, attackers target regular users by detecting specific analysts applications (like Fiddler) and serving …Read More »Referer spoofing and defeating the XSS filter (Edge/IE)September 12, 2016VulnerabilitiesAccording to Wikipedia, “Referer spoofing is the sending of incorrect referer information in an HTTP request in order to prevent a website from obtaining accurate data on the identity of the web page previously visited by the user.” In other words, making …Read More »CSS History Leak or “I know where you’ve been” (Edge)September 5, 2016VulnerabilitiesHello fellow bug hunter! I’ve been thinking this morning on the classic trick originally discovered by Jeremiah Grossman back in 2006, where you could find out which sites were visited by the user. If you are not familiar with this beauty, I recommend you …Read More »Grabbing data from Inputs and Textareas (Edge/IE)August 28, 2016VulnerabilitiesBoth Microsoft Edge and Internet Explorer suffer from navigation problems, failing to keep up with the most updated history information. A framed navigation confuses these browsers and what seems to be a naive functionality problem ends up being a security bug: information disclosure across …Read More »CategoriesThoughtsVulnerabilitiesRecent PostsRevealing the content of the address bar (IE)SOP bypass / UXSS – Stealing Credentials Pretty Fast (Edge)SOP bypass / UXSS – Tweeting like Charles Darwin (Edge)SOP bypass courtesy of the reading mode (Edge)Detecting Installed Extensions (Edge)© Copyright 2022, All Rights Reserved