The answer to this funny question is simple – you can get pwned. And when I say “pwned”, I mean it.
Gone are the days when you had a tough time explaining what exactly an XSS vulnerability can do to an application. Now, with the inception of this powerful tool called BeEF (Browser Exploitation Framework), it has become a lot easier to demonstrate the attack and thus convey to the customer the criticality of an XSS vulnerability and the damage it can do.
BeEF is essentially a powerful framework originally developed by Wade Alcorn, integrated with a wide range of client-side attack vectors and payloads targeting inherent browser vulnerabilities. It is an open-source project which has been gaining a lot of popularity since its release and finds its place in any pen-tester's toolkit. Development has been steady, and new modules are being added to the framework by independent programmers, which makes BeEF really spicy. The current modules include the first public inter-protocol exploit, a keystroke logger, clipboard theft, browser proxying, man-in-the-browser and many more.
Now we know how bad those little boxes can be!
To read further on this, please check out the following references:
• 2011: Ground BeEF: Cutting, devouring and digesting the legs off a browser, Michele "antisnatchor" Orru (Slides)
• 2012: I'm the butcher, do you want some BeEF, Michele "antisnatchor" Orru (Slides)
• 2012: Shake Hooves With BeEF, Christian "xntrik" Frichot (Slides)
• 2012: Hookin' Ain't Easy, BeEF Injection with MITM, Ryan Linn & Steve Ocepek (Slides)
• 2012: Advances in BeEF, Michele "antisnatchor" Orru (Slides)
• 2012: Exploiting internal network vulns via the browser using BeEF Bind, Michele "antisnatchor" Orru & Ty Miller (Slides)
• 2012: All you ever wanted to know about BeEF, Michele "antisnatchor" Orru (Slides)