MSIE BodyRefreshLoadsJPU:refresh is a new navigation method


Browser Ver


MS Internet Explorer: 6.0.2600.0000.xpclnt_qfe.021108-2107;

Encryption: 128-bit;

Patch: Q810847;


(So, it's far from fully patched. It also works after applying the patch for the method caching attack.)

OS Ver: "Windows XP Cn ver"





---> BodyRefreshLoadsJPU section

---> BodyRefreshLoadsJPU-MyPage file


[VictimWindow] is in another security zone, execute:


then [VictimWindow] will be navigated to a RES-protocol


Finally, press the "REFRESH" button:

"Refresh" tries to reload "javascript:[JpuScript]", and the script is executed.

Question: how to press the "REFRESH" button with JScript?

Answer in this attack:

SaveRef (or "object-caching attack") "document.body", 




special thanks to:

"Andreas Sandblad" for "Using the backbutton in IE is


(then I tried to search for other navigation methods)

"GreyMagic" for "GreyMagic Security Advisory GM#012-IE"

(it showed "[DocElement].document" is something interesting :-) )

and myself :-)

Read those documents, and look for buttons in MSIE.


the Pull, dror, guninski, sandblad, greymagic and

"Friedrich L.Bauer".

of course, mom and dad.

best wishes


from http://Umbrella.MX.TC on http://SafeCenter.NET
