Exploiting XSS with BeEF
BeEF, the browser exploitation framework, is a tool that focuses on client-side attack vectors, specifically on attacking web browsers.
In this recipe, we will exploit an XSS vulnerability and use BeEF to take control of the client browser.
Getting ready
Before we start, we need to be sure that we have started the BeEF service and are capable of accessing http://127.0.0.1:3000/ui/panel
(with beef
/beef
as login credentials).
The default BeEF service in Kali Linux doesn't work so we cannot simply run
beef-xss
to get BeEF running, instead we need to run it from the directory in which it was installed, as shown here:cd /usr/share/beef-xss/ ./beef
Now, browse to
http://127.0.0.1:3000/ui/panel
and usebeef
as both the username and password. If that works, we are ready to continue.
How to do it...
BeEF needs the client browser to call the
hook.js
file, which is the one that hooks the browser to our BeEF server and we will use an application vulnerable to XSS to make the user...