Saturday 23 December 2017

Samsung Internet Browser SOP Bypass/UXSS

There is a Same Origin Policy bypass / Universal Cross Site Scripting issue in Samsung Internet Browser (tested on the latest version, 6.2.01.12).

First of all, combining MHTML with XSLT results in a weird interaction. When you create an empty iframe via MHTML, give it a normal header, and combine the MHTML with XSLT, the browser renders them and confuses the origin, treating it as that of the pre-instantiated empty iframe.

For the PoC and details, please contact me via the following email address: proof131072@gmail.com.

Regards, James
