How to Inject JavaScript Into Web Pages Using BetterCAP: A Beginner’s Guide
November 29, 2024 | by s3cloudhubblog@gmail.com

JavaScript injection is a powerful technique attackers use to manipulate web pages dynamically as they load in a browser. By intercepting data in a Man-in-the-Middle (MITM) attack, we can inject custom scripts to display alerts, steal data, or modify the content of the page. This blog will demonstrate how to inject a simple JavaScript alert script into web pages using BetterCAP, laying the groundwork for more advanced exploitation techniques.
What You’ll Learn
- Basics of JavaScript injection.
- Configuring BetterCAP for web manipulation.
- Writing and injecting custom JavaScript scripts.
- A live demo using a basic alert popup.
Step 1: Writing the JavaScript Payload
We’ll start by creating a simple JavaScript file that triggers an alert in the target’s browser.
1. Open a text editor on your Kali Linux machine.
2. Write the following JavaScript code:
    alert("JavaScript test");
3. Save the file as alert.js in root's home directory (/root).
Step 2: Configuring BetterCAP for JavaScript Injection
To inject this script into the target’s browser, we’ll modify the HSTS hijack plugin in BetterCAP.
1. Locate the plugin file:
    /usr/share/bettercap/caplets/hsts-hijack.cap
2. Edit the file and add your custom script to the payload section:
    * : /root/alert.js
This configuration ensures that alert.js is injected into every web page the target loads.
Step 3: Launching BetterCAP
Run BetterCAP with ARP spoofing to intercept traffic between the target and the network.
1. Start BetterCAP with the following command:
    sudo bettercap -iface eth0
2. Launch the HSTS hijack plugin:
    caplets.load hsts-hijack
3. The plugin will now inject your JavaScript file into the target’s browser.
Step 4: Testing the Injection
Ask the target to load any webpage. Once the page loads, they’ll see a popup saying “JavaScript test.”
This simple example demonstrates how JavaScript injection works and serves as a foundation for more complex attacks.
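Seen from the defending side, the injection leaves a script element in the received page that the origin server never sent. The following is an added example, not code from the original post: it compares the scripts in a received page against a known-good copy of the same page, assumed to have been fetched over a trusted path. The function names and both HTML samples are constructed for illustration.

```javascript
// Added example: report script elements present in a received page but absent
// from a known-good baseline copy. All names and sample HTML are constructed.

// Extract every <script> element as a normalized key: "src:<url>" or "inline:<body>".
function scriptInventory(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  const items = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    if (src) {
      items.push('src:' + (src[1] ?? src[2] ?? src[3]).trim());
    } else {
      items.push('inline:' + m[2].replace(/\s+/g, ' ').trim());
    }
  }
  return items;
}

// Return scripts in the received page that the baseline does not account for.
// Counts matter: a second copy of an allowed script is still unexpected.
function unexpectedScripts(baselineHtml, receivedHtml) {
  const budget = new Map();
  for (const key of scriptInventory(baselineHtml)) {
    budget.set(key, (budget.get(key) || 0) + 1);
  }
  const extra = [];
  for (const key of scriptInventory(receivedHtml)) {
    const left = budget.get(key) || 0;
    if (left > 0) budget.set(key, left - 1);
    else extra.push(key);
  }
  return extra;
}

// Constructed sample: the page as served by the origin ...
const baseline = `<html><head><script src="/static/app.js"></script></head>
<body><h1>Shop</h1><script>initCart();</script></body></html>`;
// ... and the same page as received on a network where responses are modified.
const received = `<html><head><script src="/static/app.js"></script></head>
<body><h1>Shop</h1><script>initCart();</script>
<script>alert("JavaScript test");</script></body></html>`;

console.log(unexpectedScripts(baseline, received));
```

The regular expression is enough for a monitoring probe over pages you control; pages with scripts generated per request need an HTML parser and a per-page allowlist instead of a byte-for-byte baseline.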
Next Steps: Advanced Exploitation
With the basics in place, you can explore advanced JavaScript injections:
- Stealing form data.
- Modifying webpage content dynamically.
- Hooking the target’s browser to frameworks like BeEF.
Conclusion
JavaScript injection is a critical tool in the ethical hacker’s arsenal, helping security professionals understand vulnerabilities in web applications. Tools like BetterCAP make it easy to demonstrate these techniques in a controlled environment.
Stay tuned for more advanced tutorials on browser manipulation and web exploitation techniques.