Why You Should Care

by Vince

I often get asked why people should care about their web server getting hacked.  The usual argument for their lack of concern is that their web server isn’t on their corporate network, so they are isolated from any potential harm.

If I were to replace all of the photos on your website with cat memes, would you care?  Take this a step further with something offensive.  So now I have your attention -- or at least I think I do.  It gets worse. 

If your site is vulnerable to cross-site scripting (XSS), we can do the Internet's version of graffiti.  Pretty simple stuff if you don't sanitize inputs.  Also about as dangerous as cat memes, in that we're introducing different content but causing no real harm unless you don't like cats.


A simple example is this pair of inputs:











Here's a different form but we're basically doing the same thing:







We can take this a step further using the same input fields, but instead of harmless text popups, we introduce malicious content.  Now we can do all sorts of nasty things to your visitors.  And assuming your employees visit your website, we are now able to reach into your corporate network.







In the entry field, we're rendering an iframe which references BeEF, the Browser Exploitation Framework.  I'm using BeEF because it has some automated functions that let me do a number of tasks that would otherwise require more work on my part.  No point in reinventing the wheel.

So now that we have the browser hooked with BeEF, we can see our zombie host in the console:



Let's say you didn't have XSS vulnerabilities on your site.  I could gain access to your site another way and link to the BeEF hook with a simple URL:





One way or another, the browser gets hooked and we have quite a few modules to perform various tasks.
 




The operating system I have hooked is a fully patched Windows 10 box using the latest versions of Chrome, Firefox and Internet Explorer.  In addition, the system is running current antivirus.  Some functions work, some functions don't.  There are various reasons why certain functions don't work -- the antivirus, the specific browser, and the operating system, to name a few.  

With our browser hooked, let's see if there's a popup blocker:









That would be a big yes.  

Let's get malicious with a meterpreter shell:





Can I push my shell as a fake ("required") plugin?







Yes, I can.  But Chrome prevented me from accessing it.

How about Firefox?   









Why yes, Firefox let me serve it up and download it.  

Maybe you're thinking someone would notice that it's a weird-looking executable.  True, but maybe I remove an image from the website, incorporate a Flash logo, and then I push a shell, but this time it's titled:  flashplayer31_ka_install.exe

I won't get everyone but I'll get someone.  The above is quick and dirty but with some time, I could clean this up and make it very convincing.
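
The graffiti and iframe cases above both come down to a form value written into the page without encoding. As an added example (not code from the original post; the function names and sample inputs are constructed for illustration), this JavaScript puts the vulnerable rendering beside an output-encoded version and builds a Content-Security-Policy header as a second layer:

```javascript
'use strict';
// Added example; function names and sample inputs are constructed.

// Characters that let a value break out of HTML text or attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the field value is concatenated into the page as-is.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}</p>`;
}

// Hardened: same template, with the value encoded for HTML output.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}</p>`;
}

// Second layer: only same-origin scripts and frames may load, and inline
// script is refused, so markup that slips past encoding cannot pull in
// third-party content.
function cspHeader() {
  return ["default-src 'self'", "script-src 'self'", "frame-src 'self'",
          "object-src 'none'", "base-uri 'self'"].join('; ');
}

// Coarse check used for the comparison: is there a live script/iframe tag?
function hasActiveElement(html) {
  return /<\s*(script|iframe)\b/i.test(html);
}

// Constructed sample field values: one ordinary, two carrying markup.
const SAMPLES = [
  'Vince',
  "<script>alert('graffiti')</script>",
  '<iframe src="https://third-party.example/"></iframe>',
];

function report() {
  return SAMPLES.map((input) => ({
    input,
    unsafeActive: hasActiveElement(renderGreetingUnsafe(input)),
    safeActive: hasActiveElement(renderGreetingSafe(input)),
  }));
}

console.table(report());
console.log('Content-Security-Policy: ' + cspHeader());
```

Encoding has to match the output context: this helper covers HTML text and quoted attribute values, not values placed inside script blocks or URLs.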