Chromium Edge EoP XSS to RCE

Hacking the new Edge Browser using a couple of XSS bugs.

Microsoft Edge - LFD and EoP

(CVE-2019-1356) Stealing local files and changing flags by chaining several bugs

Microsoft Edge uXSS

(CVE-2019-1030) Injecting Javascript into an unexpected context results in weird behavior leading to universal XSS.

Office 365 Outlook XSS

I revisit Outlook after 4 years and compare bugs found.

WebExtension Security (Part 2)

We delve a bit deeper into WebExtension security featuring 5 bugs

Edge RCE

(CVE-2018-8495) Chaining small bugs together to achieve RCE

Firefox uXSS & CSS XSS

CSS XSS came back for a bit which lead to an unusual uXSS

WebExtension Security (Part 1)

Quick intro to WebExtension security featuring four FireFox bugs.


I try to make a case for adding XFO to all responses.

Cross Browser LFD

The HTML5 filepicker was found to have 5 bugs across all three major browsers.

FireFox RCE

By chaining small bugs I was able to inject arbitrary privileged code. (SEC-MODERATE)

Chrome Address Bar Spoof

(CVE-2016-5218) A confused deputy problem leads to a full URL spoof temporarily (~20s)

FireFox LFD & SOP Bypass

Using the 'Save Page' functionality comes with security risks

FireFox uXSS & LFD

(CVE-2016-5265) Using the a .URL file (Internet Shortcut) we are able to bypass the same origin policy (SEC-MODERATE)

FireFox Local File Disclosure

Arbitrary local file disclosure in all FireFox browsers (NO-FIX)

FireFox Partial URL Spoof

(CVE-2015-7211) Partial URL spoofing using the data URI scheme (SEC-LOW)

FireFox Hide URL

(CVE-2016-1958) Show about:blank (placeholder "Search or enter address" in the URL bar) using javascript URI scheme (SEC-MODERATE)

FireFox Full URL spoof

While further testing the javascript URI scheme behavior on FF, I came across another bug which results in full address bar spoof (SEC-MODERATE)

FireFox JAR URI bug

local documents can use "jar:file:///" as an oracle to which other files exist (SEC-MODERATE)

FireFox SOP Bypass

Cross-Origin restriction bypass with fetch using 302 redirection (SEC-HIGH)

FireFox Worker SOP Bypass

SOP bypass using workers - Sensitive data retrieval (DUPE)

MS Outlook Office 365 bugs

Various valid bugs found in the emailing component of Office 365, Outlook. (VIDEOS)