Analyzes the dangers of Cross-Site Scripting XSS vulnerabilities

Security experts, developers, and business practitioners all understand the dangers of high-risk vulnerabilities such as SQL injection. For example, xp_mongoshell, which needs to be injected into an application with the SQL injection vulnerability, can be used to demonstrate how attackers can use the SQL injection method, obtain command prompt from the host running Microsoft SQL Server. The impact of such examples is visible, and the harm of these vulnerabilities is also obvious.

Cross-site scripting (XSS) is much more troublesome, and it is difficult for security analysts to give visible examples to clearly illustrate the possible consequences of this vulnerability. Generally, security analysts inject JAVAScript code like alert (xss) to describe the dangers of XSS. This code can cause the application to display a pop-up window with the words "xss. From a technical point of view, this example does prove the existence of XSS vulnerabilities, but it does not actually reflect the dangers of XSS vulnerabilities. To find a tool or method that automatically provides an XSS example, I accessed BeEF. Its website claims that BeEF is a browser mining platform. It aims to provide a simple and integrated structure to demonstrate the dangers of browsers and XSS in real time. This module structure mainly uses the existing intelligence in BeEF to make module development a very simple process. Some basic functions include Keylogging and Clipboard Theft.

BeEF is a PHP-based network application that captures requests from user browsers with XSS application vulnerabilities. Run BeEF on your machine, and then use it to find the application that is affected by XSS, and request resources on your host (with BeEF) through XSS. Once the victim's browser requests BeEF resources, BeEF will issue a warning and allow you to inject JavaScript code and perform a JavaScript port scan (for example, the victim browser will initiate a scan: port Scanning and liquor scanning performed in an Intranet environment that attackers may access may be exploited by attackers. This Flash guide demonstrates BeEF well.

At the same time, a good friend of mine is also engaged in projects similar to BeEF. If he decides to publish an available version, I will release it here.

========================================================== =====

Link: http://www.oreillynet.com/onlamp/blog/2006/12/
Demonstrating_the_consequences.html

Author: Nitesh Dhanjani

Source: Technical