Jeremiah Grossman sent me an interesting link yesterday to BindShell’s tool they released called BeEF. This is an interesting take on a problem I’ve had for ages - how do you test the effectiveness of exploits against multiple browsers? Typically I have to test all browsers against the cross-site scripting vectors one at a time. It’s tedious and error prone.
Writing a fuzzer has helped the process somewhat, but it’s still a very manual process, that I’ve been unable to escape from. Then you have browser revisions, plugins, and settings it’s nearly a runaway effect of testing that is difficult at best to get in front of (and I’m doing it alone). What BeEF offers is a framework for using multiple browsers at the same time. I am actually very cautious about running more than one browser at once, because it confuses the results, but this allows you to run multiple browsers on multiple machines at the same time all executing the same function.
Great idea, but there are a few major issues with it from my perspective. Things like HTTP injection are not covered in this, and sometimes the diagnostics are pretty in depth, and not something that you can just issue a blind command against. Many of the vectors require some sort of human interaction to fire (I don’t post these for the most part, because that’s not the point of the XSS Cheat Sheet, but I do test them thoroughly to make sure there isn’t any way to do automatic execution). Also, a number of the XSS vectors I have on the page really mess up the browser. They overwrite the page, they redirect the user away from the origin host into a sort of browser no-man’s land (I’m probably going to write something about this later, actually) or worse yet, they send the browser into an infinite loop.
So, you can probably see why I’ve opted towards a more manual approach given these limitations. BeEF, however, should not be discounted, as I think it does solve one issue rather well. For a known vector with known results, version control is a major pain. When the browsers uprev, not only do I need to install the new version but I need to test it against every single vector for regression purposes as well as to see if it has closed anything since the previous version. Given the fact that I generally wait for two or more of the browsers to uprev so I can do them all at once, I end up being pretty slow at this task (the number of browsers tested times the number of tests). BeEF does provide that framework to make that otherwise insanely monotonus task rather simple in comparison.
Update: Apparently this wasn’t ready for prime time, I was actually getting a sneak peek. My appologies entirely. If any of you reading this want me to look at something and don’t intend to publish it yet, please let me know so I don’t go blowing anything. Again, sorry!