The document provides a tutorial on using the Browser Exploitation Framework (BeEF), an open-source pentesting tool that allows assessing client-side attacks by exploiting browser vulnerabilities to execute JavaScript code on the target system. It discusses how to install, configure, and use BeEF to hook browsers, run commands, interface with Metasploit, and find cross-site scripting vulnerabilities. Resources for additional exploitation techniques and modules are also referenced.
A Hacker's perspective on AEM applications securityMikhail Egorov
Adobe Experience Manager (AEM), is a comprehensive content management solution for building websites, managing marketing content and assets. I started to look into AEM security back in 2015. Since then I discovered and reported several server-side vulnerabilities and developed toolset for AEM hacking to automate security testing of AEM web-applications.
In 2019 I reported one code injection and three XML external entity (XXE) vulnerabilities to Adobe PSIRT. They are known as CVE-2019-8086, CVE-2019-8087, CVE-2019-8088. These vulnerabilities allow anonymous attackers to compromise AEM web-application.
In the talk, I will disclose details of discovered vulnerabilities and exploitation techniques.
Modul One Day Workshop Proxmox Automation With AnsibleI Putu Hariyadi
Modul One Day Workshop "Proxmox Automation With Ansible" yang diselenggarakan oleh Network Community (NETCOM) Universitas Bumigora pada hari sabtu dan minggu, 2-3 Nopember 2019.
A Hacker's perspective on AEM applications securityMikhail Egorov
Adobe Experience Manager (AEM), is a comprehensive content management solution for building websites, managing marketing content and assets. I started to look into AEM security back in 2015. Since then I discovered and reported several server-side vulnerabilities and developed toolset for AEM hacking to automate security testing of AEM web-applications.
In 2019 I reported one code injection and three XML external entity (XXE) vulnerabilities to Adobe PSIRT. They are known as CVE-2019-8086, CVE-2019-8087, CVE-2019-8088. These vulnerabilities allow anonymous attackers to compromise AEM web-application.
In the talk, I will disclose details of discovered vulnerabilities and exploitation techniques.
Modul One Day Workshop Proxmox Automation With AnsibleI Putu Hariyadi
Modul One Day Workshop "Proxmox Automation With Ansible" yang diselenggarakan oleh Network Community (NETCOM) Universitas Bumigora pada hari sabtu dan minggu, 2-3 Nopember 2019.
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsAugust Detlefsen
This lecture gives pentesters and security tool developers an overview of the APIs available to extend the Burp Suite intercepting proxy. Using open-source examples developed by the author I illustrate a number of key areas for anyone wishing to create extensions for Burp Suite:
- Passive scanning
- Active scanning
- Identifying insertion points
- Request modification
The presentation includes code samples and links to actual open source Burp Suite plugins developed by the author.
A story of the passive aggressive sysadmin of AEMFrans Rosén
# By Frans Rosén
Adobe Experience Manager is an enterprise CMS with a troubled history. It was created with the angle of high customization factor, enabling consulting firms to deploy it all over the world for huge customers.
Then came security.
Frans will go through some terrible default configuration mistakes, Adobe’s love for bad Flash and how a sysadmin accidentialy exposed an international multi billion dollar company using only sad thoughts.
# About speaker
Frans Rosén is a tech entrepreneur, bug bounty hunter and a Security Advisor at Detectify, a security service for developers. He’s a frequent blogger at Detectify Labs and a top ranked participant of bug bounty programs, receiving some of the highest bounty payouts ever on HackerOne.
Frans was recently featured as #2 on Hackread’s list of 10 Famous Bug Bounty Hunters of All Time and the results of his security research has been covered in numerous international publications such as Observer, BBC, Ars Technica, Wired and Mashable.
Learning log4j for Java beginners with a sample set of projects using log4j 1.2.
This was done for Level 2 computer engineering students at University of Moratuwa 2015.
I have hosted the samples in github (https://github.com/lkamal/log4j-workshop
), so that you will be able to download and try yourself.
Pentesting RESTful webservices talks about problems penetration testers face while testing RESTful Webservices and REST based web applications. The presentation also talks about tools and techniques to do pentesting of RESTful webservices.
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
During the session we will go through different methods of exploiting file upload pages in order to trigger Remote Code Execution, SQL Injection, Directory Traversal, DOS, Cross Site Scripting and else of web application vulnerabilities with demo codes. Also, we will see things from both Developers and Attackers side. What are the protections done by Developers to mitigate file upload issues by validating File Name, File Content-Type, actual File Content and how to bypass it All using 15 Technique!
https://2018.zeronights.ru/en/reports/reverse-proxies-inconsistency/
Modern websites are growing more complex with different reverse proxies and balancers covering them. They are used for various purposes: request routing, caching, putting additional headers, restricting access. In other words, reverse proxies must both parse incoming requests and modify them in a particular way. However, path parsing may turn out to be quite a challenge due to mismatches in the parsing of different web servers. Moreover, request converting may imply a wide range of different consequences from a cybersecurity point of view. I have analyzed different reverse proxies with different configurations, the ways they parse requests, apply rules, and perform caching. In this talk, I will both speak about general processes and the intricacies of proxy operation and demonstrate the examples of bypassing restrictions, expanding access to a web application, and new attacks through the web cache deception and cache poisoning.
Spring integration을 통해_살펴본_메시징_세계Wangeun Lee
[스프링캠프 2015] Spring Integration을 통해 살펴본 메시징 세계 발표자료 입니다.
예제 소스 저장소는 프리젠테이션 안에 링크 걸어놨습니다.
감사합니다.
-------------------------------------------------------------------
우리는 늘 누군가와 소통(Communication)을 합니다. 소통을 통하여 누군가에게 일을 시키기도 하고 내가 일을 받기도 합니다. 애플리케이션도 마찬가지로 이기종간의 애플리케이션끼리 데이터로 소통을 하며 할 일을 서로 분산 처리할 상황이 발생하기도 합니다.
이런 분산 처리 이전에는 소통이 전제되어야 합니다. 애플리케이션 간 소통에 대한 고민은 선구자들에 의해 Enterprise Integration Patterns로 탄생되었으며 Spring에서도 그 패턴화의 추상화 일원으로 Spring Integration을 탄생시켰습니다.
이 강연에서는 Spring Integration을 통해 애플리케이션 간에 어떻게 쉽고 편하게(?) 소통을 할 수 있게 되었는지 살펴보며 예제와 사례를 통해 Spring Integration 입문에 도움을 주고자 합니다.
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsAugust Detlefsen
This lecture gives pentesters and security tool developers an overview of the APIs available to extend the Burp Suite intercepting proxy. Using open-source examples developed by the author I illustrate a number of key areas for anyone wishing to create extensions for Burp Suite:
- Passive scanning
- Active scanning
- Identifying insertion points
- Request modification
The presentation includes code samples and links to actual open source Burp Suite plugins developed by the author.
A story of the passive aggressive sysadmin of AEMFrans Rosén
# By Frans Rosén
Adobe Experience Manager is an enterprise CMS with a troubled history. It was created with the angle of high customization factor, enabling consulting firms to deploy it all over the world for huge customers.
Then came security.
Frans will go through some terrible default configuration mistakes, Adobe’s love for bad Flash and how a sysadmin accidentialy exposed an international multi billion dollar company using only sad thoughts.
# About speaker
Frans Rosén is a tech entrepreneur, bug bounty hunter and a Security Advisor at Detectify, a security service for developers. He’s a frequent blogger at Detectify Labs and a top ranked participant of bug bounty programs, receiving some of the highest bounty payouts ever on HackerOne.
Frans was recently featured as #2 on Hackread’s list of 10 Famous Bug Bounty Hunters of All Time and the results of his security research has been covered in numerous international publications such as Observer, BBC, Ars Technica, Wired and Mashable.
Learning log4j for Java beginners with a sample set of projects using log4j 1.2.
This was done for Level 2 computer engineering students at University of Moratuwa 2015.
I have hosted the samples in github (https://github.com/lkamal/log4j-workshop
), so that you will be able to download and try yourself.
Pentesting RESTful webservices talks about problems penetration testers face while testing RESTful Webservices and REST based web applications. The presentation also talks about tools and techniques to do pentesting of RESTful webservices.
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
During the session we will go through different methods of exploiting file upload pages in order to trigger Remote Code Execution, SQL Injection, Directory Traversal, DOS, Cross Site Scripting and else of web application vulnerabilities with demo codes. Also, we will see things from both Developers and Attackers side. What are the protections done by Developers to mitigate file upload issues by validating File Name, File Content-Type, actual File Content and how to bypass it All using 15 Technique!
https://2018.zeronights.ru/en/reports/reverse-proxies-inconsistency/
Modern websites are growing more complex with different reverse proxies and balancers covering them. They are used for various purposes: request routing, caching, putting additional headers, restricting access. In other words, reverse proxies must both parse incoming requests and modify them in a particular way. However, path parsing may turn out to be quite a challenge due to mismatches in the parsing of different web servers. Moreover, request converting may imply a wide range of different consequences from a cybersecurity point of view. I have analyzed different reverse proxies with different configurations, the ways they parse requests, apply rules, and perform caching. In this talk, I will both speak about general processes and the intricacies of proxy operation and demonstrate the examples of bypassing restrictions, expanding access to a web application, and new attacks through the web cache deception and cache poisoning.
Spring integration을 통해_살펴본_메시징_세계Wangeun Lee
[스프링캠프 2015] Spring Integration을 통해 살펴본 메시징 세계 발표자료 입니다.
예제 소스 저장소는 프리젠테이션 안에 링크 걸어놨습니다.
감사합니다.
-------------------------------------------------------------------
우리는 늘 누군가와 소통(Communication)을 합니다. 소통을 통하여 누군가에게 일을 시키기도 하고 내가 일을 받기도 합니다. 애플리케이션도 마찬가지로 이기종간의 애플리케이션끼리 데이터로 소통을 하며 할 일을 서로 분산 처리할 상황이 발생하기도 합니다.
이런 분산 처리 이전에는 소통이 전제되어야 합니다. 애플리케이션 간 소통에 대한 고민은 선구자들에 의해 Enterprise Integration Patterns로 탄생되었으며 Spring에서도 그 패턴화의 추상화 일원으로 Spring Integration을 탄생시켰습니다.
이 강연에서는 Spring Integration을 통해 애플리케이션 간에 어떻게 쉽고 편하게(?) 소통을 할 수 있게 되었는지 살펴보며 예제와 사례를 통해 Spring Integration 입문에 도움을 주고자 합니다.
Why it's dangerous to turn off automatic updates and here's how to do itOnni Hakala
This was my presentation for WordCamp Helsinki 2017. It's about the default automatic updater in WordPress and how that can be enhanced using CI instead.
All the Laravel things: up and running to making $$Joe Ferguson
Laravel 5 has established itself as one of the best PHP rapid application development frameworks. Come learn about all the tools in the Laravel ecosystem designed to save you time and prevent you from writing the boring cruft you have to write for every application. We'll cover getting started with local development, building a basic application, and deploying to production. We'll review how Laravel easily handles vagrant, testing, oauth login services, billing and subscriptions services through Laravel Spark, and deploying your application with services such as Laravel Envoyer and Forge to manage your servers.
Sharing the whole journey experience. Starting with the handover of the keys of the pandora box, wandering around the deep dark forest of uncertainty and instability of the rushed deployed systems. Trying to declutter and reach a stable stage where the order reigns over chaos, where the poor guy can finally sleep at night and the pager eventually goes silent for a while. At the end we'll be reaching the so-desired level of confidence to not be worried about experimenting, changing things and upgrading infrastructure.
The Joomlatools Platform is a modern Joomla distribution that helps you get started with the best development tools and project structure.
Much of the philosophy behind the platform is inspired by the Twelve-Factor App methodology.
Magento 2: New and Innovative? - php[world] 2015David Alger
Since the early days of Magento, the PHP eCommerce platform has taken the world by storm. As with any new platform, there were growing pains. Five years later, we see the age of Magento 2 dawning upon us. Although not rewritten from the ground up, the architects behind the beast went back to the drawing board to create something innovative. This led to a system with configurable dependency injection, PSR compliance, decoupled modules, native composer support, and a modern tech stack. This talk looks at some ways Magento has improved. You will also learn how to create a plugin in Magento 2.
Gitflow with FME and Autobuilding a Project with the Gitlab Build PipelineSafe Software
FME and git do not work so well together at the moment - but a git workflow is an attractive option when creating FME-based products. Indeed, in some IT companies using git during development is part of the company policy. It is not only using git and the attractive git workflow; Gitlab (and, of course, GitHub) is also a very attractive tool for developers: Gitlab is a server-based solution which provides an ecosystem to support the development process, and it can facilitate tracking issues, and bugs, managing versions, permissions and can even help with auto-building and deploying software.
This presentation will cover the challenges and benefits involved when applying a git-based workflow to FME development and discuss how Gitlab can be used to help run a pipeline to auto-deploy an FME-based project.
Similar to Browser Exploitation Framework Tutorial (20)
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
4. 4
Installation
● Installed by default on Kali
Directions for installing on other types of systems:
● https://github.com/beefproject/beef/wiki/Installation
● http://resources.infosecinstitute.com/beef-part-1/
[see section 2.1]
7. 7
Password
● The default user name / password is beef
● To change the user name / password
cd /etc/beef-xss/
vi config.yaml
# Credentials to authenticate in BeEF. Used by both the
RESTful API and the Admin_UI extension credentials:
user: "beef"
passwd: "beef"
8. 8
Starting BeEF
cd /usr/share/beef-xss
./beef
You will see ==>
● To stop the BeEF server,
press Control+C
● To start the BeEF console,
open a browser
and type one of the IPs
ending in /ui/panel:
http://192.168.15.129:3000/ui/panel
14. 14
Command Line
If you want to write automated scripts that uses the RESTful API, you can issue a POST request to
/api/admin/login using the BeEF credentials you will find in the main config.yaml file, like this curl example:
curl -H "Content-Type: application/json" -X POST -d '{"username":"beefy", "password":"beefy"}'
http://127.0.0.1:3000/api/admin/login
Result shown below (notice token is returned)
15. 15
Running a command
● In the Hooked Browser window, click on an online browser
● Then click on the Commands tab
● Choose a folder in the Module Tree pane, i.e., click the
folder Debug
● Click an action that has a green traffic light in front of it,
i.e., Return Ascii Chars
● In the right-hand pane, click Execute
● Click in the Module Results History pane—the results will
take a minute to show up in Command Results
31. 31
XssRays
BeEF's approach results in false-positive free findings
for cross-site scripting because BeEF must exploit the
XSS to discover the vulnerability.
33. 33
Resources
How to Enable Autorun Modules in BeEF
http://www.subliminalhacking.net/2013/01/03/how-to-autorun-modules-in-beef-
browser-exploitation-framework/
https://www.youtube.com/watch?v=qATHn_iKCas
However: not all modules will autorun