safe, wow!) ! Reading JSON Array as VBScript on trap page created by attacker ! VBScript raises exception with error message including JSON content ! JavaScript can access to JSON content via error message
me and @masa141421356 ! May 2013: Fixed with MS13-‐‑‒037 only for IE6-‐‑‒8. IE9-‐‑‒10 was not. ! "Add X-‐‑‒C-‐‑‒T-‐‑‒O header for IE9-‐‑‒11 to prevent from this attack, this is BEHAVIOR BY DESIGIN" they said.
for binding text file into HTML as data table http://msdn.microsoft.com/en-‐us/library/ms531356.aspx ! Enabled by default on IE6-‐‑‒IE11, with older doc-‐‑‒mode <meta http-‐equiv="x-‐ua-‐compatible" content="IE=10"> ! Spotlighted by Cure53 X-‐‑‒Mas Challenge https://cure53.de/xmas2013/ https://cure53.de/xmas2013/writeup The winner is @kinugawamasato
by attacker into top of the content //target page included secret data on example.jp/target.txt Content-‐Type: application/octet-‐stream Content-‐Disposition: attachment; filename=bindata X-‐Content-‐Type-‐Options: nosniff @!allow_domains=attacker.utf-‐8.jp secret,data,is,here