Internet Explorer & "Spartan"/"Edge" Cross Site Scripting Filter Bypass Proof-of-Concepts
All of the following Proof-of-Concepts are potentially vulnerable to Cross Site Scripting injection via the "xss" parameter in the URL when viewed in the Internet Explorer (and "Spartan"/"Edge") browser, except for the "Exact Reflection" example.
Demos that only work pre-MS15-065 are marked as such.
Demos that only work pre-MS14-080 are marked as such.
An alert() box is included for each demo.
Double URL Decode
Go to the Double URL Decode demo
NOTE: This does not work in Internet Explorer 8, however it does work in Internet Explorer 9, 10, and 11.
Fixed by MS15-065
Vulnerable IFrame — pre-MS15-065-only
Go to the Iframe demo
Vulnerable Form — pre-MS15-065-only
Go to the Form demo
Formaction — pre-MS15-065-only — Credit: @garethheyes from this blog post
The injection lands inside a vulnerable form. The injection should execute when the injected <button> with a formaction="vulnerable page" attribute is clicked.
Go to the Formaction demo
Fixed by MS14-080
These should still work on Internet Explorer 8 on Windows XP and on Internet Explorer 9/10/11 browsers that have not been updated with MS14-080.
Vulnerable Page — pre-MS14-080-only
Go to the Page demo
Exact Reflection — pre-MS14-080-only
Go to the Exact Reflection demo
Fixed by MS15-XXX
It might be MS15-022, or maybe MS15-026, or maybe MS15-033, or maybe MS15-036.
UTF-7 Charset Definition — Credit: @garethheyes from this blog post
The injection lands on a vulnerable page before the HTML 5 <meta charset="something"> or HTML 4.01 <meta http-equiv="content-type" content="text/html; charset=something"> definition, or on a page without one. The injection should execute automatically.
Go to the Charset Definition demo