Friday, April 17, 2015

The email that's watching you

Today's post contributed by Anthony Piron and Bart Leppens

Cross-site Scripting (XSS) is probably the most common security vulnerability in web applications. Nevertheless, the impact of XSS is still seriously underestimated by many people and even major companies. The CVE-scores given for Cross-Site Scripting issues are low on average. But an adversary doesn't care about scores if Cross-site Scripting vulnerabilities will make his dreams come true.

The impact of Cross-site Scripting in webmail applications does not differ from those in regular web applications. However, mail infrastructure is a top-notch target for a Cross-Site Scripting (XSS) attack.

We released a paper that explains why Cross-Site Scripting in webmail applications is a serious issue. The paper is called "The email that is watching you" (

For some of the attacks described in this paper we have created modules in BeEF. The following video demonstrates exploitation of IBM iNotes with BeEF using CVE-2014-0913 as described in our paper:

We hope that our paper and this video prove that Cross-Site Scripting is not merely an anecdotical thing, but a real-world attack vector with serious consequences.

Anthony Piron

Anthony has been an ICT professional for far too long: 15 years. He has worked non-exhaustively as a developer, dev ops, monitoring engineer, network specialist, project leader, and division manager. He has witnessed numerous foreseeable security fiascos. In his free time, he likes reading about and experimenting in the domains of computer science, hacking, security and mathematics.

Bart Leppens

Bart is an IT professional with over 10 years of experience with a strong focus on security. During his free time he spends a fair amount of time on (application) security. He likes contributing to the BeEF project and attending security conferences. Bart is not afraid of assembly code.

Monday, January 26, 2015

Hooked-Browser Meshed-Networks with WebRTC (Kiwicon 2014) - Part 2

In Part 1, we introduced you to BeEF's WebRTC extension as a solution for avoiding tracking of post-exploitation communication back to our BeEF server. In this post, we'll talk more about how this can be used during penetration testing. This will include further information about the extension and usage details for the console and RESTful API.

Tuesday, January 6, 2015

Hooked-Browser Meshed-Networks with WebRTC (Kiwicon 2014) - Part 1

Hi All, @xntrik here from sunny Australia. I hope you’ve all had a good New Year's and are ready to kick browser hacking into high gear for 2015. I had a thought that inspired me, and I wanted to share it here.

What if, to avoid tracking our post-exploitation communication back to our BeEF server, we were able to hook a bunch of browsers within an organisation, and make them talk to each other, instead of talking to our BeEF server? Perhaps we could keep one as the data channel (controlling peer)?

The answer is WebRTC. I recently had an amazing opportunity to present this at Kiwicon 2014, and I was keen to get the code into BeEF. This blog post provides a brief summary of WebRTC and how it works. Since there's quite a bit of ground to cover, this will be the first of a two part series.