White Hat Institute

Using BeEF scripts for XSS attacks

You may also use BeEF’s hook script and inject it into a vulnerable site, so whenever somebody visits the website, it will become a zombie computer. To do so, run BeEF and copy the hook script, as shown in the screenshot.

Cross-Site Scripting

Paste the script in the vulnerable website, and change the IP address to the attacker’s IP.

Cross Site Scripting 25
Cross Site Scripting 25

Whenever any user visits this page, their device will be hooked in the BeEF framework and become a zombie computer.

Cross Site Scripting 26

As you can see in the screenshot, we have one zombie computer hooked to BeEF. With this technique, you can create a vast “botnet” (network with tons of zombie computers) and compromise more target devices.

Note: If you want to change the port number of the BeEF tool, you may do so by editing the “/etc/beef-xss/config.yaml” file.

Cross Site Scripting 27

Never put your confidence in user feedback. In other words, all user input should be sanitized at both the client and server levels using escaping, filtering, and validating to delete potentially harmful characters, text, or code (or make it harmless). For any site, there are libraries that can assist you with this.