Mario Heiderich, a good friend of mine, spotted a cool issue with the BeEF keylogger. He went “Armin Meiwes” on our favourite open source bovine. He found XSS in BeEF using <svg/onload=blah>. Well-done!
The BeEF team encourages security researchers to help out wherever possible. As such, we are announcing a BeEF bug bounty program. Each bug will receive a kilogram of Minotaur rump (depending upon supply ;-). Contact us if you would like to help out. We want to hear from you!
We're publishing the writeup about the bug Mario found and we're addressing how we fixed it in today's blog post.
To demonstrate, enter the data into the demo hook demo page:
Have a look at the patch (lines 57 to 59):
|XSS Patch source|
- An attacker prepares a website vulnerable to XSS, ready to be exploited with the BeEF hook.
- When the BeEF variable is found, it's sufficient to use the functionality available in our logger.js (/beef/core/main/client/logger.js) to issue an XHR back to the /event handler, with properly formatted data including the XSS vector.
This bug was fixed within 3 hours of notification. Update and cover your BeEF!