sla.ckers.org web application security lab forums
Q and A for any cross site scripting information. Feel free to ask away. 
-moz-binding in Firefox 3
Posted by: Martin (IP Logged)
Date: February 29, 2008 02:44AM

Hey all,

Don't know if anyone has already looked at this (I found a passing reference by Giorgio at [hackademix.net] ), and apologies if they have and I'm duplicating it, but FF3 disallows cross-site XBL requests, so no more off-site -moz-binding commands.

However, in their infinite wisdom, the moz devs have decided that allowing inline XBL is ok. Go figure.

So you can now use style="-moz-binding:url(data:text/xml;charset=utf-8,XBL_HERE)"

I blogged a full example at [the-mice.co.uk]

While this method requires a substantially larger payload space they have closed one security hole and opened a can of worms!

[www.the-mice.co.uk] Switch/Twitch
[code.google.com] .NETIDS
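
The point of the post above, seen from the filtering side: a style check that only rejects network-loaded bindings still lets the data: form through. This is an added example, not code from the thread or from any project named in it; the function names, the "weak" policy and the sample inputs are constructed for illustration.

```javascript
// Added example, not code from the thread; names and inputs are constructed.

// Decode CSS escapes (\69, \000069 plus one optional whitespace, \-) so an
// escaped property name is compared in its canonical form.
function decodeCssEscapes(css) {
  return css.replace(/\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f])/g,
    (match, hex, literal) => {
      if (hex === undefined) return literal;
      const cp = parseInt(hex, 16);
      return cp === 0 || cp > 0x10ffff ? "\ufffd" : String.fromCodePoint(cp);
    });
}

// Return the URL scheme of every -moz-binding url() in a style value.
// Comments are removed before matching, which errs toward rejecting.
function bindingSchemes(styleValue) {
  const css = decodeCssEscapes(styleValue.replace(/\/\*[\s\S]*?\*\//g, ""));
  const re = /-moz-binding\s*:\s*url\(\s*["']?\s*([^)"']*)/gi;
  const schemes = [];
  let m;
  while ((m = re.exec(css)) !== null) {
    const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(m[1]);
    schemes.push(scheme ? scheme[1].toLowerCase() : "(relative)");
  }
  return schemes;
}

// Weak policy (assumed): only network-loaded bindings count as dangerous.
function weakPolicyAllows(styleValue) {
  return !bindingSchemes(styleValue).some(s => s === "http" || s === "https");
}

// Strict policy: user-supplied style must not carry any binding at all.
function strictPolicyAllows(styleValue) {
  return bindingSchemes(styleValue).length === 0;
}

const samples = [ // constructed inputs
  "color: red; margin: 0",
  "-moz-binding:url(http://other.example/x.xml#loader)",
  "-moz-binding:url(data:text/xml;charset=utf-8,XBL_HERE)",
  "-moz-b\\69nding : url( 'DATA:text/xml,XBL_HERE' )",
];
for (const s of samples) {
  console.log(weakPolicyAllows(s), strictPolicyAllows(s), JSON.stringify(s));
}
```

Each line printed shows the weak verdict, the strict verdict and the input; the two policies disagree only on the data: samples.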

Re: -moz-binding in Firefox 3
Posted by: Gareth Heyes (IP Logged)
Date: February 29, 2008 03:16AM

@martin

Great find!

lol I hope they decide to fix it, it must be a mistake as I can't see why you'd have it inline. Keep up the good blogging!

------------------------------------------------------------------------------------------------------------

"-/style=-=expression&#40/*WAFs..Evasion..Filters'/-/*',/**/alert(/People who say it cannot be done should not interrupt those who are doing it./)//);"

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

Re: -moz-binding in Firefox 3
Posted by: ma1 (IP Logged)
Date: February 29, 2008 06:09AM

It's intentional and documented, even though I tend to agree that fixing offsite but introducing this "feature" doesn't sound exactly cool, if the aim of the former was mitigating XSS.

Anyway this has been largely anticipated by NoScript XBL protection: as you can see, the default has been forbidding data: bindings for a long time.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript



Edited 2 time(s). Last edit at 02/29/2008 06:13AM by ma1.

Re: -moz-binding in Firefox 3
Posted by: Gareth Heyes (IP Logged)
Date: February 29, 2008 06:18AM

@ma1

Yeah great feature in noscript!

However could us hackers have an option to turn it off :) It would be really handy instead of disabling noscript and then forgetting you've disabled it :)


Re: -moz-binding in Firefox 3
Posted by: ma1 (IP Logged)
Date: February 29, 2008 07:12AM

@Gareth
Using "Allow Scripts Globally" disables most protection features, with the notable exception of cross-site URL injection checks.
You can make this command last until the end of the current session only by switching noscript.tempGlobal to true in about:config.


Re: -moz-binding in Firefox 3
Posted by: Martin (IP Logged)
Date: February 29, 2008 08:56AM

I agree that NoScript's protection against XBL binding is ace and I in no way meant to detract from this; took me ages to work out why a binding wasn't working and it was good old NoScript doing its job!

On the other hand, while the in-line feature is documented, the blocking of cross-domain XBL loading is not so easy to find out about. As I pointed out, one obliterates the security impact of the other.


Re: -moz-binding in Firefox 3
Posted by: Gareth Heyes (IP Logged)
Date: February 29, 2008 08:58AM

@ma1

Great tip thanks!


Re: -moz-binding in Firefox 3
Posted by: yawnmoth (IP Logged)
Date: August 24, 2008 12:26PM

I'm trying to get this working, myself, and am having some difficulty:

[www.frostjedi.com]

Here's the source code to that file:

<div style="-moz-binding: url(data:text/xml;charset=utf-8,<?php

echo urlencode(utf8_encode('<?xml version="1.0"?>
<bindings xmlns="http://www.mozilla.org/xbl">
<binding id="loader">
<implementation>
<constructor>alert("xss");</constructor>
</implementation>
</binding>
</bindings>'));

?>)"></div>

Why doesn't that work?

(I've posted about this elsewhere on sla.ckers.org, but figure that there may exist people who check this thread and who haven't seen mine - I, for instance, don't check every single thread).

Re: -moz-binding in Firefox 3
Posted by: ma1 (IP Logged)
Date: August 24, 2008 01:54PM

@yawnmoth:
[hackademix.net]
