VULNERABILITY DETAILS
Please provide a brief explanation of the security issue.

VERSION
Chrome Version: 58.0.3029.110
Operating System: OSX (same behavior on other OSses)

REPRODUCTION CASE
1. Clone BeEF since the exploit module is already in BeEF from a while:
git clone https://github.com/beefproject/beef.git 

The to start BeEF from a sane Ruby environment:
gem install bundler
bundle install
ruby beef -x 

2. Just run the attached Ruby app, it's a simple Sinatra one with an unfiltered JSONP endpoint and also a page vulnerable to Reflected XSS. For demo purposed, to hook the origin I'm using the /xssstored page rather than then /xss?secret=<> endpoint.

3. After hooking the localhost:4567 origin (the Ruby webapp) on BeEF (which origin is 127.0.0.1:3000), login into BeEF with default creds beef/beef, click on the hooked broser, go on command modules, search for "jsonp" and launch the module. You just want to enter "/vulnjsonp?callback=" in the command module input, since that is the same-origin JSONP unfiltered callback that will be used.

4. If everything worked, the origin is backdoored. 
onFetch is hooked and each response to that affected origin we control via XSS/hook has the body changed and the BeEF hook added to achieve persistence.  

This is probably expected behavior, however a JSONP callback that filters some characters might be helpful to mitigate the issue (until the whole callback can be rewritten via String.fromCharCode or similars :-)

Ruby code and screenshot attached.

 

Deleted: jsonp_ruby_sw.rb 1.8 KB

jsonp_ruby_sw.rb 1.8 KB View Download

Deleted: jsonp_PoC.png 3.5 MB

	jsonp_PoC.png 3.5 MB View Download