BeEF
An XSS vulnerability is difficult to exploit successfully in most circumstances. When I'm talking about practical client-side attacks, I don't mean taking a screenshot of the alert(1)
popup window for the report!
During an engagement, the XSS vulnerability may be a viable way to attack users and gain a foothold on the network. Conducting XSS attacks can be difficult, as, in most cases, you only have one shot at it. We need to execute code and do everything we have to do before the user closes the browser session. Extracting the session token or other sensitive data is easy enough, but what if we want to take our attack to the next level? Ideally, we want to take full control of the browser and have it do our bidding, perhaps automating some more advanced attacks.
BeEF is a great tool that was created by Wade Alcorn to allow for the easy exploitation of XSS vulnerabilities.
BeEF has a server component that provides command and control. Clients, or zombies, are hooked using a JavaScript...