A friend of mine, Louis @snyff Nyffenegger, recently found an XSS in Rack's default 404 page. By default, Rack reflects the requested (not found) URI in that page without applying proper output escaping, which results in a reflected XSS.
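To make the bug class concrete, here is an added illustration (not Rack's own code, and not the patch from the post): a minimal Rack-style 404 handler that interpolates the path unescaped, the same handler with HTML escaping (using the stdlib `CGI.escapeHTML` as a stand-in for Rack's own escaping helper), and a small check a defender can run against any 404 response to see whether a probe path comes back as raw markup. The probe path is a constructed sample value.

```ruby
require "cgi"

# Constructed sample request path carrying markup (hypothetical value).
PROBE_PATH = "/demos/<b>probe</b>"

# Vulnerable pattern: the not-found path is dropped straight into the HTML body.
# A browser rendering this body would interpret markup from the URI.
def unsafe_not_found(path)
  body = "<html><body>File not found: #{path}</body></html>\n"
  [404,
   { "Content-Type" => "text/html", "Content-Length" => body.bytesize.to_s },
   [body]]
end

# Hardened pattern: the path is HTML-escaped before interpolation, and
# X-Content-Type-Options: nosniff stops browsers from re-guessing the type.
def safe_not_found(path)
  body = "<html><body>File not found: #{CGI.escapeHTML(path)}</body></html>\n"
  [404,
   { "Content-Type" => "text/html",
     "Content-Length" => body.bytesize.to_s,
     "X-Content-Type-Options" => "nosniff" },
   [body]]
end

# Defender-side check: does a Rack response ([status, headers, body]) echo the
# probe path back verbatim? Raw reflection of "<" or ">" means no escaping.
def reflects_raw_markup?(response, probe = PROBE_PATH)
  _status, _headers, body = response
  body.join.include?(probe)
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe handler reflects markup: #{reflects_raw_markup?(unsafe_not_found(PROBE_PATH))}"
  puts "safe handler reflects markup:   #{reflects_raw_markup?(safe_not_found(PROBE_PATH))}"
end
```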
A simple patch suggested by him is the following:
So how does this affect BeEF?
The bug is present when Rack::File or a similar directive is used to mount content in the Thin web server. We use that directive to mount the static content served under the /demos URI.
The affected code in Rack's file.rb is: