Detect and correct XSS flaws with Beef


Most developers when showing them an XSS flaw with a JavaScript pop-up like "hack" or "hello" it does not impress them ... and they answer that JavaScript is secure, and that it runs sideways customer.
So as I don't have time to code with JavaScript to show you that the XSS flaw is dangerous, I will demonstrate it with the Beef tool, a Web 2.0 operating framework coded in PHP & JavaScript.

Beef is a powerful professional security tool, unlike other security tools, beef focuses on exploiting vulnerabilities on the browser (client) side to assess the security level of a target. Thanks to Beef, and its xss attack vector, it is possible to transform a victim into a zombie.

What can we do with beef?

  • Information retrieval
  • Theft of cookies (obviously)
  • Keylogger
  • List of sites / domains visited
  • Browser fingerprint (OS, plugins, etc.)
  • Webcam!

Architecture Beef

architecture_beefWhen a user runs BeEF, two components are opened: the user interface and the communication server (CRC). These two elements are the basic building blocks of Beef.

User interface
This is the interface for controlling the use of beef. From there, a user can see the victims who are online and offline, perform exploits against them, and see the results.

Communications Server
The Communication Server (CS) is the component that communicates via HTTP with infected browsers.


Beef is available on Linux with the Kali Linux distribution. If you have a Windows computer then I advise you before going further to install a Linux distribution (like kali Linux) on a virtual machine. Just download VMware and an image of Kali Linux. Beef is already pre-installed on it. here is how to install Kali Linux on a Windows machine with VMware.

However you can install beef on Windows, for that see:
To install it on another Linux or OSX distribution - see:

How to use Beef?

To start, launch the beef server in Backtrack. To do this, go to the menu:
Application -> backtrack-> Application -> Exploitation tools -> Social Engineering Tools -> Beef XSS Framwork-> Beef


The server will start in a few seconds then you will have a window with information on the links used for the web interface as well as the script that you must inject into vulnerable pages.


In the example above, you can see, there are multiple network interfaces. You can now access the administration interface (web interface) using these URLs.
In my case, the administration interface is: and the script to inject is:
After launching the administration page, you will have an authentication page. Log in to the Beef server using the default credentials (beef / beef).


Once connected, you will have a page divided into 4 parts:


  • Zombie part: this is where your connected victims are
  • Command part: in this part contains a number of commands that can be executed on the target with a colored indicator about their, relative safety. this is the most powerful part of Beef framework.
  • Result party: the results of the executed commands will be listed here.
  • Party description: here you will have the description of each order.

It now remains to inject the hook.js into a vulnerable forum or simply a web application that contains a XSS flaw.
However you can test beef locally using the beef demo page:


After the browser infection, you should see a target added to the left of the administration panel.
Finally, select this browser to display information on the target, so you can launch commands to have the last sites visited or to place a keylogger or to start the target's camera.

How to protect yourself?

  • Updating browsers and plugins is the first rule!
  • Install a firewall on your machine
  • Install Anti XSS on your browser such as "Noscript". It only allows the execution of JavaScript scripts on the trusted domains of your choice. It prevents the exploitation of XSS or CSRF vulnerabilities without loss of functionality.


Beef is an easy to use and very practical tool. Thanks to beef, advanced XSS attacks become easy to perform.
I hope I was able to convince you that the impact of an XSS vulnerability is terrible and that with a tool like beef, you can turn a simple XSS vulnerability into a very dangerous vulnerability.
And before I forget… Consider sharing this article by clicking on the social network buttons. It will give me great pleasure! 🙂