Taking control of the user's browser with BeEF-XSS

An attack known as Man-in-the-Browser (MITB) uses JavaScript to hook the user's browser to a Command and Control (C2) server that uses a script to issue orders to the browser and gathers information from it. XSS can be used as the vehicle to make a user load such a script while accessing a vulnerable application. Among the actions that an attacker could perform are the following:

  • Reading keystrokes
  • Extracting passwords saved in the browsers
  • Reading cookies and HTML5 storage
  • Enabling microphone and webcam (may require user interaction)
  • Exploiting browser vulnerabilities
  • Using the browser as pivot to the internal network of an organization
  • Controlling the behavior of browser's tabs and windows ...

Get Web Penetration Testing with Kali Linux - Third Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.