Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Stored XSS using .xbl files- 571

Positive Technologies (PT) Swarm, posted 4 years ago
  • XBL (XML Binding Language), the format behind .xbl files, is an XML-based markup language for altering the behavior of XUL widgets. Some file types are rendered by the browser when served from the web page, while others are not.
  • When a client uses a denylist of file types (.js, .html, etc.), obscure file types such as .xbl are awesome for getting XSS. Interesting find that I will have to try out!
  • It should be noted that the Content-Type header makes a big difference in how items get rendered. So, trying this on Google Drive will likely not work. But, if only a denylist is used without setting this header properly, you may find XSS!
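As an added, defender-side example that is not from the PT Swarm post or from this page's author, here is the kind of extension denylist the note describes beside an allowlist, plus the response headers that stop an accepted upload from being rendered as active content; every list, name and MIME mapping is constructed for illustration.

```python
"""Constructed example: denylist vs allowlist upload filtering, and the headers
that matter when the file is served back."""

# Weak: blocks only the "obvious" active types, so .xbl, .xhtml, .svg slip through.
DENYLIST = {"js", "html", "htm", "php"}

# Stronger: accept only the types the application actually needs.
ALLOWLIST = {"png", "jpg", "jpeg", "gif", "pdf"}
ALLOWED_MIME = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
                "gif": "image/gif", "pdf": "application/pdf"}


def extension(filename: str) -> str:
    """Lower-cased text after the last dot, or '' if there is no dot."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def denylist_allows(filename: str) -> bool:
    """The weak check: anything not explicitly banned is accepted."""
    return extension(filename) not in DENYLIST


def allowlist_allows(filename: str) -> bool:
    """The stronger check: only known-safe extensions are accepted."""
    return extension(filename) in ALLOWLIST


def download_headers(filename: str) -> dict:
    """Headers for serving an accepted upload.  Content-Type comes from the
    allowlist (never from the client), sniffing is disabled, and the file is
    sent as an attachment so the browser does not render it inline."""
    ext = extension(filename)
    if ext not in ALLOWED_MIME:
        raise ValueError(f"refusing to serve non-allowlisted file: {filename}")
    safe_name = filename.replace('"', "")  # keep the header value well-formed
    return {
        "Content-Type": ALLOWED_MIME[ext],
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


if __name__ == "__main__":
    for name in ("avatar.png", "note.html", "widget.xbl"):
        print(f"{name:12} denylist={denylist_allows(name)!s:5} "
              f"allowlist={allowlist_allows(name)}")
```

Running the block shows `widget.xbl` passing the denylist and failing the allowlist, which is exactly the gap the note describes.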