XSS Shell and Something More
Ferruh Mavituna has released quite an intriguing project called XSS Shell. Conceptually, XSS Shell is a persistent bi-directional channel that is controlled by an administrative console and can be hooked on any XSS hole, just like Backweb, XSS Proxy and BEEF. With this channel attackers are able to do some quite nasty stuff, like accessing your clipboard (IE only), using your machine to get into your local network, using your network resources to DDoS someone, etc.
Ferruh’s XSS Shell differs from the other frameworks in many different ways. First of all, it is written in ASP. Also, it provides mechanisms for extending the server as well as the client functionalities. An online presentation on how to use the framework is also available. Check it out if you are still confused about what the fuss is all about.
Although I quite like the work that has been done on XSS Shell, I have a few remarks. I hope that my message will not be misunderstood.
Ferruh’s XSS Shell is great but it will be even better if less is required to extend the framework. Anyway, check it out. It is a good project and I am definitely looking forward to seeing how it will develop in the future.
Meanwhile, I am busy with a few other projects that will be available quite soon. As you might already know, I need to change Backweb’s name to something else. Apparently the name is a registered trademark in the US, Europe and Japan. This is quite nasty because I really like this name. I am deciding between the following two options: BACKEND Attack Console or BACKVERSE Attack Console. I have more ideas but they are not that good. If anyone has a good name for this project, please don’t hesitate to propose it here on this blog. You will hold the credits for it.