Advisory - Clickjacking Vulnerability in the vulnerability testing framework beef xss framework

I found a security vulnerability in the penetration testing framework -  beef xss framework .

 In case you don't know what it is -

What is BeEF?

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.
Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

Please refer to Beef Project for more information.

 

This vulnerability allows any remote attacker to redress his UI on any generic website to make it appear persuasive as to make the victim click anywhere and thus performing an unintended action.

 

The reason being it has missing Frame protection or clickjacking protection in its Control Panel that can be accessed locally on any machine having BeEF framework running .

Here's a working PoC to give an idea of the situation and how it may affect the user/victim -

 

 

 

In case you have Beef XSS Framework running -

http://savanttools.com/test-frame/http://localhost:3000/ui/panel