Write-up to the Beef Challenge
XSS and Beef are to be tested.
- Code can be injected in the rating text field. We inject the beef hook.js, which is executed by the victim when surfing the website.
- Subsequently, commands can be issued in the Beef Console, which the victim then executes.
- A CSP can help so that the victim does not connect to the hook.js file at all. This does not remove the vulnerability.
- A WAF can help to detect such attempts (but does not remove the vulnerability).
- User input must always be escaped / sanitized (Html entities) so that it is not executed.