Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Microsoft Edge RCE: Poor Input Validation in URI schemes

leucosite, posted 6 years ago
  • Browsers can use custom URI schemes to hand off to other apps. A good example is the common mailto:, which opens a mail client.
  • The URI scheme that launches WScript.exe passes along user-tainted input that is not properly escaped.
  • Combined with a directory traversal, this makes it possible to invoke any file on the OS :)
  • One thing that is really awesome is that the author explains, and links to, the other articles that helped them along the way. The research was looking for a WSH injection into a VBS script, and eventually a single script turned out to be vulnerable to it!
  • The vuln itself needed nothing more than a simple page loaded within Microsoft Edge. From there, a custom URI allowed for RCE!
  • From a defensive standpoint: input validation kills off attack vectors. Edge did not sanitize single quotes, which is what made this attack possible. Restricting the input to only the characters the handler actually needs would have made this attack fail early in the process.
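As an added illustration of that last point (my own example, not code from the article or from Edge), here is what "as tight to the needed characters as possible" looks like for a URI-scheme handler. The scheme name `myapp:` and the argument format are constructed; the idea is to percent-decode once, refuse double-encoded or traversal-shaped input, and then accept only an allow-list of characters before anything reaches the OS.

```python
"""Allow-list validation for the argument of a custom URI scheme.

Added example, not code from the original article. The `myapp:` scheme
and all sample URIs below are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Only the characters the handler actually needs: letters, digits, '_', '.', '-'.
# Quotes, spaces, slashes, ampersands etc. are simply not on the list.
ALLOWED = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def validate_scheme_argument(uri: str, scheme: str = "myapp") -> tuple[bool, str]:
    """Return (ok, reason) for a URI of the form '<scheme>:<argument>'.

    Every check runs on the *decoded* argument, because a browser or shell
    may decode '%27' back into a single quote before the handler sees it.
    """
    got_scheme, sep, raw_arg = uri.partition(":")
    if not sep or got_scheme.lower() != scheme:
        return False, "unexpected scheme"

    if raw_arg == "":
        return False, "empty argument"

    arg = unquote(raw_arg)
    # If decoding a second time still changes the value, the input was
    # double-encoded; reject rather than guess how many layers a consumer strips.
    if unquote(arg) != arg:
        return False, "double-encoded input"

    # Explicit traversal check first so the reason is specific, even though the
    # allow-list below would reject these characters anyway.
    if ".." in arg or "/" in arg or "\\" in arg:
        return False, "path traversal characters"

    if not ALLOWED.fullmatch(arg):
        return False, "character outside allow-list"

    return True, "ok"


def handler_argv(uri: str) -> list[str]:
    """Build the argv the handler would exec (constructed 'handler.exe').

    Passing a list instead of interpolating into a command string means there
    is no quoting step for a stray quote to break out of; validation still
    happens first so the argument is never attacker-shaped.
    """
    ok, reason = validate_scheme_argument(uri)
    if not ok:
        raise ValueError(f"rejected URI argument: {reason}")
    return ["handler.exe", "--open", unquote(uri.partition(":")[2])]


if __name__ == "__main__":
    # Constructed sample inputs: one benign, the rest shaped like the
    # classes of input the validation is meant to stop.
    for sample in (
        "myapp:report-2024",
        "myapp:report'x",
        "myapp:..%2F..%2Fnotes",
        "myapp:%2527",
        "http:report",
        "myapp:",
    ):
        print(f"{sample!r:28} -> {validate_scheme_argument(sample)}")
```

The behaviour worth noticing is that the single quote the article identifies as the missing sanitization never needs special handling here: it is rejected because it is not on the list, not because someone remembered to escape it. That is the difference between a denylist that must anticipate every dangerous character and an allow-list that only has to name the harmless ones.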