IE 10 11 UXSS XFO demo from IE 11 internet options
Description: Contrary to popular belief, X-Frame-Options is not a proper solution to mitigate CVE-2015-0072 (Internet Explorer Universal Cross-Site Scripting vulnerability). In this short video we demonstrate how this issue can be abused to attack a website that has set the X-Frame-Options header to DENY. As can be seen in the video, the payload can still be injected into the target site even though the site is not rendered in an iframe.