Friday, July 5, 2013

A funny issue on BeEF keylogger spotted by Mario

Mario Heiderich, a good friend of mine, spotted a cool issue with the BeEF keylogger. He went “Armin Meiwes” on our favourite open source bovine. He found XSS in BeEF using <svg/onload=blah>. Well-done!

The BeEF team encourages security researchers to help out wherever possible. As such, we are announcing a BeEF bug bounty program. Each bug will receive a kilogram of Minotaur rump (depending upon supply ;-). Contact us if you would like to help out. We want to hear from you!

We're publishing the writeup about the bug Mario found and we're addressing how we fixed it in today's blog post.

To demonstrate, enter the data into the demo hook demo page:
XSS Screenshot
And the final result was:

Returned data
I've added the ability to do context-aware output escaping of data coming from the hooked browser to the BeEF web admin UI jQuery-encoder. It's an awesome and very easy-to-use JavaScript library.

If you search in the BeEF JavaScript code, you can spot multiple instances of $jEncoder.encoder.encodeForHTML(your_untrusted_output). In this case, the issue is that the data coming from the BeEF keylogger was first mangled by this.formatTitle, and then the output was escaped.

Have a look at the patch (lines 57 to 59):

XSS Patch source
Regarding exploitability, I would imagine the following attack:
  • An attacker prepares a website vulnerable to XSS, ready to be exploited with the BeEF hook.
  • The website also includes a piece of JavaScript that monitors the window object for a new global variable called BeEF.
  • When the BeEF variable is found, it's sufficient to use the functionality available in our logger.js (/beef/core/main/client/logger.js) to issue an XHR back to the /event handler, with properly formatted data including the XSS vector. 
This bug was fixed within 3 hours of notification. Update and cover your BeEF!



  1. I like your post about "A funny issue on BeEF keylogger spotted by Mario" very nice post. It is very help full.I do appreciate about this post & this blog ... :)
    vulnerability assessment
    penetration testing

  2. funny indeed, thanks for this post, but i usually use this keylogger.

  3. Keylogger
    The best keylogger for Windows 10 (32bit and 64bit)

  4. Thank you for this interesting post! I want to tell you about this spy app for android I didn't expect it is something unusual. But when I downloaded it, I saw it has so many interesting functions. I haven't seen keylogger better than this one.