The answer to this funny question is simple – you can get pwned. And when I say “pwned”, I mean it.
Gone are those days when you had a tough time explaining what exactly a XSS vulnerability can do to an application. Now with the inception of this powerful tool called BeEF(Browser Exploitation Framework), it has become a lot easier to demonstrate the attack and thus convey to the customer the criticality of a XSS vulnerability and the damage it can do.
BeEF is essentially a powerful framework developed originally by Wade Alcorn and is integrated with wide range of client-side attack vectors and payloads targeting the inherent browser vulnerabilities. It is an open-source project which has been gaining a lot of popularity since its release and finds its place in any pen-testers’ toolkit. The development process has been steady and there are new modules being added to the framework by independent programmers which make BeEF real spicy. The current modules include the first public inter-protocol exploit, keystroke logger, clipboard theft, browser proxying, man-in-the-browser and many more.
BeEF basically follows client-server architecture. The browser gets hooked to the BeEF control server running on the attacker’s machine with the execution of the hook JavaScript in the affected application. The control server then communicates with the hooked browser (or zombies) remotely and tunnels the payloads using the HTTP protocol while the victim is unaware of the whole process happening in the background. The potential impact is only limited by the creativity of the attacker.
To keep it simple, BeEF hooks the end-user browser leveraging from a simple XSS vulnerability. This can also happen if the attacker has embedded the hook JavaScript within his malicious page and tricks the user into visiting it. Once the browser gets hooked, an attacker could choose the right attack vector from his fully loaded BeEF arsenal to further hack his way in. I’m not joking when I say that one could penetrate into internal network through a web browser. Yes, BeEF has ping sweep/port scanner modules to fingerprint the network and also a BIND shellcode to exploit internal network vulnerabilities through the web browser again. The beauty of BeEF is that it stretches itself beyond the network level security controls and totally relies on browsers as an entry point.
Now we know how bad those little boxes can be!
To read further on this, please check out the following references:
• 2011 : Ground BeEF: Cutting, devouring and digesting the legs off a browser, Michele “antisnatchor” Orru( Slides )
• 2012 : I’m the butcher do you want some BeEF, Michele “antisnatchor” Orru ( Slides )
• 2012 : Shake Hooves With BeEF, Christian “xntrik” Frichot ( Slides )
• 2012 : Hookin’ Ain’t Easy, BeEF Injection with MITM, Ryan Linn & Steve Ocepek ( Slides )
• 2012 : Advances in BeEF, Michele “antisnatchor” Orru ( Slides )
• 2012 : Exploiting internal network vulns via the browser using BeEF Bind, Michele “antisnatchor” Orru & Ty Miller ( Slides )
• 2012 : All you ever wanted to know about BeEF, Michele “antisnatchor” Orru ( Slides )