Merge branch 'master' into red/dev

Merge pull request #3483 from beefproject/dependabot/bundler/sqlite3-2.9.0
Bump sqlite3 from 2.8.1 to 2.9.0
2025-12-30 11:18:26 +10:00 · 2025-12-29 13:04:36 +00:00 · 2025-12-29 13:02:17 +00:00 · 2025-12-26 19:35:25 +10:00 · 2025-12-26 19:18:05 +10:00 · 2025-12-25 13:04:20 +00:00
1670 changed files with 109693 additions and 43281 deletions
--- a/.bundle/config
+++ b/.bundle/config
@@ -0,0 +1,3 @@
 ---
 BUNDLE_WITHOUT: "development:test"
 BUNDLE_WITH: "geoip:ext_msf:ext_notifications:ext_dns:ext_qrcode"
--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,8 @@
 # Don't copy over git files
 .git
 .github
 .gitignore
 doc
 docs
 test
 update-beef
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
@@ -0,0 +1,84 @@
 # Contributing
 ### Anyone is welcome to make BeEF better!
 Thank you for wanting to contribute to BeEF. It's effort like yours that helps make BeEF such a great tool.
 Following these guidelines shows that you respect the time of the developers developing this open source project and helps them help you. In response to this, they should return that respect in addressing your issue, assisting with changes, and helping you finalize your pull requests.
 ###  We want any form of helpful contributions!
 BeEF is an open source project and we love to receive contributions from the community! There are many ways to contribute, from writing tutorials or blog posts, improving or translating the documentation, answering questions on the project, submitting bug reports and feature requests or writing or reviewing code which can be merged into BeEF itself.
 # Ground Rules
 ###  Responsibilities
 > * When making an issue, ensure the issue template is filled out, failure to do so can and will result in a closed ticket and a delay in support.
 > * We now have a two-week of unresponsiveness period before closing a ticket, if this happens, just comment responding to the issue which will re-open the ticket. Ensure to make sure all information requested is provided.
 > * Ensure cross-platform compatibility for every change that's accepted. Mac and Linux are currently supported.
 > * Create issues for any major changes and enhancements that you wish to make. Discuss things transparently and get community feedback.
 > * Ensure language is as respectful and appropriate as possible. 
 > * Keep merges as straightforward as possible, only address one issue per commit where possible.
 > * Be welcoming to newcomers and try to assist where possible, everyone needs help. 
 # Where to start
 ### Looking to make your first contribution 
 Unsure where to begin contributing to BeEF? You can start by looking through these issues:
 * Good First Issue - issues which should only require a few changes, and are good to start with.
 * Question - issues which are a question and need a response. A good way to learn more about BeEF is to try to solve a problem.
 At this point, you're ready to make your changes! Feel free to ask for help; everyone is a beginner at first.
 If a maintainer asks you to "rebase" your PR, they're saying that code has changed, and that you need to update your branch so it's easier to merge.
 ### Ruby best practise 
 Do read through: https://rubystyle.guide
 Try and follow through with the practices throughout, even going through it once will help keep the codebase consistent.
 Use Rubocop to help ensure that the changes adhere to current standards, we are currently catching up old codebase to match.
 Just run the following in the /beef directory.
 > rubocop
 # Getting started
 ### How to submit a contribution.
 1. Create your own fork of the code
 2. Checkout the master branch
 > git checkout master
 3. Create a new branch for your feature
 > git checkout -b my-cool-new-feature
 4. Add your new files
 > git add modules/my-cool-new-module
 5. Modify or write a test case/s in Rspec for your changes
 6. Commit your changes with a relevant message
 > git commit
 7. Push your changes to GitHub
 > git push origin my-cool-new-feature
 8. Run all tests again to make sure they all pass
 9. Edit existing wiki page / add a new one explaining the new features, including:
 	- sample usage (command snippets, steps and/or screenshots)
 	- internal working (code snippets & explanation)
 10. Now browse to the following URL and create your pull request from your fork to beef master
    - Fill out the Pull Request Template
    - https://github.com/beefproject/beef/pulls
 # How to report a bug
 If you find a security vulnerability, do NOT open an issue. Email security@beefproject.com instead.
 When the security team receives a security bug email, they will assign it to a primary handler.
 This person will coordinate the fix and release process, involving the following steps:
 * Confirm the problem and find the affected versions.
 * Audit code to find any potential similar problems.
 * Prepare fixes
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -1,49 +0,0 @@
 Verify first that your issue/request has not been posted previously:
 * https://github.com/beefproject/beef/issues
 * https://github.com/beefproject/beef/wiki/FAQ
 Ensure you're using the [latest version of BeEF](https://github.com/beefproject/beef/releases/tag/beef-0.4.7.2).
 #### Environment
 What version/revision of BeEF are you using?
 On what version of Ruby?
 On what browser?
 On what operating system?
 #### Configuration
 Are you using a non-default configuration?
 Have you enabled or disabled any BeEF extensions?
 #### Summary
 Please provide a summary of the issue.
 #### Expected Behaviour
 What was the expected result?
 #### Actual Behaviour
 What was the actual result?
 #### Steps to Reproduce
 Please provide steps to reproduce this issue.
 #### Additional Information
 Please provide any additional information which may be useful in resolving this issue, such as debugging output and relevant screen shots. Debug output can be enabled by specifying `debug: true` in the `config.yaml` configuration file.
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,37 @@
 ---
 name: Bug report
 about: Report a bug to help us improve BeEF
 ---
 ## First Steps
 1. Confirm that your issue has not been posted previously by searching here: https://github.com/beefproject/beef/issues
 2. Confirm that the wiki does not contain the answers you seek: https://github.com/beefproject/beef/wiki
 3. Check the FAQ: https://github.com/beefproject/beef/wiki/FAQ
 4. BeEF Version:
 5. Ruby Version:
 6. Browser Details (e.g. Chrome v81.0):
 7. Operating System (e.g. OSX Catalina):
 ## Configuration
 1. Have you made any changes to your BeEF configuration? Yes/No
 2. Have you enabled or disabled any BeEF extensions? Yes/No
 ## Steps to Reproduce
 1. (eg. I ran install script, which ran fine)
 2. (eg. when launching console with './beef' I get an error as follows: <error here>)
 3. (eg. beef does not launch)
 ## How to enable and capture detailed logging
 1. Edit `config.yaml` in the root directory
   * If using Kali **beef-xss** the root dir will be  `/usr/share/beef-xss`
 2. Update `client_debug` to `true`
 3. Retrieve browser logs from your browser's developer console (Ctrl + Shift + I or F12 depending on browser)
 4. Retrieve your server-side logs from `~/.beef/beef.log`
   * If you have a kali (beef-xss) problem, you can submit a bug here:
     https://www.kali.org/docs/community/submitting-issues-kali-bug-tracker/
 **If we request additional information and we don't hear back from you within a week, we will be closing the ticket off.**
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,5 @@
 blank_issues_enabled: false
 contact_links:
  - name: Questions / Support
    url: https://github.com/beefproject/beef/wiki
    about: Please check the wiki before opening an issue.
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,20 @@
 # Pull Request
 Thanks for submitting a PR! Please fill in this template where appropriate:
 ## Category
 *e.g. Bug, Module, Extension, Core Functionality, Documentation, Tests*
 ## Feature/Issue Description
 **Q:** Please give a brief summary of your feature/fix
 **A:**
 **Q:** Give a technical rundown of what you have changed (if applicable)
 **A:**
 ## Test Cases
 **Q:** Describe your test cases, what you have covered and if there are any use cases that still need addressing.
 **A:**
 ## Wiki Page
 *If you are adding a new feature that is not easily understood without context, please draft a section to be added to the Wiki below.*
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@@ -0,0 +1,9 @@
 send security bug reports to security@beefproject.com
 **A security report should include:**
 1. Description of the problem (what it is, what's the impact)
 2. Technical steps to replicate it (commands / screenshots)
 3. Actionable fix/recommendations to mitigate the issue
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,25 @@
 version: 2
 updates:
 - package-ecosystem: npm
  directory: "/"
  schedule:
    interval: daily
  open-pull-requests-limit: 10
  ignore:
  - dependency-name: jsdoc-to-markdown
    versions:
    - 7.0.0
 - package-ecosystem: bundler
  directory: "/"
  schedule:
    interval: daily
  open-pull-requests-limit: 10
  ignore:
  - dependency-name: rubocop
    versions:
    - 1.10.0
    - 1.11.0
    - 1.12.0
    - 1.12.1
    - 1.9.0
    - 1.9.1
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,72 @@
 # For most projects, this workflow file will not need changing; you simply need
 # to commit it to your repository.
 #
 # You may wish to alter this file to override the set of languages analyzed,
 # or to provide custom queries or build logic.
 #
 # ******** NOTE ********
 # We have attempted to detect the languages in your repository. Please check
 # the `language` matrix defined below to confirm you have the correct set of
 # supported CodeQL languages.
 #
 name: "CodeQL"
 on:
  push:
    branches: [ master ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ master ]
  schedule:
    - cron: '36 1 * * 0'
 jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: [ 'javascript', 'ruby' ]
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
    steps:
    - name: Checkout repository
      uses: actions/checkout@v3
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v2
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
        # By default, queries listed here will override any specified in a config file.
        # Prefix the list here with "+" to use these queries and those in the config file.
        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
        queries: security-extended,security-and-quality
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    # - name: Autobuild
    #  uses: github/codeql-action/autobuild@v2
    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
    # - run: |
    #   echo "Run, Build Application using script"
    #   ./location_of_script_within_repo/buildscript.sh
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v2
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@@ -0,0 +1,26 @@
 name: Dependabot auto-merge
 on: 
  pull_request:
    branches:
        - master
 permissions:
  contents: write
  pull-requests: write
 jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'beefproject/beef'
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Enable auto-merge for Dependabot PRs
        if: success() && (steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.update-type == 'version-update:semver-patch')
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/github_actions.yml
+++ b/.github/workflows/github_actions.yml
@@ -0,0 +1,55 @@
 name: 'BrowserStack Test'
 on:
  pull_request_target:
    branches: [ master ]
 jobs:    
  ubuntu-job:
    name: 'BrowserStack Test on Ubuntu'
    runs-on: ubuntu-latest  # Can be self-hosted runner also
    environment:
      name: Integrate Pull Request
    env: 
      GITACTIONS: true
    steps:
      - name: 'BrowserStack Env Setup'  # Invokes the setup-env action
        uses: browserstack/github-actions/setup-env@master
        with:
          username:  ${{ secrets.BROWSERSTACK_USERNAME }}
          access-key: ${{ secrets.BROWSERSTACK_ACCESS_KEY }}
      - name: 'BrowserStack Local Tunnel Setup'  # Invokes the setup-local action
        uses: browserstack/github-actions/setup-local@master
        with:
          local-testing: start
          local-identifier: random
      - name: 'Checkout the repository'
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 2
      - name: 'Setting up Ruby'
        uses: ruby/setup-ruby@v1
        # Ruby version is defined in .ruby-version file
      - name: 'Update and Install Dependencies'
        run: |
          sudo apt update
          sudo apt install libcurl4 libcurl4-openssl-dev
      - name: 'Configure Bundle testing and install gems'
        run: |
          bundle config unset --local without
          bundle config set --local with 'test' 'development'
          bundle install
      - name: 'Run BrowserStack simple verification'
        run: |
          bundle exec rake browserstack --trace
      - name: 'BrowserStackLocal Stop'  # Terminating the BrowserStackLocal tunnel connection
        uses: browserstack/github-actions/setup-local@master
        with:
          local-testing: stop
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -0,0 +1,35 @@
 # This workflow warns and then closes issues and PRs that have had no activity for a specified amount of time.
 #
 # You can adjust the behavior by modifying this file.
 # For more information, see:
 # https://github.com/actions/stale
 name: Mark stale issues and pull requests
 on:
  schedule:
  - cron: '5 * * * *'
 jobs:
  stale:
    runs-on: ubuntu-latest
    permissions:
      issues: write
      pull-requests: write
    steps:
    - uses: actions/stale@v5
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        days-before-stale: 14
        days-before-pr-stale: 29
        days-before-close: 11
        days-before-pr-close: 31
        stale-issue-message: 'This issue as been marked as stale due to inactivity and will be closed in 7 days'
        stale-pr-message: 'Stale pull request message'
        stale-issue-label: 'Stale'
        stale-pr-label: 'no-pr-activity'
        exempt-issue-labels: 'Critical, High, Low, Medium, Review, Backlog'
        exempt-milestones: true
        exempt-draft-pr: true
        start-date: '2022-06-15'
--- a/.gitignore
+++ b/.gitignore
@@ -1,16 +1,35 @@
 ### BeEF ###
 beef.db
 beef.db-shm
 beef.db-wal
 beef.log
 test/msf-test
 extensions/admin_ui/media/javascript-min/
 custom-config.yaml
 .DS_Store
 .gitignore
 .rvmrc
 beef.log
 *.lock
 extensions/metasploit/msf-exploits.cache
 # ruby debugging
 .byebug_history
 # Bundler
 /.bundle
 /vendor
 #simplecov
 coverage/
 # BrowserStack
 local.log
 # Visual Studio Code
 .vscode/
 # The following lines were created by https://www.gitignore.io
 ### Linux ###
@@ -104,3 +123,14 @@ $RECYCLE.BIN/
 test/thirdparty/msf/unit/.byebug_history
 /load
 ### JSDoc ###
 # Dependency directories
 node_modules/
 # Generated files
 out/
 doc/rdoc/
 # Secrets for testing github actions locally
 .secrets
--- a/.rspec
+++ b/.rspec
@@ -0,0 +1,4 @@
 --format documentation
 --color
 --require spec_helper
 -I .
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -4,21 +4,39 @@ AllCops:
    - 'tmp/**/*'
    - 'tools/**/*'
    - 'doc/**/*'
-  TargetRubyVersion: 2.4
+  TargetRubyVersion: <%= File.read(".ruby-version").strip[/^(\d+\.\d+)/, 1] || raise("Ruby version not found") %>
  NewCops: enable
 Layout/LineLength:
  Enabled: true
  Max: 180
 Metrics/AbcSize:
  Enabled: false
 Metrics/BlockLength:
  Enabled: false
 Metrics/ClassLength:
  Enabled: false
-Metrics/LineLength:
+
  Enabled: false
 Metrics/MethodLength:
  Enabled: false
 Metrics/ModuleLength:
  Enabled: false
 Metrics/PerceivedComplexity:
  Enabled: false
 Metrics/CyclomaticComplexity:
  Enabled: false
 Naming/ClassAndModuleCamelCase:
  Enabled: false
 Style/FrozenStringLiteralComment:
  Enabled: false
 Style/Documentation:
  Enabled: false
--- a/.ruby-version
+++ b/.ruby-version
@@ -1 +1 @@
-2.5.3
+3.4.7
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,23 +0,0 @@
 language: ruby
 rvm:
  - 2.4.0
  - 2.5.0
  - 2.6.0
 env:
  - "BEEF_TEST=true"
 notifications:
  email:
    recipients:
      - wade@bindshell.net
    on_success: always
    on_failure: always
 addons:
  apt:
    packages:
      - libsqlite3-dev
      - build-essential
      - patch
      - ruby-dev
      - zlib1g-dev
      - liblzma-dev
      - libcurl4-openssl-dev
--- a/98
+++ b/98
@@ -0,0 +1,98 @@
 #
 # Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
 # Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 ###########################################################################################################
 ###########################################################################################################
 ##                                                                                                       ##
 ##   Please read the Wiki Installation section on set-up using Docker prior to building this container.  ##
 ##   BeEF does NOT allow authentication with default credentials. So please, at the very least           ##
 ##   change the username:password in the config.yaml file to something secure that is not beef:beef      ##
 ##   before building or you will be denied access and have to rebuild anyway.                            ##
 ##                                                                                                       ##
 ###########################################################################################################
 ###########################################################################################################
 # ---------------------------- Start of Builder 0 - Gemset Build ------------------------------------------
 FROM ruby:3.4.7-slim-bookworm AS builder
 COPY . /beef
 # Set gemrc config to install gems without Ruby Index (ri) and Ruby Documentation (rdoc) files.
 # Then add bundler/gem dependencies and install.
 # Finally change permissions of bundle installs so we don't need to run as root.
 RUN echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
 && apt-get update \
 && apt-get install -y --no-install-recommends \
    git \
    curl \
    libssl-dev \
    xz-utils \
    pkg-config \
    make \
    g++ \
    libcurl4-openssl-dev \
    ruby-dev \
    libyaml-dev \
    libffi-dev \
    zlib1g-dev \
    libsqlite3-dev \
    sqlite3 \
 && bundle install --gemfile=/beef/Gemfile --jobs=`nproc` \
 && rm -rf /usr/local/bundle/cache \
 && chmod -R a+r /usr/local/bundle \
 && rm -rf /var/lib/apt/lists/*
 # ------------------------------------- End of Builder 0 -------------------------------------------------
 # ---------------------------- Start of Builder 1 - Final Build ------------------------------------------
 FROM ruby:3.4.7-slim-bookworm
 LABEL maintainer="Beef Project" \
      source_url="github.com/beefproject/beef" \
      homepage="https://beefproject.com/"
 # BeEF UI/Hook port
 ARG UI_PORT=3000
 ARG PROXY_PORT=6789
 ARG WEBSOCKET_PORT=61985
 ARG WEBSOCKET_SECURE_PORT=61986
 # Create service account to run BeEF and install BeEF's runtime dependencies
 RUN adduser --home /beef --gecos beef --disabled-password beef \
 && apt-get update \
 && apt-get install -y --no-install-recommends \
    curl \
    wget \
    espeak \
    lame \
    openssl \
    libreadline-dev \
    libyaml-dev \
    libxml2-dev \
    libxslt-dev \
    libncurses5-dev \
    libsqlite3-dev \
    sqlite3 \
    zlib1g \
    bison \
    nodejs \
 && apt-get -y clean \
 && rm -rf /var/lib/apt/lists/*
 # Use gemset created by the builder above
 COPY --chown=beef:beef . /beef
 COPY --from=builder /usr/local/bundle /usr/local/bundle
 # Ensure we are using our service account by default
 USER beef
 # Expose UI, Proxy, WebSocket server, and WebSocketSecure server ports
 EXPOSE $UI_PORT $PROXY_PORT $WEBSOCKET_PORT $WEBSOCKET_SECURE_PORT
 HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "curl", "-fS", "localhost:$UI_PORT" ]
 WORKDIR /beef
 ENTRYPOINT ["/beef/beef"]
 # ------------------------------------- End of Builder 1 -------------------------------------------------
--- a/121
+++ b/121
@@ -1,101 +1,90 @@
 # BeEF's Gemfile
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
-gem 'eventmachine'
+gem 'net-smtp', require: false
 gem 'thin'
 gem 'sinatra', '~> 2.0'
 gem 'rack', '~> 2.0'
 gem 'rack-protection', '~> 2.0'
 gem 'em-websocket' # WebSocket support
 gem 'uglifier'
 gem 'mime-types'
 gem 'execjs'
 gem 'ansi'
 gem 'term-ansicolor', :require => 'term/ansicolor'
 gem 'dm-core'
 gem 'json'
 gem 'data_objects'
 gem 'rubyzip', '>= 1.2.2'
 gem 'espeak-ruby', '>= 1.0.4' # Text-to-Voice
 gem 'nokogiri', '>= 1.7'
 gem 'rake'
-# SQLite support
+gem 'eventmachine', '~> 1.2', '>= 1.2.7'
-group :sqlite do
+gem 'thin', '~> 2.0'
-  gem 'dm-sqlite-adapter'
+gem 'sinatra', '~> 4.1'
-end
+gem 'rack', '~> 3.2'
-
+gem 'rack-protection', '~> 4.2.1'
-# PostgreSQL support
+gem 'em-websocket', '~> 0.5.3' # WebSocket support
-group :postgres do
+gem 'uglifier', '~> 4.2'
-  #gem dm-postgres-adapter
+gem 'mime-types', '~> 3.7'
-end
+gem 'execjs', '~> 2.10'
-
+gem 'ansi', '~> 1.5'
-# MySQL support
+gem 'term-ansicolor', :require => 'term/ansicolor'
-group :mysql do
+gem 'rubyzip', '~> 3.2'
-  #gem dm-mysql-adapter
+gem 'espeak-ruby', '~> 1.1.0' # Text-to-Voice
-end
+gem 'rake', '~> 13.3'
 gem 'activerecord', '~> 8.1'
 gem 'otr-activerecord', '~> 2.6.0'
 gem 'sqlite3', '~> 2.9'
 gem 'rubocop', '~> 1.82.1', require: false
 # Geolocation support
 group :geoip do
-  gem 'maxmind-db'
+  gem 'maxmind-db', '~> 1.4'
 end
-gem 'parseconfig'
+gem 'parseconfig', '~> 1.1', '>= 1.1.2'
-gem 'erubis'
+gem 'erubis', '~> 2.7'
 gem 'dm-migrations'
 # Metasploit Integration extension
 group :ext_msf do
-  gem 'msfrpc-client'
+  gem 'msfrpc-client', '~> 1.1', '>= 1.1.2'
-  gem 'xmlrpc'
+  gem 'xmlrpc', '~> 0.3.3'
 end
 # Notifications extension
 group :ext_notifications do
  # Pushover
-  gem 'rushover'
+  gem 'rushover', '~> 0.3.0'
  # Slack
-  gem 'slack-notifier'
+  gem 'slack-notifier', '~> 2.4'
  # Twitter
  gem 'twitter', '>= 5.0.0'
 end
 # DNS extension
 group :ext_dns do
-  gem 'rubydns', '~> 0.7.3'
+  gem 'async-dns', '~> 1.4'
  gem 'async', '~> 1.32'
 end
 # QRcode extension
 group :ext_qrcode do
-  gem 'qr4r'
+  gem 'qr4r', '~> 0.6.1'
 end
 # For running unit tests
 group :test do
-  if ENV['BEEF_TEST']
+  gem 'test-unit-full', '~> 0.0.5'
-    gem 'test-unit'
+  gem 'rspec', '~> 3.13'
-    gem 'test-unit-full'
+  gem 'rdoc', '~> 7.0'
-    gem 'rspec'
+  gem 'browserstack-local', '~> 1.4'
-	gem 'rdoc'
+
-    # curb gem requires curl libraries
+  gem 'irb', '~> 1.16'
-    # sudo apt-get install libcurl4-openssl-dev
+  gem 'pry-byebug', '~> 3.11'
-    gem 'curb'
+
-    # selenium-webdriver 3.x is incompatible with Firefox version 48 and prior
+  gem 'rest-client', '~> 2.1.0'
-    gem 'selenium'
+  gem 'websocket-client-simple', '~> 0.6.1'
-    gem 'selenium-webdriver', '~> 2.53.4'
+
-    # nokogirl is needed by capybara which may require one of the below commands
+  # Note: curb gem requires curl libraries
-    # sudo apt-get install libxslt-dev libxml2-dev
+  # sudo apt-get install libcurl4-openssl-dev
-    # sudo port install libxml2 libxslt
+  gem 'curb', '~> 1.2'
-    gem 'capybara'
+
-    # RESTful API tests/generic command module tests
+  # Note: selenium-webdriver 3.x is incompatible with Firefox version 48 and prior
-    gem 'rest-client', '>= 2.0.1'
+  # gem 'selenium' # Requires old version of selenium which is no longer available
-    gem 'byebug'
+  gem 'geckodriver-helper', '~> 0.24.0'
-  end
+  gem 'selenium-webdriver', '~> 4.39'
  # Note: nokogiri is needed by capybara which may require one of the below commands
  # sudo apt-get install libxslt-dev libxml2-dev
  # sudo port install libxml2 libxslt
  gem 'capybara', '~> 3.40'
 end
 source 'https://rubygems.org'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -0,0 +1,346 @@
 GEM
  remote: https://rubygems.org/
  specs:
    activemodel (8.1.1)
      activesupport (= 8.1.1)
    activerecord (8.1.1)
      activemodel (= 8.1.1)
      activesupport (= 8.1.1)
      timeout (>= 0.4.0)
    activesupport (8.1.1)
      base64
      bigdecimal
      concurrent-ruby (~> 1.0, >= 1.3.1)
      connection_pool (>= 2.2.5)
      drb
      i18n (>= 1.6, < 2)
      json
      logger (>= 1.4.2)
      minitest (>= 5.1)
      securerandom (>= 0.3)
      tzinfo (~> 2.0, >= 2.0.5)
      uri (>= 0.13.1)
    addressable (2.8.7)
      public_suffix (>= 2.0.2, < 7.0)
    ansi (1.5.0)
    archive-zip (0.13.1)
      io-like (~> 0.4.0)
    ast (2.4.3)
    async (1.32.1)
      console (~> 1.10)
      nio4r (~> 2.3)
      timers (~> 4.1)
    async-dns (1.4.1)
      async
      io-endpoint
    base64 (0.3.0)
    bigdecimal (3.3.1)
    browserstack-local (1.4.3)
    byebug (12.0.0)
    capybara (3.40.0)
      addressable
      matrix
      mini_mime (>= 0.1.3)
      nokogiri (~> 1.11)
      rack (>= 1.6.0)
      rack-test (>= 0.6.3)
      regexp_parser (>= 1.5, < 3.0)
      xpath (~> 3.2)
    coderay (1.1.3)
    concurrent-ruby (1.3.5)
    connection_pool (2.5.4)
    console (1.34.0)
      fiber-annotation
      fiber-local (~> 1.1)
      json
    curb (1.2.2)
    daemons (1.4.1)
    date (3.5.1)
    diff-lcs (1.6.2)
    domain_name (0.6.20240107)
    drb (2.2.3)
    em-websocket (0.5.3)
      eventmachine (>= 0.12.9)
      http_parser.rb (~> 0)
    erb (6.0.1)
    erubis (2.7.0)
    espeak-ruby (1.1.0)
    event_emitter (0.2.6)
    eventmachine (1.2.7)
    execjs (2.10.0)
    fiber-annotation (0.2.0)
    fiber-local (1.1.0)
      fiber-storage
    fiber-storage (1.0.1)
    geckodriver-helper (0.24.0)
      archive-zip (~> 0.7)
    http-accept (1.7.0)
    http-cookie (1.0.8)
      domain_name (~> 0.5)
    http_parser.rb (0.8.0)
    i18n (1.14.7)
      concurrent-ruby (~> 1.0)
    io-console (0.8.2)
    io-endpoint (0.15.2)
    io-like (0.4.0)
    irb (1.16.0)
      pp (>= 0.6.0)
      rdoc (>= 4.0.0)
      reline (>= 0.4.2)
    json (2.18.0)
    language_server-protocol (3.17.0.5)
    lint_roller (1.1.0)
    logger (1.7.0)
    matrix (0.4.3)
    maxmind-db (1.4.0)
    method_source (1.1.0)
    mime-types (3.7.0)
      logger
      mime-types-data (~> 3.2025, >= 3.2025.0507)
    mime-types-data (3.2025.0902)
    mini_mime (1.1.5)
    minitest (5.26.1)
    mojo_magick (0.6.8)
    msfrpc-client (1.1.2)
      msgpack (~> 1)
    msgpack (1.8.0)
    mustermann (3.0.4)
      ruby2_keywords (~> 0.0.1)
    net-protocol (0.2.2)
      timeout
    net-smtp (0.5.1)
      net-protocol
    netrc (0.11.0)
    nio4r (2.7.4)
    nokogiri (1.18.9-aarch64-linux-gnu)
      racc (~> 1.4)
    nokogiri (1.18.9-aarch64-linux-musl)
      racc (~> 1.4)
    nokogiri (1.18.9-arm-linux-gnu)
      racc (~> 1.4)
    nokogiri (1.18.9-arm-linux-musl)
      racc (~> 1.4)
    nokogiri (1.18.9-arm64-darwin)
      racc (~> 1.4)
    nokogiri (1.18.9-x86_64-darwin)
      racc (~> 1.4)
    nokogiri (1.18.9-x86_64-linux-gnu)
      racc (~> 1.4)
    nokogiri (1.18.9-x86_64-linux-musl)
      racc (~> 1.4)
    otr-activerecord (2.6.0)
      activerecord (>= 6.0, < 9.0)
    parallel (1.27.0)
    parseconfig (1.1.2)
    parser (3.3.10.0)
      ast (~> 2.4.1)
      racc
    power_assert (2.0.5)
    pp (0.6.3)
      prettyprint
    prettyprint (0.2.0)
    prism (1.7.0)
    pry (0.15.2)
      coderay (~> 1.1)
      method_source (~> 1.0)
    pry-byebug (3.11.0)
      byebug (~> 12.0)
      pry (>= 0.13, < 0.16)
    psych (5.3.1)
      date
      stringio
    public_suffix (6.0.2)
    qr4r (0.6.2)
      mojo_magick (~> 0.6.5)
      rqrcode_core (~> 1.0)
    racc (1.8.1)
    rack (3.2.4)
    rack-protection (4.2.1)
      base64 (>= 0.1.0)
      logger (>= 1.6.0)
      rack (>= 3.0.0, < 4)
    rack-session (2.1.1)
      base64 (>= 0.1.0)
      rack (>= 3.0.0)
    rack-test (2.2.0)
      rack (>= 1.3)
    rainbow (3.1.1)
    rake (13.3.1)
    rdoc (7.0.3)
      erb
      psych (>= 4.0.0)
      tsort
    regexp_parser (2.11.3)
    reline (0.6.3)
      io-console (~> 0.5)
    rest-client (2.1.0)
      http-accept (>= 1.7.0, < 2.0)
      http-cookie (>= 1.0.2, < 2.0)
      mime-types (>= 1.16, < 4.0)
      netrc (~> 0.8)
    rexml (3.4.4)
    rqrcode_core (1.2.0)
    rr (3.1.2)
    rspec (3.13.2)
      rspec-core (~> 3.13.0)
      rspec-expectations (~> 3.13.0)
      rspec-mocks (~> 3.13.0)
    rspec-core (3.13.6)
      rspec-support (~> 3.13.0)
    rspec-expectations (3.13.5)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
    rspec-mocks (3.13.6)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
    rspec-support (3.13.6)
    rubocop (1.82.1)
      json (~> 2.3)
      language_server-protocol (~> 3.17.0.2)
      lint_roller (~> 1.1.0)
      parallel (~> 1.10)
      parser (>= 3.3.0.2)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 2.9.3, < 3.0)
      rubocop-ast (>= 1.48.0, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 4.0)
    rubocop-ast (1.48.0)
      parser (>= 3.3.7.2)
      prism (~> 1.4)
    ruby-progressbar (1.13.0)
    ruby2_keywords (0.0.5)
    rubyzip (3.2.2)
    rushover (0.3.0)
      json
      rest-client
    securerandom (0.4.1)
    selenium-webdriver (4.39.0)
      base64 (~> 0.2)
      logger (~> 1.4)
      rexml (~> 3.2, >= 3.2.5)
      rubyzip (>= 1.2.2, < 4.0)
      websocket (~> 1.0)
    sinatra (4.2.1)
      logger (>= 1.6.0)
      mustermann (~> 3.0)
      rack (>= 3.0.0, < 4)
      rack-protection (= 4.2.1)
      rack-session (>= 2.0.0, < 3)
      tilt (~> 2.0)
    slack-notifier (2.4.0)
    sqlite3 (2.9.0-aarch64-linux-gnu)
    sqlite3 (2.9.0-aarch64-linux-musl)
    sqlite3 (2.9.0-arm-linux-gnu)
    sqlite3 (2.9.0-arm-linux-musl)
    sqlite3 (2.9.0-arm64-darwin)
    sqlite3 (2.9.0-x86_64-darwin)
    sqlite3 (2.9.0-x86_64-linux-gnu)
    sqlite3 (2.9.0-x86_64-linux-musl)
    stringio (3.2.0)
    sync (0.5.0)
    term-ansicolor (1.11.3)
      tins (~> 1)
    test-unit (3.7.0)
      power_assert
    test-unit-context (0.5.1)
      test-unit (>= 2.4.0)
    test-unit-full (0.0.5)
      test-unit
      test-unit-context
      test-unit-notify
      test-unit-rr
      test-unit-runner-tap
    test-unit-notify (1.0.4)
      test-unit (>= 2.4.9)
    test-unit-rr (1.0.5)
      rr (>= 1.1.1)
      test-unit (>= 2.5.2)
    test-unit-runner-tap (1.1.2)
      test-unit
    thin (2.0.1)
      daemons (~> 1.0, >= 1.0.9)
      eventmachine (~> 1.0, >= 1.0.4)
      logger
      rack (>= 1, < 4)
    tilt (2.6.1)
    timeout (0.4.4)
    timers (4.4.0)
    tins (1.43.0)
      bigdecimal
      sync
    tsort (0.2.0)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
    uglifier (4.2.1)
      execjs (>= 0.3.0, < 3)
    unicode-display_width (3.2.0)
      unicode-emoji (~> 4.1)
    unicode-emoji (4.2.0)
    uri (1.1.1)
    webrick (1.9.1)
    websocket (1.2.11)
    websocket-client-simple (0.6.1)
      event_emitter
      websocket
    xmlrpc (0.3.3)
      webrick
    xpath (3.2.0)
      nokogiri (~> 1.8)
 PLATFORMS
  aarch64-linux-gnu
  aarch64-linux-musl
  arm-linux-gnu
  arm-linux-musl
  arm64-darwin
  x86_64-darwin
  x86_64-linux-gnu
  x86_64-linux-musl
 DEPENDENCIES
  activerecord (~> 8.1)
  ansi (~> 1.5)
  async (~> 1.32)
  async-dns (~> 1.4)
  browserstack-local (~> 1.4)
  capybara (~> 3.40)
  curb (~> 1.2)
  em-websocket (~> 0.5.3)
  erubis (~> 2.7)
  espeak-ruby (~> 1.1.0)
  eventmachine (~> 1.2, >= 1.2.7)
  execjs (~> 2.10)
  geckodriver-helper (~> 0.24.0)
  irb (~> 1.16)
  json
  maxmind-db (~> 1.4)
  mime-types (~> 3.7)
  msfrpc-client (~> 1.1, >= 1.1.2)
  net-smtp
  otr-activerecord (~> 2.6.0)
  parseconfig (~> 1.1, >= 1.1.2)
  pry-byebug (~> 3.11)
  qr4r (~> 0.6.1)
  rack (~> 3.2)
  rack-protection (~> 4.2.1)
  rake (~> 13.3)
  rdoc (~> 7.0)
  rest-client (~> 2.1.0)
  rspec (~> 3.13)
  rubocop (~> 1.82.1)
  rubyzip (~> 3.2)
  rushover (~> 0.3.0)
  selenium-webdriver (~> 4.39)
  sinatra (~> 4.1)
  slack-notifier (~> 2.4)
  sqlite3 (~> 2.9)
  term-ansicolor
  test-unit-full (~> 0.0.5)
  thin (~> 2.0)
  uglifier (~> 4.2)
  websocket-client-simple (~> 0.6.1)
  xmlrpc (~> 0.3.3)
 BUNDLED WITH
   2.7.2
--- a/INSTALL.txt
+++ b/INSTALL.txt
@@ -1,7 +1,7 @@
 ===============================================================================
-    Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+    Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-    Browser Exploitation Framework (BeEF) - http://beefproject.com
+    Browser Exploitation Framework (BeEF) - https://beefproject.com
    See the file 'doc/COPYING' for copying permission
 ===============================================================================
@@ -21,9 +21,9 @@ Or cloning the Git repository from Github:
 Prerequisites
 --------------
-BeEF requires Ruby 2.4+.
+BeEF requires Ruby 3.0+.
-If your operating system package manager does not support Ruby version 2.4,
+If your operating system package manager does not support Ruby version 3.0,
 you can add the brightbox ppa repository for the latest version of Ruby:
  $ sudo apt-add-repository -y ppa:brightbox/ruby-ng
@@ -67,5 +67,11 @@ it's best to regularly update BeEF to the latest version.
 If you're using BeEF from the GitHub repository, updating is as simple as:
-  $ git pull
+  $ ./update-beef
 Or pull the latest repo yourself and then update the gems with:
  $ git pull
  $ bundle
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 ===============================================================================
-    Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+    Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-    Browser Exploitation Framework (BeEF) - http://beefproject.com
+    Browser Exploitation Framework (BeEF) - https://beefproject.com
    See the file 'doc/COPYING' for copying permission
 ===============================================================================
@@ -28,21 +28,19 @@ __Bugs:__ https://github.com/beefproject/beef/issues
 __Security Bugs:__ security@beefproject.com
-__IRC:__ ircs://irc.freenode.net/beefproject
+__Twitter:__ [@beefproject](https://twitter.com/beefproject)
 __Twitter:__ @beefproject
 __Discord:__ https://discord.gg/25wT2P8pwx
 Requirements
 ------------
 * Operating System: Mac OSX 10.5.0 or higher / modern Linux. Note: Windows is not supported.
-* [Ruby](http://ruby-lang.org): 2.4 or newer
+* [Ruby](https://www.ruby-lang.org): 3.0 or newer
 * [SQLite](http://sqlite.org): 3.x
-* [Node.js](https://nodejs.org): 6 or newer
+* [Node.js](https://nodejs.org): 10 or newer
 * The gems listed in the Gemfile: https://github.com/beefproject/beef/blob/master/Gemfile
-* Selenium is required on OSX: brew install selenium-server-standalone (See https://github.com/shvets/selenium)
+* Selenium is required on OSX: `brew install selenium-server-standalone` (See https://github.com/shvets/selenium)
 Quick Start
 -----------
@@ -55,13 +53,19 @@ The `install` script installs the required operating system packages and all the
 $ ./install
 ```
-For full installation details, please refer to [INSTALL.txt](https://github.com/beefproject/beef/blob/master/INSTALL.txt).
+For full installation details, please refer to [INSTALL.txt](https://github.com/beefproject/beef/blob/master/INSTALL.txt) or the [Installation](https://github.com/beefproject/beef/wiki/Installation) page on the wiki.
 We also have an [Installation](https://github.com/beefproject/beef/wiki/Installation) page on the wiki.
 Upon successful installation, be sure to read the [Configuration](https://github.com/beefproject/beef/wiki/Configuration) page on the wiki for important details on configuring and securing BeEF.
 Documentation
 ---
 * [User Guide](https://github.com/beefproject/beef/wiki#user-guide)
 * [Frequently Asked Questions](https://github.com/beefproject/beef/wiki/FAQ)
 * [JSdocs](https://beefproject.github.io/beef/index.html)
 Usage
 -----
--- a/155
+++ b/155
@@ -1,64 +1,41 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
-require 'yaml'
+require 'rspec/core/rake_task'
 #require 'pry-byebug'
-task :default => ["quick"]
+task :default => ["short"]
-desc "Run quick tests"
+RSpec::Core::RakeTask.new(:short) do |task|
-task :quick do
+  task.rspec_opts = ['--tag ~run_on_browserstack', '--tag ~run_on_long_tests']
  Rake::Task['unit'].invoke # run unit tests
 end
-desc "Run all tests"
+RSpec::Core::RakeTask.new(:long) do |task|
-task :all do
+  task.rspec_opts = ['--tag ~run_on_browserstack']
  Rake::Task['integration'].invoke # run integration tests
  Rake::Task['unit'].invoke # run unit tests
  Rake::Task['msf'].invoke # run msf tests
 end
-desc "Run automated tests (for Jenkins)"
+RSpec::Core::RakeTask.new(:long_only) do |task|
-task :automated do
+  task.rspec_opts = ['--tag ~run_on_browserstack', '--tag run_on_long_tests']
  Rake::Task['xserver_start'].invoke
  Rake::Task['all'].invoke
  Rake::Task['xserver_stop'].invoke
 end
-desc "Run integration unit tests"
+################################
-task :integration => ["install"] do
+# Browserstack
-  Rake::Task['beef_start'].invoke
+
-  sh "export DISPLAY=:0; cd test/integration;ruby -W0 ts_integration.rb"
+RSpec::Core::RakeTask.new(:browserstack) do |task|
-  Rake::Task['beef_stop'].invoke
+  task.rspec_opts = ['--tag run_on_browserstack']
 end
-desc "Run integration unit tests"
+RSpec::Core::RakeTask.new(:bs) do |task|
-task :unit => ["install"] do
+  configs = Dir["spec/support/browserstack/**/*.yml"]
-  sh "cd test/unit;ruby -W0 ts_unit.rb"
+  configs.each do |config|
-end
+    config = config.split('spec/support/browserstack')[1]
-
+    ENV['CONFIG_FILE'] = config
-desc "Run MSF unit tests"
+    puts "\e[45m#{config.upcase}\e[0m"
-task :msf => ["install", "msf_install"] do
+    task.rspec_opts = ['--tag run_on_browserstack']
-  Rake::Task['msf_update'].invoke
+    Rake::Task['browserstack'].invoke
-  Rake::Task['msf_start'].invoke
+    Rake::Task['browserstack'].reenable
-  sh "cd test/thirdparty/msf/unit/;ruby -W0 ts_metasploit.rb"
+  end
  Rake::Task['msf_stop'].invoke
 end
 desc 'Generate API documentation to doc/rdocs/index.html'
 task :rdoc do
  Rake::Task['rdoc:rerdoc'].invoke
 end
 desc 'rest test examples'
 task :rest_test do
  Rake::Task['beef_start'].invoke
  sh 'cd test/api/; ruby -W2 1333_auth_rate.rb'
  Rake::Task['beef_stop'].invoke
 end
 ################################
@@ -77,7 +54,7 @@ namespace :ssl do
    end
    Rake::Task['ssl:replace'].invoke
  end
-
+  
  desc 'Re-generate SSL certificate'
  task :replace do
    if File.file?('/usr/local/bin/openssl')
@@ -92,6 +69,14 @@ namespace :ssl do
  end
 end
 ################################
 # Generate API documentation
 desc 'Generate API documentation to doc/rdocs/index.html'
 task :rdoc do
  Rake::Task['rdoc:rerdoc'].invoke
 end
 ################################
 # rdoc
@@ -110,15 +95,6 @@ namespace :rdoc do
  end
 end
 ################################
 # Install
 #task :install do
 #  sh "export BEEF_TEST=true"
 #end
 ################################
 # X11 set up
@@ -146,17 +122,16 @@ end
@beef_process_id = nil;
@beef_config_file = 'tmp/rk_beef_conf.yaml';
 task :beef_start => 'beef' do
  # read environment param for creds or use bad_fred
  test_user = ENV['TEST_BEEF_USER'] || 'bad_fred'
  test_pass = ENV['TEST_BEEF_PASS'] || 'bad_fred_no_access'
  # write a rake config file for beef
-  config = YAML.load(File.read('./config.yaml'))
+  config = YAML.safe_load(File.read('./config.yaml'))
  config['beef']['credentials']['user'] = test_user
  config['beef']['credentials']['passwd'] = test_pass
-  Dir.mkdir('tmp') unless Dir.exists?('tmp')
+  Dir.mkdir('tmp') unless Dir.exist?('tmp')
  File.open(@beef_config_file, 'w') { |f| YAML.dump(config, f) }
  # set the environment creds -- in case we're using bad_fred
@@ -221,60 +196,10 @@ file '/tmp/msf-test/msfconsole' do
  sh "cd test;git clone https://github.com/rapid7/metasploit-framework.git /tmp/msf-test"
 end
 ################################
-# Create Mac DMG File
+# ActiveRecord
-
+namespace :db do
-task :dmg do
+  task :environment do
-  puts "\nCreating Working Directory\n";
+    require_relative "beef"
  sh "mkdir dmg";
  sh "mkdir dmg/BeEF";
  sh "rsync * dmg/BeEF --exclude=dmg -r";
  sh "ln -s /Applications dmg/";
  puts "\nCreating DMG File\n"
  sh "hdiutil create ./BeEF.dmg -srcfolder dmg -volname BeEF -ov";
  puts "\nCleaning Up\n"
  sh "rm -r dmg";
  puts "\nBeEF.dmg created\n"
 end
 ################################
 # Create CDE Package
 # This will download and make the CDE Executable and
 # gnereate a CDE Package in cde-package
 task :cde do
  puts "\nCloning and Making CDE...";
  sh "git clone git://github.com/pgbovine/CDE.git";
  Dir.chdir "CDE";
  sh "make";
  Dir.chdir "..";
  puts "\nCreating CDE Package...\n";
  sh "bundle install"
  Rake::Task['cde_beef_start'].invoke
  Rake::Task['beef_stop'].invoke
  puts "\nCleaning Up...\n";
  sleep (2);
  sh "rm -rf CDE";
  puts "\nCDE Package Created...\n";
 end
 ################################
 # CDE/BeEF environment set up
@beef_process_id = nil;
 task :cde_beef_start => 'beef' do
  printf "Starting CDE BeEF (wait 10 seconds)..."
  @beef_process_id = IO.popen("./CDE/cde ruby beef -x 2> /dev/null", "w+")
  delays = [2, 2, 1, 1, 1, 0.5, 0.5, 0.5, 0.3, 0.2, 0.1, 0.1, 0.1, 0.05, 0.05]
  delays.each do |i| # delay for 10 seconds
    printf '.'
    sleep (i)
  end
  puts '.'
 end
 ################################
--- a/6
+++ b/6
@@ -1,7 +1,7 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
-0.4.7.3-alpha
+0.6.0.0
--- a/_config.yml
+++ b/_config.yml
@@ -0,0 +1 @@
 theme: jekyll-theme-minimal
--- a/arerules/alert.json
+++ b/arerules/alert.json
@@ -1,9 +1,5 @@
 {"name": "Display an alert",
  "author": "mgeeky",
  "browser": "ALL",
  "browser_version": "ALL",
  "os": "ALL",
  "os_version": "ALL",
  "modules": [
    {"name": "alert_dialog",
      "condition": null,
--- a/arerules/coinhive_miner.json
+++ b/arerules/coinhive_miner.json
@@ -1,20 +0,0 @@
 {"name": "Start CoinHive JavaScript miner",
  "author": "bcoles",
  "browser": "ALL",
  "browser_version": "ALL",
  "os": "ALL",
  "os_version": "ALL",
  "modules": [
    {"name": "coinhive_miner",
      "condition": null,
      "options": {
        "public_token":"Ofh5MIvjuCBDqwJ9TCTio7TYko0ig5TV",
        "mode":"FORCE_EXCLUSIVE_TAB",
        "mobile_enabled":""
      }
    }
  ],
  "execution_order": [0],
  "execution_delay": [0],
  "chain_mode": "sequential"
 }
--- a/arerules/confirm_close_tab.json
+++ b/arerules/confirm_close_tab.json
@@ -1,9 +1,5 @@
 {"name": "Confirm Close Tab",
  "author": "mgeeky",
  "browser": "ALL",
  "browser_version": "ALL",
  "os": "ALL",
  "os_version": "ALL",
  "modules": [
    {"name": "confirm_close_tab",
      "condition": null,
--- a/arerules/ff_osx_extension-dropper.json
+++ b/arerules/ff_osx_extension-dropper.json
@@ -2,7 +2,6 @@
  "name": "Firefox Extension Dropper",
  "author": "antisnatchor",
  "browser": "FF",
  "browser_version": "ALL",
  "os": "OSX",
  "os_version": ">= 10.8",
  "modules": [{
@@ -17,4 +16,4 @@
  "execution_order": [0],
  "execution_delay": [0],
  "chain_mode": "sequential"
-}
+}
--- a/arerules/get_cookie.json
+++ b/arerules/get_cookie.json
@@ -1,10 +1,6 @@
 {
  "name": "Get Cookie",
  "author": "@benichmt1",
  "browser": "ALL",
  "browser_version": "ALL",
  "os": "ALL",
  "os_version": "ALL",
  "modules": [
    {"name": "get_cookie",
      "condition": null,
--- a/arerules/ie_win_htapowershell.json
+++ b/arerules/ie_win_htapowershell.json
@@ -2,7 +2,6 @@
  "name": "HTA PowerShell",
  "author": "antisnatchor",
  "browser": "IE",
  "browser_version": "ALL",
  "os": "Windows",
  "os_version": ">= 7",
  "modules": [
--- a/arerules/lan_cors_scan.json
+++ b/arerules/lan_cors_scan.json
@@ -1,9 +1,6 @@
 {"name": "LAN CORS Scan",
  "author": "bcoles",
  "browser": ["FF", "C"],
  "browser_version": "ALL",
  "os": "ALL",
  "os_version": "ALL",
  "modules": [
    {"name": "get_internal_ip_webrtc",
      "condition": null,
--- a/arerules/lan_cors_scan_common.json
+++ b/arerules/lan_cors_scan_common.json
@@ -1,9 +1,5 @@
 {"name": "LAN CORS Scan (Common IPs)",
  "author": "bcoles",
  "browser": "ALL",
  "browser_version": "ALL",
  "os": "ALL",
  "os_version": "ALL",
  "modules": [
    {"name": "cross_origin_scanner_cors",
      "condition": null,
--- a/arerules/lan_fingerprint.json
+++ b/arerules/lan_fingerprint.json
@@ -1,9 +1,6 @@
 {"name": "LAN Fingerprint",
  "author": "bcoles",
  "browser": ["FF", "C"],
  "browser_version": "ALL",
  "os": "ALL",
  "os_version": "ALL",
  "modules": [
    {"name": "get_internal_ip_webrtc",
      "condition": null,
--- a/arerules/lan_fingerprint_common.json
+++ b/arerules/lan_fingerprint_common.json
@@ -1,9 +1,5 @@
 {"name": "LAN Fingerprint (Common IPs)",
  "author": "antisnatchor",
  "browser": "ALL",
  "browser_version": "ALL",
  "os": "ALL",
  "os_version": "ALL",
  "modules": [
    {"name": "internal_network_fingerprinting",
      "condition": null,
--- a/arerules/lan_flash_scan.json
+++ b/arerules/lan_flash_scan.json
@@ -1,9 +1,6 @@
 {"name": "LAN Flash Scan",
  "author": "bcoles",
  "browser": ["FF", "C"],
  "browser_version": "ALL",
  "os": "ALL",
  "os_version": "ALL",
  "modules": [
    {"name": "get_internal_ip_webrtc",
      "condition": null,
--- a/arerules/lan_flash_scan_common.json
+++ b/arerules/lan_flash_scan_common.json
@@ -1,9 +1,6 @@
 {"name": "LAN Flash Scan (Common IPs)",
  "author": "bcoles",
  "browser": ["FF", "C"],
  "browser_version": "ALL",
  "os": "ALL",
  "os_version": "ALL",
  "modules": [
    {"name": "cross_origin_scanner_flash",
      "condition": null,
--- a/arerules/lan_http_scan.json
+++ b/arerules/lan_http_scan.json
@@ -1,9 +1,6 @@
 {"name": "LAN HTTP Scan",
  "author": "bcoles",
  "browser": ["FF", "C"],
  "browser_version": "ALL",
  "os": "ALL",
  "os_version": "ALL",
  "modules": [
    {"name": "get_internal_ip_webrtc",
      "condition": null,
--- a/arerules/lan_http_scan_common.json
+++ b/arerules/lan_http_scan_common.json
@@ -1,9 +1,5 @@
 {"name": "LAN HTTP Scan (Common IPs)",
  "author": "bcoles",
  "browser": "ALL",
  "browser_version": "ALL",
  "os": "ALL",
  "os_version": "ALL",
  "modules": [
    {"name": "get_http_servers",
      "condition": null,
--- a/arerules/lan_ping_sweep.json
+++ b/arerules/lan_ping_sweep.json
@@ -1,9 +1,6 @@
 {"name": "LAN Ping Sweep",
  "author": "bcoles",
  "browser": "FF",
  "browser_version": "ALL",
  "os": "ALL",
  "os_version": "ALL",
  "modules": [
    {"name": "get_internal_ip_webrtc",
      "condition": null,
--- a/arerules/lan_ping_sweep_common.json
+++ b/arerules/lan_ping_sweep_common.json
@@ -1,9 +1,6 @@
 {"name": "LAN Ping Sweep (Common IPs)",
  "author": "bcoles",
  "browser": "FF",
  "browser_version": "ALL",
  "os": "ALL",
  "os_version": "ALL",
  "modules": [
    {"name": "ping_sweep",
      "condition": null,
--- a/arerules/lan_port_scan.json
+++ b/arerules/lan_port_scan.json
@@ -0,0 +1,25 @@
 {"name": "LAN Port Scan",
  "author": "aburro & aussieklutz",
  "modules": [
    {"name": "get_internal_ip_webrtc",
      "condition": null,
      "code": null,
      "options": {}
    },
    {"name": "port_scanner",
      "condition": "status==1",
      "code": "var s=get_internal_ip_webrtc_mod_output.split('.');var start = s[0]+'.'+s[1]+'.'+s[2]+'.'+s[3]; var mod_input = start;",
      "options": {
        "ipHost":"<<mod_input>>",
        "ports":"80,8080",
        "closetimeout":"1100",
        "opentimeout":"2500",
        "delay":"600",
        "debug":"false"
      }
    }
  ],
  "execution_order": [0, 1],
  "execution_delay": [0, 0],
  "chain_mode": "nested-forward"
 }
--- a/arerules/lan_sw_port_scan.json
+++ b/arerules/lan_sw_port_scan.json
@@ -0,0 +1,21 @@
 {"name": "LAN SW Port Scan",
  "author": "aburro & aussieklutz",
  "modules": [
    {"name": "get_internal_ip_webrtc",
      "condition": null,
      "code": null,
      "options": {}
    },
    {"name": "sw_port_scanner",
      "condition": "status==1",
      "code": "var s=get_internal_ip_webrtc_mod_output.split('.');var start = s[0]+'.'+s[1]+'.'+s[2]+'.'+s[3]; var mod_input = start;",
      "options": {
        "ipHost":"192.168.1.10",
        "ports":"80,8080"
      }
    }
  ],
  "execution_order": [0, 1],
  "execution_delay": [0, 0],
  "chain_mode": "nested-forward"
 }
--- a/arerules/man_in_the_browser.json
+++ b/arerules/man_in_the_browser.json
@@ -1,9 +1,5 @@
 {"name": "Perform Man-In-The-Browser",
  "author": "mgeeky",
  "browser": "ALL",
  "browser_version": "ALL",
  "os": "ALL",
  "os_version": "ALL",
  "modules": [
    {"name": "man_in_the_browser",
      "condition": null,
--- a/arerules/raw_javascript.json
+++ b/arerules/raw_javascript.json
@@ -1,10 +1,6 @@
 {
  "name": "Raw JavaScript",
  "author": "wade@bindshell.net",
  "browser": "ALL",
  "browser_version": "ALL",
  "os": "ALL",
  "os_version": "ALL",
  "modules": [
    {"name": "raw_javascript",
      "condition": null,
--- a/arerules/record_snapshots.json
+++ b/arerules/record_snapshots.json
@@ -1,9 +1,5 @@
 {"name": "Collects multiple snapshots of the webpage within Same-Origin",
  "author": "mgeeky",
  "browser": ["FF", "C", "O", "IE", "S"],
  "browser_version": "ALL",
  "os": "ALL",
  "os_version": "ALL",
  "modules": [
    {"name": "spyder_eye",
      "condition": null,
--- a/arerules/win_fake_malware.json
+++ b/arerules/win_fake_malware.json
@@ -2,10 +2,7 @@
 {
  "name": "Windows Fake Malware",
  "author": "bcoles",
  "browser": "ALL",
  "browser_version": "ALL",
  "os": "Windows",
  "os_version": "ALL",
  "modules": [
    {
      "name": "blockui",
--- a/124
+++ b/124
@@ -1,8 +1,8 @@
 #!/usr/bin/env ruby
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
@@ -12,11 +12,12 @@
 $VERBOSE = nil
 #
-# @note Version check to ensure BeEF is running Ruby 2.4+
+# @note Version check to ensure BeEF is running Ruby 3.0+
 #
-if RUBY_VERSION < '2.4'
+min_ruby_version = '3.0'
 if RUBY_VERSION < min_ruby_version
  puts
-  puts "Ruby version #{RUBY_VERSION} is no longer supported. Please upgrade to Ruby version 2.4 or later."
+  puts "Ruby version #{RUBY_VERSION} is no longer supported. Please upgrade to Ruby version #{min_ruby_version} or later."
  puts
  exit 1
 end
@@ -42,6 +43,28 @@ $home_dir = File.expand_path("#{Dir.home}/.beef/", __FILE__).freeze
 # @note Require core loader
 #
 require 'core/loader'
 require 'timeout'
 #
 # @note Ask user if they would like to update beef
 #
 if File.exist?("#{$root_dir}git") && BeEF::Core::Console::CommandLine.parse[:update_disabled] == false
  if BeEF::Core::Console::CommandLine.parse[:update_auto] == true
    print 'Checking latest BeEF repository and updating'
    `git pull && bundle`
  elsif `git rev-parse master` != `git rev-parse origin/master`
    begin
      Timeout.timeout(5) do
        puts '-- BeEF Update Available --'
        print 'Would you like to update to lastest version? y/n: '
        response = gets
        `git pull && bundle` if response&.strip == 'y'
      end
    rescue Timeout::Error
      puts "\nUpdate Skipped with input timeout"
    end
  end
 end
 #
 # @note Create ~/.beef/
@@ -109,21 +132,13 @@ end
 #
 # @note Validate beef.http.public and beef.http.public_port
 #
-unless config.get('beef.http.public').to_s.eql?('') || BeEF::Filters.is_valid_hostname?(config.get('beef.http.public'))
+unless config.get('beef.http.public.host').to_s.eql?('') || BeEF::Filters.is_valid_hostname?(config.get('beef.http.public.host'))
-  print_error "ERROR: Invalid public hostname: #{config.get('beef.http.public')}"
+  print_error "ERROR: Invalid public hostname: #{config.get('beef.http.public.host')}"
  exit 1
 end
-unless config.get('beef.http.public_port').to_s.eql?('') || BeEF::Filters.is_valid_port?(config.get('beef.http.public_port'))
+unless config.get('beef.http.public.port').to_s.eql?('') || BeEF::Filters.is_valid_port?(config.get('beef.http.public.port'))
-  print_error "ERROR: Invalid public port: #{config.get('beef.http.public_port')}"
+  print_error "ERROR: Invalid public port: #{config.get('beef.http.public.port')}"
  exit 1
 end
 #
 # @note Validate database driver
 #
 unless ['sqlite', 'postgres', 'mysql'].include? config.get('beef.database.driver')
  print_error 'No default database selected. Please add one in config.yaml'
  exit 1
 end
@@ -160,43 +175,38 @@ BeEF::Modules.load
 Socket.do_not_reverse_lookup = true
 #
-# @note Database setup - use DataMapper::Logger.new($stdout, :debug) for development debugging
+# @note Database setup
 #
 case config.get("beef.database.driver")
  when "sqlite"
    DataMapper.setup(:default, "sqlite3://#{$root_dir}/#{config.get("beef.database.db_file")}")
  when "mysql", "postgres"
    DataMapper.setup(:default,
                     :adapter => config.get("beef.database.driver"),
                     :host => config.get("beef.database.db_host"),
                     :port => config.get("beef.database.db_port"),
                     :username => config.get("beef.database.db_user"),
                     :password => config.get("beef.database.db_passwd"),
                     :database => config.get("beef.database.db_name"),
                     :encoding => config.get("beef.database.db_encoding")
    )
  else
    print_error 'No default database selected. Please add one in config.yaml'
    exit 1
 end
 #
 # @note Load the database
 #
-begin
+db_file = config.get('beef.database.file')
-  # @note Resets the database if the -x flag was passed
+# @note Resets the database if the -x flag was passed
-  if BeEF::Core::Console::CommandLine.parse[:resetdb]
+if BeEF::Core::Console::CommandLine.parse[:resetdb]
-    print_info 'Resetting the database for BeEF.'
+  print_info 'Resetting the database for BeEF.'
-    DataMapper.auto_migrate!
+  begin
-  else
+    File.delete(db_file) if File.exist?(db_file)
-    DataMapper.auto_upgrade!
+  rescue => e
    print_error("Could not remove '#{db_file}' database file: #{e.message}")
    exit(1)
  end
-rescue => e
+end
-  print_error "Could not connect to database: #{e.message}"
+
-  if config.get("beef.database.driver") == 'sqlite'
+# Connect to DB
-    print_error "Ensure the #{$root_dir}/#{config.get("beef.database.db_file")} database file is writable"
+ActiveRecord::Base.logger = nil
-  end
+OTR::ActiveRecord.configure_from_hash!(adapter:'sqlite3', database:db_file)
-  exit 1
+# otr-activerecord require you to manually establish the connection with the following line
 #Also a check to confirm that the correct Gem version is installed to require it, likely easier for old systems.
 if Gem.loaded_specs['otr-activerecord'].version > Gem::Version.create('1.4.2')
  OTR::ActiveRecord.establish_connection!
 end
 # Migrate (if required)
 ActiveRecord::Migration.verbose = false # silence activerecord migration stdout messages
 ActiveRecord::Migrator.migrations_paths = [File.join('core', 'main', 'ar-migrations')]
 context = ActiveRecord::MigrationContext.new(ActiveRecord::Migrator.migrations_paths)
 if context.needs_migration?
  ActiveRecord::Migrator.new(:up, context.migrations, context.schema_migration, context.internal_metadata).migrate
 end
 #
@@ -207,7 +217,12 @@ print_info 'BeEF is loading. Wait a few seconds...'
 #
 # @note Execute migration procedure, checks for new modules
 #
-BeEF::Core::Migration.instance.update_db!
+begin
  BeEF::Core::Migration.instance.update_db!
 rescue => e
  print_error("Could not update '#{db_file}' database file: #{e.message}")
  exit(1)
 end
 #
 # @note Create HTTP Server and prepare it to run
@@ -215,6 +230,13 @@ BeEF::Core::Migration.instance.update_db!
 http_hook_server = BeEF::Core::Server.instance
 http_hook_server.prepare
 begin
  BeEF::Core::Logger.instance.register('System', 'BeEF server started')
 rescue => e
  print_error("Database connection failed: #{e.message}")
  exit(1)
 end
 #
 # @note Prints information back to the user before running the server
 #
@@ -222,6 +244,8 @@ BeEF::Core::Console::Banners.print_loaded_extensions
 BeEF::Core::Console::Banners.print_loaded_modules
 BeEF::Core::Console::Banners.print_network_interfaces_count
 BeEF::Core::Console::Banners.print_network_interfaces_routes
 BeEF::Core::Console::Banners.print_http_proxy
 BeEF::Core::Console::Banners.print_dns
 #
 # @note Prints the API key needed to use the RESTful API
--- a/conf.json
+++ b/conf.json
@@ -0,0 +1,16 @@
 {
    "source": {
        "include": ["./core/main/client"],
        "includePattern": ".js$"
    },
    "plugins": [
        "plugins/markdown"
    ],
    "opts": {
        "encoding": "utf8",
        "readme": "./README.md",
        "destination": "docs/",
        "recurse": true,
        "verbose": true
    }
 }
--- a/config.yaml
+++ b/config.yaml
@@ -1,12 +1,12 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 # BeEF Configuration file
 beef:
-    version: '0.4.7.3-alpha'
+    version: '0.6.0.0'
    # More verbose messages (server-side)
    debug: false
    # More verbose messages (client-side)
@@ -27,10 +27,12 @@ beef:
        # subnet of IP addresses that can connect to the admin UI
        #permitted_ui_subnet: ["127.0.0.1/32", "::1/128"]
        permitted_ui_subnet: ["0.0.0.0/0", "::/0"]
        # subnet of IP addresses that cannot be hooked by the framework
        excluded_hooking_subnet: []
        # slow API calls to 1 every  api_attempt_delay  seconds
        api_attempt_delay: "0.05"
-    # HTTP server
+    # HTTP server 
    http:
        debug: false #Thin::Logging.debug, very verbose. Prints also full exception stack trace.
        host: "0.0.0.0"
@@ -43,16 +45,24 @@ beef:
        # Enabling WebSockets is generally better (beef.websocket.enable)
        xhr_poll_timeout: 1000
-        # Host Name / Domain Name
+        # Public Domain Name / Reverse Proxy / Port Forwarding
-        # If you want BeEF to be accessible via hostname or domain name (ie, DynDNS),
+        #
-        #   set the public hostname below:
+        # In order for the client-side BeEF JavaScript hook to be able to connect to BeEF,
-        #public: ""      # public hostname/IP address
+        # the hook JavaScript needs to be generated with the correct connect-back details.
        #
        # If you're using a public domain name, reverse proxy, or port forwarding you must
        # configure the public-facing connection details here.
-        # Reverse Proxy / NAT
+        #public:
-        # If you want BeEF to be accessible behind a reverse proxy or NAT,
+        #    host: "beef.local" # public hostname/IP address
-        #   set both the publicly accessible hostname/IP address and port below:
+        #    port: "443" # public port (443 if the public server is using HTTPS)
-        #public: ""      # public hostname/IP address
+        #    https: false # true/false
-        #public_port: "" # public port (experimental)
+
        # If using any reverse proxy you should also set allow_reverse_proxy to true below.
        # Note that this causes the BeEF server to trust the X-Forwarded-For HTTP header.
        # If the BeEF server is directly accessible, clients can spoof their connecting
        # IP address using this header to bypass the IP address permissions/exclusions.
        allow_reverse_proxy: false
        # Hook
        hook_file: "/hook.js"
@@ -72,7 +82,7 @@ beef:
            # NOTE: works only on HTTPS domains and with HTTPS support enabled in BeEF
            secure: true
            secure_port: 61986 # WSSecure
-            ws_poll_timeout: 1000 # poll BeEF every second
+            ws_poll_timeout: 5000 # poll BeEF every x second, this affects how often the browser can have a command execute on it
            ws_connect_timeout: 500 # useful to help fingerprinting finish before establishing the WS channel
        # Imitate a specified web server (default root page, 404 default error page, 'Server' HTTP response header)
@@ -90,28 +100,7 @@ beef:
            cert: "beef_cert.pem"
    database:
-        # For information on using other databases please read the
+        file: "beef.db"
        # README.databases file
        # supported DBs: sqlite, mysql, postgres
        # NOTE: you must change the Gemfile adding a gem require line like:
        #   gem "dm-postgres-adapter"
        # or
        #   gem "dm-mysql-adapter"
        # if you want to switch drivers from sqlite to postgres (or mysql).
        # Finally, run a 'bundle install' command and start BeEF.
        driver: "sqlite"
        # db_file is only used for sqlite
        db_file: "beef.db"
        # db connection information is only used for mysql/postgres
        db_host: "localhost"
        db_port: 3306
        db_name: "beef"
        db_user: "beef"
        db_passwd: "beef"
        db_encoding: "UTF-8"
    # Autorun Rule Engine
    autorun:
@@ -130,17 +119,10 @@ beef:
    dns_hostname_lookup: false
    # IP Geolocation
    # NOTE: requires MaxMind database. Run ./updated-geoipdb to install.
    geoip:
        enable: true
-        database: '/opt/GeoIP/GeoLite2-City.mmdb'
+        # GeoLite2 City database created by MaxMind, available from https://www.maxmind.com
-
+        database: '/usr/share/GeoIP/GeoLite2-City.mmdb'
    # Integration with PhishingFrenzy
    # If enabled BeEF will try to get the UID parameter value from the hooked URI, as this is used by PhishingFrenzy
    # to uniquely identify the victims. In this way you can easily associate phishing emails with hooked browser.
    integration:
        phishing_frenzy:
            enable: false
    # You may override default extension configuration parameters here
    # Note: additional experimental extensions are available in the 'extensions' directory
@@ -164,6 +146,6 @@ beef:
        metasploit:
            enable: false
        social_engineering:
-            enable: true
+            enable: false
        xssrays:
            enable: true
--- a/core/api.rb
+++ b/core/api.rb
@@ -1,12 +1,11 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
  module API
    #
    # Registrar class to handle all registered timed API calls
    #
@@ -24,26 +23,26 @@ module BeEF
      # Register timed API calls to an owner
      #
      # @param [Class] owner the owner of the API hook
-      # @param [Class] c the API class the owner would like to hook into
+      # @param [Class] clss the API class the owner would like to hook into
      # @param [String] method the method of the class the owner would like to execute
      # @param [Array] params an array of parameters that need to be matched before the owner will be called
      #
-      def register(owner, c, method, params = [])
+      def register(owner, clss, method, params = [])
-        unless verify_api_path(c, method)
+        unless verify_api_path(clss, method)
-          print_error "API Registrar: Attempted to register non-existant API method #{c} :#{method}"
+          print_error "API Registrar: Attempted to register non-existent API method #{clss} :#{method}"
          return
        end
-        if registered?(owner, c, method, params)
+        if registered?(owner, clss, method, params)
-          print_debug "API Registrar: Attempting to re-register API call #{c} :#{method}"
+          print_debug "API Registrar: Attempting to re-register API call #{clss} :#{method}"
          return
        end
        id = @count
        @registry << {
-          'id'     => id,
+          'id' => id,
-          'owner'  => owner,
+          'owner' => owner,
-          'class'  => c,
+          'class' => clss,
          'method' => method,
          'params' => params
        }
@@ -56,18 +55,19 @@ module BeEF
      # Tests whether the owner is registered for an API hook
      #
      # @param [Class] owner the owner of the API hook
-      # @param [Class] c the API class
+      # @param [Class] clss the API class
      # @param [String] method the method of the class
      # @param [Array] params an array of parameters that need to be matched
      #
      # @return [Boolean] whether or not the owner is registered
      #
-      def registered?(owner, c, method, params = [])
+      def registered?(owner, clss, method, params = [])
        @registry.each do |r|
          next unless r['owner'] == owner
-          next unless r['class'] == c
+          next unless r['class'] == clss
          next unless r['method'] == method
          next unless is_matched_params? r, params
          return true
        end
        false
@@ -76,17 +76,18 @@ module BeEF
      #
      # Match a timed API call to determine if an API.fire() is required
      #
-      # @param [Class] c the target API class
+      # @param [Class] clss the target API class
      # @param [String] method the method of the target API class
      # @param [Array] params an array of parameters that need to be matched
      #
      # @return [Boolean] whether or not the arguments match an entry in the API registry
      #
-      def matched?(c, method, params = [])
+      def matched?(clss, method, params = [])
        @registry.each do |r|
-          next unless r['class'] == c
+          next unless r['class'] == clss
          next unless r['method'] == method
          next unless is_matched_params? r, params
          return true
        end
        false
@@ -98,24 +99,25 @@ module BeEF
      # @param [Integer] id the ID of the API hook
      #
      def unregister(id)
-        @registry.delete_if {|r| r['id'] == id }
+        @registry.delete_if { |r| r['id'] == id }
      end
      #
      # Retrieves all the owners and ID's of an API hook
-      # @param [Class] c the target API class
+      # @param [Class] clss the target API class
      # @param [String] method the method of the target API class
      # @param [Array] params an array of parameters that need to be matched
      #
      # @return [Array] an array of hashes consisting of two keys :owner and :id
      #
-      def get_owners(c, method, params = [])
+      def get_owners(clss, method, params = [])
        owners = []
        @registry.each do |r|
-          next unless r['class'] == c
+          next unless r['class'] == clss
          next unless r['method'] == method
          next unless is_matched_params? r, params
-          owners << { :owner => r['owner'], :id => r['id'] }
+
          owners << { owner: r['owner'], id: r['id'] }
        end
        owners
      end
@@ -126,23 +128,23 @@ module BeEF
      #
      # @note This is a security precaution
      #
-      # @param [Class] c the target API class to verify
+      # @param [Class] clss the target API class to verify
-      # @param [String] m the target method to verify
+      # @param [String] mthd the target method to verify
      #
-      def verify_api_path(c, m)
+      def verify_api_path(clss, mthd)
-        (c.const_defined?('API_PATHS') && c.const_get('API_PATHS').key?(m))
+        (clss.const_defined?('API_PATHS') && clss.const_get('API_PATHS').key?(mthd))
      end
      #
      # Retrieves the registered symbol reference for an API hook
      #
-      # @param [Class] c the target API class to verify
+      # @param [Class] clss the target API class to verify
-      # @param [String] m the target method to verify
+      # @param [String] mthd the target method to verify
      #
      # @return [Symbol] the API path
      #
-      def get_api_path(c, m)
+      def get_api_path(clss, mthd)
-        verify_api_path(c, m) ? c.const_get('API_PATHS')[m] : nil
+        verify_api_path(clss, mthd) ? clss.const_get('API_PATHS')[mthd] : nil
      end
      #
@@ -171,36 +173,32 @@ module BeEF
      #
      # Fires all owners registered to this API hook
      #
-      # @param [Class] c the target API class
+      # @param [Class] clss the target API class
-      # @param [String] m the target API method
+      # @param [String] mthd the target API method
      # @param [Array] *args parameters passed for the API call
      #
      # @return [Hash, NilClass] returns either a Hash of :api_id and :data
      #         if the owners return data, otherwise NilClass
      #
-      def fire(c, m, *args)
+      def fire(clss, mthd, *args)
-        mods = get_owners(c, m, args)
+        mods = get_owners(clss, mthd, args)
        return nil unless mods.length.positive?
-        unless verify_api_path(c, m) && c.ancestors[0].to_s > 'BeEF::API'
+        unless verify_api_path(clss, mthd) && clss.ancestors.first.to_s.start_with?('BeEF::API')
-          print_error "API Path not defined for Class: #{c} method:#{method}"
+          print_error "API Path not defined for Class: #{clss} method: #{mthd}"
          return []
        end
        data = []
-        method = get_api_path(c, m)
+        method = get_api_path(clss, mthd)
        mods.each do |mod|
-          begin
+          # Only used for API Development (very verbose)
-            # Only used for API Development (very verbose)
+          # print_info "API: #{mod} fired #{method}"
            # print_info "API: #{mod} fired #{method}"
-            result = mod[:owner].method(method).call(*args)
+          result = mod[:owner].method(method).call(*args)
-            unless result.nil?
+          data << { api_id: mod[:id], data: result } unless result.nil?
-              data << { :api_id => mod[:id], :data => result }
+        rescue StandardError => e
-            end
+          print_error "API Fire Error: #{e.message} in #{mod}.#{method}()"
          rescue => e
            print_error "API Fire Error: #{e.message} in #{mod}.#{method}()"
          end
        end
        data
@@ -214,8 +212,7 @@ require 'core/api/modules'
 require 'core/api/extension'
 require 'core/api/extensions'
 require 'core/api/main/migration'
-require 'core/api/main/network_stack/assethandler.rb'
+require 'core/api/main/network_stack/assethandler'
 require 'core/api/main/server'
 require 'core/api/main/server/hook'
 require 'core/api/main/configuration'
--- a/core/api/extension.rb
+++ b/core/api/extension.rb
@@ -1,20 +1,17 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
  module API
    module Extension
      attr_reader :full_name, :short_name, :description
      @full_name = ''
      @short_name = ''
      @description = ''
    end
  end
 end
--- a/core/api/extensions.rb
+++ b/core/api/extensions.rb
@@ -1,21 +1,18 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
  module API
    module Extensions
      # @note Defined API Paths
      API_PATHS = {
-          'post_load' => :post_load
+        'post_load' => :post_load
-      }
+      }.freeze
      # API hook fired after all extensions have been loaded
-      def post_load;
+      def post_load; end
      end
    end
  end
 end
--- a/core/api/main/configuration.rb
+++ b/core/api/main/configuration.rb
@@ -1,22 +1,19 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
-module API
+  module API
-  module Configuration 
+    module Configuration
-    
+      # @note Defined API Paths
-    # @note Defined API Paths
+      API_PATHS = {
    API_PATHS = {
        'module_configuration_load' => :module_configuration_load
-    }
+      }.freeze
    # Fires just after module configuration is loaded and merged
    # @param [String] mod module key
    def module_configuration_load(mod); end
      # Fires just after module configuration is loaded and merged
      # @param [String] mod module key
      def module_configuration_load(mod); end
    end
  end
 end
 end
--- a/core/api/main/migration.rb
+++ b/core/api/main/migration.rb
@@ -1,21 +1,18 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
-module API
+  module API
-  module Migration
+    module Migration
-    
+      # @note Defined API Paths
-    # @note Defined API Paths
+      API_PATHS = {
    API_PATHS = {
        'migrate_commands' => :migrate_commands
-    }
+      }.freeze
-    # Fired just after the migration process
+      # Fired just after the migration process
-    def migrate_commands; end
+      def migrate_commands; end
-    
+    end
  end
 end
 end
--- a/core/api/main/network_stack/assethandler.rb
+++ b/core/api/main/network_stack/assethandler.rb
@@ -1,36 +1,34 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
-module API
+  module API
-module NetworkStack
+    module NetworkStack
-module Handlers
+      module Handlers
-module AssetHandler
+        module AssetHandler
          # Binds a file to be accessible by the hooked browser
          # @param [String] file file to be served
          # @param [String] path URL path to be bound, if no path is specified a randomly generated one will be used
          # @param [String] extension to be used in the URL
          # @param [Integer] count amount of times the file can be accessed before being automatically unbound. (-1 = no limit)
          # @return [String] URL bound to the specified file
          # @todo Add hooked browser parameter to only allow specified hooked browsers access to the bound URL. Waiting on Issue #336
          # @note This is a direct API call and does not have to be registered to be used
          def self.bind(file, path = nil, extension = nil, count = -1)
            BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind(file, path, extension, count)
          end
-    # Binds a file to be accessible by the hooked browser
+          # Unbinds a file made accessible to hooked browsers
-    # @param [String] file file to be served
+          # @param [String] url the bound URL
-    # @param [String] path URL path to be bound, if no path is specified a randomly generated one will be used
+          # @todo Add hooked browser parameter to only unbind specified hooked browsers binds. Waiting on Issue #336
-    # @param [String] extension to be used in the URL
+          # @note This is a direct API call and does not have to be registered to be used
-    # @param [Integer] count amount of times the file can be accessed before being automatically unbound. (-1 = no limit)
+          def self.unbind(url)
-    # @return [String] URL bound to the specified file
+            BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind(url)
-    # @todo Add hooked browser parameter to only allow specified hooked browsers access to the bound URL. Waiting on Issue #336
+          end
-    # @note This is a direct API call and does not have to be registered to be used
+        end
-    def self.bind(file, path=nil, extension=nil, count=-1)
+      end
        return BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind(file, path, extension, count)
    end
-
+  end
    # Unbinds a file made accessible to hooked browsers
    # @param [String] url the bound URL
    # @todo Add hooked browser parameter to only unbind specified hooked browsers binds. Waiting on Issue #336
    # @note This is a direct API call and does not have to be registered to be used
    def self.unbind(url)
        BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind(url)
    end
 end
 end
 end
 end
 end
--- a/core/api/main/server.rb
+++ b/core/api/main/server.rb
@@ -1,43 +1,40 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
-module API
+  module API
-module Server
+    module Server
-
+      # @note Defined API Paths
-    # @note Defined API Paths
+      API_PATHS = {
    API_PATHS = {
        'mount_handler' => :mount_handler,
        'pre_http_start' => :pre_http_start
-    }
+      }.freeze
    # Fires just before the HTTP Server is started
    # @param [Object] http_hook_server HTTP Server object
    def pre_http_start(http_hook_server); end
    # Fires just after handlers have been mounted
    # @param [Object] server HTTP Server object
    def mount_handler(server); end
    # Mounts a handler
    # @param [String] url URL to be mounted
    # @param [Class] http_handler_class the handler Class
    # @param [Array] args an array of arguments
    # @note This is a direct API call and does not have to be registered to be used
    def self.mount(url, http_handler_class, args = nil)
      BeEF::Core::Server.instance.mount(url, http_handler_class, *args)
    end
-    # Unmounts a handler
+      # Fires just before the HTTP Server is started
-    # @param [String] url URL to be unmounted
+      # @param [Object] http_hook_server HTTP Server object
-    # @note This is a direct API call and does not have to be registered to be used
+      def pre_http_start(http_hook_server); end
-    def self.unmount(url)
+
      # Fires just after handlers have been mounted
      # @param [Object] server HTTP Server object
      def mount_handler(server); end
      # Mounts a handler
      # @param [String] url URL to be mounted
      # @param [Class] http_handler_class the handler Class
      # @param [Array] args an array of arguments
      # @note This is a direct API call and does not have to be registered to be used
      def self.mount(url, http_handler_class, args = nil)
        BeEF::Core::Server.instance.mount(url, http_handler_class, *args)
      end
      # Unmounts a handler
      # @param [String] url URL to be unmounted
      # @note This is a direct API call and does not have to be registered to be used
      def self.unmount(url)
        BeEF::Core::Server.instance.unmount(url)
      end
    end
-
+  end
 end
 end
 end
--- a/core/api/main/server/hook.rb
+++ b/core/api/main/server/hook.rb
@@ -1,24 +1,21 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
-module API
+  module API
-module Server
+    module Server
-  module Hook 
+      module Hook
        # @note Defined API Paths
        API_PATHS = {
          'pre_hook_send' => :pre_hook_send
        }.freeze
-    # @note Defined API Paths
+        # Fires just before the hook is sent to the hooked browser
-    API_PATHS = {
+        # @param [Class] handler the associated handler Class
-        'pre_hook_send' => :pre_hook_send
+        def pre_hook_send(handler); end
-    }
+      end
-    
+    end
    # Fires just before the hook is sent to the hooked browser
    # @param [Class] handler the associated handler Class
    def pre_hook_send(handler); end
  end
 end
 end
 end
--- a/core/api/module.rb
+++ b/core/api/module.rb
@@ -1,26 +1,24 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
  module API
    module Command
    end
    module Module
      # @note Defined API Paths
      API_PATHS = {
-          'pre_soft_load' => :pre_soft_load,
+        'pre_soft_load' => :pre_soft_load,
-          'post_soft_load' => :post_soft_load,
+        'post_soft_load' => :post_soft_load,
-          'pre_hard_load' => :pre_hard_load,
+        'pre_hard_load' => :pre_hard_load,
-          'post_hard_load' => :post_hard_load,
+        'post_hard_load' => :post_hard_load,
-          'get_options' => :get_options,
+        'get_options' => :get_options,
-          'get_payload_options' => :get_payload_options,
+        'get_payload_options' => :get_payload_options,
-          'override_execute' => :override_execute
+        'override_execute' => :override_execute
-      }
+      }.freeze
      # Fired before a module soft load
      # @param [String] mod module key of module about to be soft loaded
@@ -54,8 +52,6 @@ module BeEF
      # @return [Hash] a hash of options
      # @note the option hash is merged with all other API hook's returned hash. Hooking this API method prevents the default options being returned.
      def get_payload_options; end
    end
  end
 end
--- a/core/api/modules.rb
+++ b/core/api/modules.rb
@@ -1,22 +1,18 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
  module API
    module Modules
      # @note Defined API Paths
      API_PATHS = {
-          'post_soft_load' => :post_soft_load
+        'post_soft_load' => :post_soft_load
-      }
+      }.freeze
      # Fires just after all modules are soft loaded
      def post_soft_load; end
    end
  end
 end
--- a/core/bootstrap.rb
+++ b/core/bootstrap.rb
@@ -1,11 +1,10 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
  module Core
  end
 end
@@ -13,10 +12,11 @@ end
 require 'core/main/router/router'
 require 'core/main/router/api'
 ## @note Include http server functions for beef
 require 'core/main/server'
 require 'core/main/handlers/modules/beefjs'
 require 'core/main/handlers/modules/legacybeefjs'
 require 'core/main/handlers/modules/multistagebeefjs'
 require 'core/main/handlers/modules/command'
 require 'core/main/handlers/commands'
 require 'core/main/handlers/hookedbrowsers'
@@ -30,8 +30,6 @@ require 'core/main/network_stack/assethandler'
 require 'core/main/network_stack/api'
 # @note Include the autorun engine
 require 'core/main/autorun_engine/models/rule'
 require 'core/main/autorun_engine/models/execution'
 require 'core/main/autorun_engine/parser'
 require 'core/main/autorun_engine/engine'
 require 'core/main/autorun_engine/rule_loader'
--- a/core/core.rb
+++ b/core/core.rb
@@ -1,15 +1,15 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
-module Core
+  module Core
-  
+  end
 end
 end
 # @note Includes database models - the order must be consistent otherwise DataMapper goes crazy
 require 'core/main/model'
 require 'core/main/models/commandmodule'
 require 'core/main/models/hookedbrowser'
 require 'core/main/models/log'
@@ -17,6 +17,9 @@ require 'core/main/models/command'
 require 'core/main/models/result'
 require 'core/main/models/optioncache'
 require 'core/main/models/browserdetails'
 require 'core/main/models/rule'
 require 'core/main/models/execution'
 require 'core/main/models/legacybrowseruseragents'
 # @note Include the constants
 require 'core/main/constants/browsers'
@@ -35,4 +38,3 @@ require 'core/main/geoip'
 # @note Include the command line parser and the banner printer
 require 'core/main/console/commandline'
 require 'core/main/console/banners'
--- a/core/extension.rb
+++ b/core/extension.rb
@@ -1,11 +1,10 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
  module Extension
    # Checks to see if extension is set inside the configuration
    # @param [String] ext the extension key
    # @return [Boolean] whether or not the extension exists in BeEF's configuration
@@ -15,9 +14,10 @@ module BeEF
    # Checks to see if extension is enabled in configuration
    # @param [String] ext the extension key
-    # @return [Boolean] whether or not the extension is enabled 
+    # @return [Boolean] whether or not the extension is enabled
    def self.is_enabled(ext)
      return false unless is_present(ext)
      BeEF::Core::Configuration.instance.get("beef.extension.#{ext}.enable") == true
    end
@@ -26,10 +26,11 @@ module BeEF
    # @return [Boolean] whether or not the extension is loaded
    def self.is_loaded(ext)
      return false unless is_enabled(ext)
      BeEF::Core::Configuration.instance.get("beef.extension.#{ext}.loaded") == true
    end
-    # Loads an extension 
+    # Loads an extension
    # @param [String] ext the extension key
    # @return [Boolean] whether or not the extension loaded successfully
    def self.load(ext)
@@ -41,7 +42,7 @@ module BeEF
      end
      print_error "Unable to load extension '#{ext}'"
      false
-    rescue => e
+    rescue StandardError => e
      print_error "Unable to load extension '#{ext}':"
      print_more e.message
    end
--- a/core/extensions.rb
+++ b/core/extensions.rb
@@ -1,32 +1,40 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
  module Extensions
    # Returns configuration of all enabled extensions
    # @return [Array] an array of extension configuration hashes that are enabled
    def self.get_enabled
-      BeEF::Core::Configuration.instance.get('beef.extension').select { |k,v| v['enable'] == true }
+      BeEF::Core::Configuration.instance.get('beef.extension').select { |_k, v| v['enable'] == true }
    rescue StandardError => e
      print_error "Failed to get enabled extensions: #{e.message}"
      print_error e.backtrace
    end
    # Returns configuration of all loaded extensions
    # @return [Array] an array of extension configuration hashes that are loaded
    def self.get_loaded
-      BeEF::Core::Configuration.instance.get('beef.extension').select {|k,v| v['loaded'] == true }
+      BeEF::Core::Configuration.instance.get('beef.extension').select { |_k, v| v['loaded'] == true }
    rescue StandardError => e
      print_error "Failed to get loaded extensions: #{e.message}"
      print_error e.backtrace
    end
    # Load all enabled extensions
    # @note API fire for post_load
    def self.load
      BeEF::Core::Configuration.instance.load_extensions_config
-      self.get_enabled.each { |k,v|
+      get_enabled.each do |k, _v|
        BeEF::Extension.load k
-      }
+      end
      # API post extension load
      BeEF::API::Registrar.instance.fire BeEF::API::Extensions, 'post_load'
    rescue StandardError => e
      print_error "Failed to load extensions: #{e.message}"
      print_error e.backtrace
    end
  end
 end
--- a/core/filters.rb
+++ b/core/filters.rb
@@ -1,11 +1,10 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
  module Filters
  end
 end
--- a/core/filters/base.rb
+++ b/core/filters/base.rb
@@ -1,199 +1,214 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
-module Filters
+  module Filters
    # Check if the string is not empty and not nil
    #   @param [String] str String for testing
    #   @return [Boolean] Whether the string is not empty
    def self.is_non_empty_string?(str)
      return false if str.nil?
      return false unless str.is_a? String
      return false if str.empty?
-  # Check if the string is not empty and not nil
+      true
-  #   @param [String] str String for testing
+    end
-  #   @return [Boolean] Whether the string is not empty
+
-  def self.is_non_empty_string?(str)
+    # Check if only the characters in 'chars' are in 'str'
-    return false if str.nil?
+    #   @param [String] chars List of characters to match
-    return false unless str.is_a? String
+    #   @param [String] str String for testing
-    return false if str.empty?
+    #   @return [Boolean] Whether or not the only characters in str are specified in chars
-    true
+    def self.only?(chars, str)
      regex = Regexp.new('[^' + chars + ']')
      regex.match(str.encode('UTF-8', invalid: :replace, undef: :replace, replace: '')).nil?
    end
    # Check if one or more characters in 'chars' are in 'str'
    #   @param [String] chars List of characters to match
    #   @param [String] str String for testing
    #   @return [Boolean] Whether one of the characters exists in the string
    def self.exists?(chars, str)
      regex = Regexp.new(chars)
      !regex.match(str.encode('UTF-8', invalid: :replace, undef: :replace, replace: '')).nil?
    end
    # Check for null char
    #   @param [String] str String for testing
    #   @return [Boolean] If the string has a null character
    def self.has_null?(str)
      return false unless is_non_empty_string?(str)
      exists?('\x00', str)
    end
    # Check for non-printable char
    #   @param [String] str String for testing
    #   @return [Boolean] Whether or not the string has non-printable characters
    def self.has_non_printable_char?(str)
      return false unless is_non_empty_string?(str)
      !only?('[:print:]', str)
    end
    # Check if num characters only
    #   @param [String] str String for testing
    #   @return [Boolean] If the string only contains numbers
    def self.nums_only?(str)
      return false unless is_non_empty_string?(str)
      only?('0-9', str)
    end
    # Check if valid float
    #   @param [String] str String for float testing
    #   @return [Boolean] If the string is a valid float
    def self.is_valid_float?(str)
      return false unless is_non_empty_string?(str)
      return false unless only?('0-9\.', str)
      !(str =~ /^\d+\.\d+$/).nil?
    end
    # Check if hex characters only
    #   @param [String] str String for testing
    #   @return [Boolean] If the string only contains hex characters
    def self.hexs_only?(str)
      return false unless is_non_empty_string?(str)
      only?('0123456789ABCDEFabcdef', str)
    end
    # Check if first character is a number
    #   @param [String] String for testing
    #   @return [Boolean] If the first character of the string is a number
    def self.first_char_is_num?(str)
      return false unless is_non_empty_string?(str)
      !(str =~ /^\d.*/).nil?
    end
    # Check for space characters: \t\n\r\f
    #   @param [String] str String for testing
    #   @return [Boolean] If the string has a whitespace character
    def self.has_whitespace_char?(str)
      return false unless is_non_empty_string?(str)
      exists?('\s', str)
    end
    # Check for non word characters: a-zA-Z0-9
    #   @param [String] str String for testing
    #   @return [Boolean] If the string only has alphanums
    def self.alphanums_only?(str)
      return false unless is_non_empty_string?(str)
      only?('a-zA-Z0-9', str)
    end
    # @overload self.is_valid_ip?(ip, version)
    # Checks if the given string is a valid IP address
    #   @param [String] ip string to be tested
    #   @param [Symbol] version IP version (either <code>:ipv4</code> or <code>:ipv6</code>)
    #   @return [Boolean] true if the string is a valid IP address, otherwise false
    #
    # @overload self.is_valid_ip?(ip)
    # Checks if the given string is either a valid IPv4 or IPv6 address
    #   @param [String] ip string to be tested
    #   @return [Boolean] true if the string is a valid IPv4 or IPV6 address, otherwise false
    def self.is_valid_ip?(ip, version = :both)
      return false unless is_non_empty_string?(ip)
      if case version.inspect.downcase
         when /^:ipv4$/
           ip =~ /^((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}
             (25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])$/x
         when /^:ipv6$/
           ip =~ /^(([0-9a-f]{1,4}:){7,7}[0-9a-f]{1,4}|
             ([0-9a-f]{1,4}:){1,7}:|
             ([0-9a-f]{1,4}:){1,6}:[0-9a-f]{1,4}|
             ([0-9a-f]{1,4}:){1,5}(:[0-9a-f]{1,4}){1,2}|
             ([0-9a-f]{1,4}:){1,4}(:[0-9a-f]{1,4}){1,3}|
             ([0-9a-f]{1,4}:){1,3}(:[0-9a-f]{1,4}){1,4}|
             ([0-9a-f]{1,4}:){1,2}(:[0-9a-f]{1,4}){1,5}|
             [0-9a-f]{1,4}:((:[0-9a-f]{1,4}){1,6})|
             :((:[0-9a-f]{1,4}){1,7}|:)|
             fe80:(:[0-9a-f]{0,4}){0,4}%[0-9a-z]{1,}|
             ::(ffff(:0{1,4}){0,1}:){0,1}
             ((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}
             (25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|
             ([0-9a-f]{1,4}:){1,4}:
             ((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}
             (25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$/ix
         when /^:both$/
           is_valid_ip?(ip, :ipv4) || is_valid_ip?(ip, :ipv6)
         end
        true
      else
        false
      end
    end
    # Checks if the given string is a valid private IP address
    #   @param [String] ip string for testing
    #   @return [Boolean] true if the string is a valid private IP address, otherwise false
    # @note Includes RFC1918 private IPv4, private IPv6, and localhost 127.0.0.0/8, but does not include local-link addresses.
    def self.is_valid_private_ip?(ip)
      return false unless is_valid_ip?(ip)
      ip =~ /\A(^127\.)|(^192\.168\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^::1$)|(^[fF][cCdD])\z/ ? true : false
    end
    # Checks if the given string is a valid TCP port
    #   @param [String] port string for testing
    #   @return [Boolean] true if the string is a valid TCP port, otherwise false
    def self.is_valid_port?(port)
      valid = false
      valid = true if port.to_i > 0 && port.to_i < 2**16
      valid
    end
    # Checks if string is a valid domain name
    #   @param [String] domain string for testing
    #   @return [Boolean] If the string is a valid domain name
    # @note Only validates the string format. It does not check for a valid TLD since ICANN's list of TLD's is not static.
    def self.is_valid_domain?(domain)
      return false unless is_non_empty_string?(domain)
      return true if domain =~ /^[0-9a-z-]+(\.[0-9a-z-]+)*(\.[a-z]{2,}).?$/i
      false
    end
    # Check for valid browser details characters
    #   @param [String] str String for testing
    #   @return [Boolean] If the string has valid browser details characters
    # @note This function passes the \302\256 character which translates to the registered symbol (r)
    def self.has_valid_browser_details_chars?(str)
      return false unless is_non_empty_string?(str)
      !(str =~ %r{[^\w\d\s()-.,;:_/!\302\256]}).nil?
    end
    # Check for valid base details characters
    #   @param [String] str String for testing
    #   @return [Boolean] If the string has only valid base characters
    # @note This is for basic filtering where possible all specific filters must be implemented
    # @note This function passes the \302\256 character which translates to the registered symbol (r)
    def self.has_valid_base_chars?(str)
      return false unless is_non_empty_string?(str)
      (str =~ /[^\302\256[:print:]]/).nil?
    end
    # Verify the yes and no is valid
    #   @param [String] str String for testing
    #   @return [Boolean] If the string is either 'yes' or 'no'
    def self.is_valid_yes_no?(str)
      return false if has_non_printable_char?(str)
      return false if str !~ /\A(Yes|No)\z/i
      true
    end
  end
  # Check if only the characters in 'chars' are in 'str'
  #   @param [String] chars List of characters to match
  #   @param [String] str String for testing
  #   @return [Boolean] Whether or not the only characters in str are specified in chars
  def self.only?(chars, str)
    regex = Regexp.new('[^' + chars + ']')
    regex.match(str.encode('UTF-8', invalid: :replace, undef: :replace, replace: '')).nil?
  end
  # Check if one or more characters in 'chars' are in 'str'
  #   @param [String] chars List of characters to match
  #   @param [String] str String for testing
  #   @return [Boolean] Whether one of the characters exists in the string
  def self.exists?(chars, str)
    regex = Regexp.new(chars)
    not regex.match(str.encode('UTF-8', invalid: :replace, undef: :replace, replace: '')).nil?
  end
  # Check for null char
  #   @param [String] str String for testing
  #   @return [Boolean] If the string has a null character
  def self.has_null? (str)
    return false unless is_non_empty_string?(str)
    exists?('\x00', str)
  end
  # Check for non-printable char
  #   @param [String] str String for testing
  #   @return [Boolean] Whether or not the string has non-printable characters
  def self.has_non_printable_char?(str)
    return false unless is_non_empty_string?(str)
    not only?('[:print:]', str)
  end
  # Check if num characters only
  #   @param [String] str String for testing
  #   @return [Boolean] If the string only contains numbers
  def self.nums_only?(str)
    return false unless is_non_empty_string?(str)
    only?('0-9', str)
  end
  # Check if valid float
  #   @param [String] str String for float testing
  #   @return [Boolean] If the string is a valid float
  def self.is_valid_float?(str)
    return false unless is_non_empty_string?(str)
    return false unless only?('0-9\.', str)
    not (str =~ /^[\d]+\.[\d]+$/).nil?
  end
  # Check if hex characters only
  #   @param [String] str String for testing
  #   @return [Boolean] If the string only contains hex characters
  def self.hexs_only?(str)
    return false unless is_non_empty_string?(str)
    only?('0123456789ABCDEFabcdef', str)
  end
  # Check if first character is a number
  #   @param [String] String for testing
  #   @return [Boolean] If the first character of the string is a number
  def self.first_char_is_num?(str)
    return false unless is_non_empty_string?(str)
    not (str =~ /^\d.*/).nil?
  end
  # Check for space characters: \t\n\r\f
  #   @param [String] str String for testing
  #   @return [Boolean] If the string has a whitespace character
  def self.has_whitespace_char?(str)
    return false unless is_non_empty_string?(str)
    exists?('\s', str)
  end
  # Check for non word characters: a-zA-Z0-9
  #   @param [String] str String for testing
  #   @return [Boolean] If the string only has alphanums
  def self.alphanums_only?(str)
    return false unless is_non_empty_string?(str)
    only?("a-zA-Z0-9", str)
  end
  # @overload self.is_valid_ip?(ip, version)
  # Checks if the given string is a valid IP address
  #   @param [String] ip string to be tested
  #   @param [Symbol] version IP version (either <code>:ipv4</code> or <code>:ipv6</code>)
  #   @return [Boolean] true if the string is a valid IP address, otherwise false
  #
  # @overload self.is_valid_ip?(ip)
  # Checks if the given string is either a valid IPv4 or IPv6 address
  #   @param [String] ip string to be tested
  #   @return [Boolean] true if the string is a valid IPv4 or IPV6 address, otherwise false
  def self.is_valid_ip?(ip, version = :both)
    return false unless is_non_empty_string?(ip)
    valid = case version.inspect.downcase
      when /^:ipv4$/
        ip =~ /^((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}
          (25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])$/x
      when /^:ipv6$/
        ip =~ /^(([0-9a-f]{1,4}:){7,7}[0-9a-f]{1,4}|
          ([0-9a-f]{1,4}:){1,7}:|
          ([0-9a-f]{1,4}:){1,6}:[0-9a-f]{1,4}|
          ([0-9a-f]{1,4}:){1,5}(:[0-9a-f]{1,4}){1,2}|
          ([0-9a-f]{1,4}:){1,4}(:[0-9a-f]{1,4}){1,3}|
          ([0-9a-f]{1,4}:){1,3}(:[0-9a-f]{1,4}){1,4}|
          ([0-9a-f]{1,4}:){1,2}(:[0-9a-f]{1,4}){1,5}|
          [0-9a-f]{1,4}:((:[0-9a-f]{1,4}){1,6})|
          :((:[0-9a-f]{1,4}){1,7}|:)|
          fe80:(:[0-9a-f]{0,4}){0,4}%[0-9a-z]{1,}|
          ::(ffff(:0{1,4}){0,1}:){0,1}
          ((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}
          (25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|
          ([0-9a-f]{1,4}:){1,4}:
          ((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}
          (25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$/ix
      when /^:both$/
        is_valid_ip?(ip, :ipv4) || is_valid_ip?(ip, :ipv6)
    end ? true : false
    valid
  end
  # Checks if the given string is a valid private IP address
  #   @param [String] ip string for testing
  #   @return [Boolean] true if the string is a valid private IP address, otherwise false
  # @note Includes RFC1918 private IPv4, private IPv6, and localhost 127.0.0.0/8, but does not include local-link addresses.
  def self.is_valid_private_ip?(ip)
    return false unless is_valid_ip?(ip)
    return ip =~ /\A(^127\.)|(^192\.168\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^::1$)|(^[fF][cCdD])\z/ ? true : false
  end
  # Checks if the given string is a valid TCP port
  #   @param [String] port string for testing
  #   @return [Boolean] true if the string is a valid TCP port, otherwise false
  def self.is_valid_port?(port)
    valid = false
    valid = true if port.to_i > 0 && port.to_i < 2**16
    valid
  end
  # Checks if string is a valid domain name
  #   @param [String] domain string for testing
  #   @return [Boolean] If the string is a valid domain name
  # @note Only validates the string format. It does not check for a valid TLD since ICANN's list of TLD's is not static.
  def self.is_valid_domain?(domain)
    return false unless is_non_empty_string?(domain)
    return true if domain =~ /^[0-9a-z-]+(\.[0-9a-z-]+)*(\.[a-z]{2,}).?$/i
    false
  end
  # Check for valid browser details characters
  #   @param [String] str String for testing
  #   @return [Boolean] If the string has valid browser details characters
  # @note This function passes the \302\256 character which translates to the registered symbol (r)
  def self.has_valid_browser_details_chars?(str)
    return false unless is_non_empty_string?(str)
    not (str =~ /[^\w\d\s()-.,;:_\/!\302\256]/).nil?  
  end  
  # Check for valid base details characters
  #   @param [String] str String for testing
  #   @return [Boolean] If the string has only valid base characters
  # @note This is for basic filtering where possible all specific filters must be implemented
  # @note This function passes the \302\256 character which translates to the registered symbol (r)
  def self.has_valid_base_chars?(str)
    return false unless is_non_empty_string?(str)
    (str =~ /[^\302\256[:print:]]/).nil? 
  end  
  # Verify the yes and no is valid
  #   @param [String] str String for testing
  #   @return [Boolean] If the string is either 'yes' or 'no'
  def self.is_valid_yes_no?(str)
    return false if has_non_printable_char?(str)
    return false if str !~ /\A(Yes|No)\z/i
    true
  end
 end
 end
--- a/core/filters/browser.rb
+++ b/core/filters/browser.rb
@@ -1,151 +1,162 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
-module Filters
+  module Filters
    # Check the browser type value - for example, 'FF'
    # @param [String] str String for testing
    # @return [Boolean] If the string has valid browser name characters
    def self.is_valid_browsername?(str)
      return false unless is_non_empty_string?(str)
      return false if str.length > 2
      return false if has_non_printable_char?(str)
-  # Check the browser type value - for example, 'FF'
+      true
-  # @param [String] str String for testing
+    end
  # @return [Boolean] If the string has valid browser name characters
  def self.is_valid_browsername?(str)
    return false unless is_non_empty_string?(str)
    return false if str.length > 2
    return false if has_non_printable_char?(str)
    true
  end
-  # Check the Operating System name value - for example, 'Windows XP'
+    # Check the Operating System name value - for example, 'Windows XP'
-  # @param [String] str String for testing
+    # @param [String] str String for testing
-  # @return [Boolean] If the string has valid Operating System name characters
+    # @return [Boolean] If the string has valid Operating System name characters
-  def self.is_valid_osname?(str)
+    def self.is_valid_osname?(str)
-    return false unless is_non_empty_string?(str)
+      return false unless is_non_empty_string?(str)
-    return false if has_non_printable_char?(str)
+      return false if has_non_printable_char?(str)
-    return false if str.length < 2
+      return false if str.length < 2
    true
  end
-  # Check the Hardware name value - for example, 'iPhone'
+      true
-  # @param [String] str String for testing
+    end
  # @return [Boolean] If the string has valid Hardware name characters
  def self.is_valid_hwname?(str)
    return false unless is_non_empty_string?(str)
    return false if has_non_printable_char?(str)
    return false if str.length < 2
    true
  end
-  # Verify the browser version string is valid
+    # Check the Hardware name value - for example, 'iPhone'
-  # @param [String] str String for testing
+    # @param [String] str String for testing
-  # @return [Boolean] If the string has valid browser version characters
+    # @return [Boolean] If the string has valid Hardware name characters
-  def self.is_valid_browserversion?(str)
+    def self.is_valid_hwname?(str)
-    return false unless is_non_empty_string?(str)
+      return false unless is_non_empty_string?(str)
-    return false if has_non_printable_char?(str)
+      return false if has_non_printable_char?(str)
-    return true if str.eql? "UNKNOWN"
+      return false if str.length < 2
    return true if str.eql? "ALL"
    return false if not nums_only?(str) and not is_valid_float?(str)  
    return false if str.length > 20
    true
  end
-  # Verify the os version string is valid
+      true
-  # @param [String] str String for testing
+    end
  # @return [Boolean] If the string has valid os version characters
  def self.is_valid_osversion?(str)
    return false unless is_non_empty_string?(str)
    return false if has_non_printable_char?(str)
    return true if str.eql? "UNKNOWN"
    return true if str.eql? "ALL"
    return false unless BeEF::Filters::only?("a-zA-Z0-9.<=> ", str)
    return false if str.length > 20
    true
  end
-  # Verify the browser/UA string is valid
+    # Verify the browser version string is valid
-  # @param [String] str String for testing
+    # @param [String] str String for testing
-  # @return [Boolean] If the string has valid browser / ua string characters
+    # @return [Boolean] If the string has valid browser version characters
-  def self.is_valid_browserstring?(str)
+    def self.is_valid_browserversion?(str)
-    return false unless is_non_empty_string?(str)
+      return false unless is_non_empty_string?(str)
-    return false if has_non_printable_char?(str)
+      return false if has_non_printable_char?(str)
-    return false if str.length > 300      
+      return true if str.eql? 'UNKNOWN'
-    true
+      return true if str.eql? 'ALL'
-  end
+      return false if !nums_only?(str) and !str.match(/\A(0|[1-9][0-9]{0,3})(\.(0|[1-9][0-9]{0,3})){0,3}\z/)
-  
+      return false if str.length > 20
  # Verify the cookies are valid
  # @param [String] str String for testing
  # @return [Boolean] If the string has valid cookie characters
  def self.is_valid_cookies?(str)
    return false unless is_non_empty_string?(str)
    return false if has_non_printable_char?(str)
    return false if str.length > 2000
    true
  end
-  # Verify the system platform is valid
+      true
-  # @param [String] str String for testing
+    end
  # @return [Boolean] If the string has valid system platform characters
  def self.is_valid_system_platform?(str)
    return false unless is_non_empty_string?(str)
    return false if has_non_printable_char?(str)
    return false if str.length > 200
    true
  end
-  # Verify the date stamp is valid
+    # Verify the os version string is valid
-  # @param [String] str String for testing
+    # @param [String] str String for testing
-  # @return [Boolean] If the string has valid date stamp characters
+    # @return [Boolean] If the string has valid os version characters
-  def self.is_valid_date_stamp?(str)
+    def self.is_valid_osversion?(str)
-    return false unless is_non_empty_string?(str)
+      return false unless is_non_empty_string?(str)
-    return false if has_non_printable_char?(str)
+      return false if has_non_printable_char?(str)
-    return false if str.length > 200
+      return true if str.eql? 'UNKNOWN'
-    true
+      return true if str.eql? 'ALL'
-  end
+      return false unless BeEF::Filters.only?('a-zA-Z0-9.<=> ', str)
      return false if str.length > 20
-  # Verify the CPU type string is valid
+      true
-  # @param [String] str String for testing
+    end
  # @return [Boolean] If the string has valid CPU type characters
  def self.is_valid_cpu?(str)
    return false unless is_non_empty_string?(str)
    return false if has_non_printable_char?(str)
    return false if str.length > 200
    true
  end
-  # Verify the memory string is valid
+    # Verify the browser/UA string is valid
-  # @param [String] str String for testing
+    # @param [String] str String for testing
-  # @return [Boolean] If the string has valid memory type characters
+    # @return [Boolean] If the string has valid browser / ua string characters
-  def self.is_valid_memory?(str)
+    def self.is_valid_browserstring?(str)
-    return false unless is_non_empty_string?(str)
+      return false unless is_non_empty_string?(str)
-    return false if has_non_printable_char?(str)
+      return false if has_non_printable_char?(str)
-    return false if str.length > 200
+      return false if str.length > 300
    true
  end
-  # Verify the GPU type string is valid
+      true
-  # @param [String] str String for testing
+    end
  # @return [Boolean] If the string has valid GPU type characters
  def self.is_valid_gpu?(str)
    return false unless is_non_empty_string?(str)
    return false if has_non_printable_char?(str)
    return false if str.length > 200
    true
  end
-  # Verify the browser_plugins string is valid
+    # Verify the cookies are valid
-  # @param [String] str String for testing
+    # @param [String] str String for testing
-  # @return [Boolean] If the string has valid browser plugin characters
+    # @return [Boolean] If the string has valid cookie characters
-  # @note This string can be empty if there are no browser plugins
+    def self.is_valid_cookies?(str)
-  # @todo Verify if the ruby version statement is still necessary
+      return false unless is_non_empty_string?(str)
-  def self.is_valid_browser_plugins?(str)
+      return false if has_non_printable_char?(str)
-    return false unless is_non_empty_string?(str)
+      return false if str.length > 2000
-    return false if str.length > 1000
+
-    if str.encoding === Encoding.find('UTF-8')
+      true
-      return (str =~ /[^\w\d\s()-.,';_!\302\256]/u).nil?
+    end
-    else
+
-      return (str =~ /[^\w\d\s()-.,';_!\302\256]/n).nil?
+    # Verify the system platform is valid
    # @param [String] str String for testing
    # @return [Boolean] If the string has valid system platform characters
    def self.is_valid_system_platform?(str)
      return false unless is_non_empty_string?(str)
      return false if has_non_printable_char?(str)
      return false if str.length > 200
      true
    end
    # Verify the date stamp is valid
    # @param [String] str String for testing
    # @return [Boolean] If the string has valid date stamp characters
    def self.is_valid_date_stamp?(str)
      return false unless is_non_empty_string?(str)
      return false if has_non_printable_char?(str)
      return false if str.length > 200
      true
    end
    # Verify the CPU type string is valid
    # @param [String] str String for testing
    # @return [Boolean] If the string has valid CPU type characters
    def self.is_valid_cpu?(str)
      return false unless is_non_empty_string?(str)
      return false if has_non_printable_char?(str)
      return false if str.length > 200
      true
    end
    # Verify the memory string is valid
    # @param [String] str String for testing
    # @return [Boolean] If the string has valid memory type characters
    def self.is_valid_memory?(str)
      return false unless is_non_empty_string?(str)
      return false if has_non_printable_char?(str)
      return false if str.length > 200
      true
    end
    # Verify the GPU type string is valid
    # @param [String] str String for testing
    # @return [Boolean] If the string has valid GPU type characters
    def self.is_valid_gpu?(str)
      return false unless is_non_empty_string?(str)
      return false if has_non_printable_char?(str)
      return false if str.length > 200
      true
    end
    # Verify the browser_plugins string is valid
    # @param [String] str String for testing
    # @return [Boolean] If the string has valid browser plugin characters
    # @note This string can be empty if there are no browser plugins
    # @todo Verify if the ruby version statement is still necessary
    def self.is_valid_browser_plugins?(str)
      return false unless is_non_empty_string?(str)
      return false if str.length > 1000
      if str.encoding === Encoding.find('UTF-8')
        (str =~ /[^\w\d\s()-.,';_!\302\256]/u).nil?
      else
        (str =~ /[^\w\d\s()-.,';_!\302\256]/n).nil?
      end
    end
  end
 end  
 end
--- a/core/filters/command.rb
+++ b/core/filters/command.rb
@@ -1,67 +1,71 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
-module Filters
+  module Filters
-    
+    # Check if the string is a valid path from a HTTP request
-  # Check if the string is a valid path from a HTTP request
+    # @param [String] str String for testing
-  # @param [String] str String for testing
+    # @return [Boolean] If the string has valid path characters
-  # @return [Boolean] If the string has valid path characters
+    def self.is_valid_path_info?(str)
-  def self.is_valid_path_info?(str)
+      return false if str.nil?
-    return false if str.nil?
+      return false unless str.is_a? String
-    return false unless str.is_a? String
+      return false if has_non_printable_char?(str)
    return false if has_non_printable_char?(str)
    true
  end
-  # Check if the session id valid
+      true
-  # @param [String] str String for testing
+    end
  # @return [Boolean] If the string has valid hook session id characters
  def self.is_valid_hook_session_id?(str)
    return false unless is_non_empty_string?(str)
    return false unless has_valid_key_chars?(str) 
    true
  end
-  # Check if valid command module datastore key
+    # Check if the session id valid
-  # @param [String] str String for testing
+    # @param [String] str String for testing
-  # @return [Boolean] If the string has valid command module datastore key characters
+    # @return [Boolean] If the string has valid hook session id characters
-  def self.is_valid_command_module_datastore_key?(str)
+    def self.is_valid_hook_session_id?(str)
-    return false unless is_non_empty_string?(str)
+      return false unless is_non_empty_string?(str)
-    return false unless has_valid_key_chars?(str)      
+      return false unless has_valid_key_chars?(str)
    true
  end
-  # Check if valid command module datastore value
+      true
-  # @param [String] str String for testing
+    end
  # @return [Boolean] If the string has valid command module datastore param characters
  def self.is_valid_command_module_datastore_param?(str)
    return false if has_null?(str)
    return false unless has_valid_base_chars?(str)
    true
  end
-  # Check for word and some punc chars
+    # Check if valid command module datastore key
-  # @param [String] str String for testing
+    # @param [String] str String for testing
-  # @return [Boolean] If the string has valid key characters
+    # @return [Boolean] If the string has valid command module datastore key characters
-  def self.has_valid_key_chars?(str)
+    def self.is_valid_command_module_datastore_key?(str)
-    return false unless is_non_empty_string?(str)
+      return false unless is_non_empty_string?(str)
-    return false unless has_valid_base_chars?(str)
+      return false unless has_valid_key_chars?(str)
    true
  end
-  # Check for word and underscore chars
+      true
-  # @param [String] str String for testing
+    end
  # @return [Boolean] If the sting has valid param characters
  def self.has_valid_param_chars?(str)
    return false if str.nil?
    return false unless str.is_a? String
    return false if str.empty?
    return false unless (str =~ /[^\w_\:]/).nil?
    true
  end
-end
+    # Check if valid command module datastore value
    # @param [String] str String for testing
    # @return [Boolean] If the string has valid command module datastore param characters
    def self.is_valid_command_module_datastore_param?(str)
      return false if has_null?(str)
      return false unless has_valid_base_chars?(str)
      true
    end
    # Check for word and some punc chars
    # @param [String] str String for testing
    # @return [Boolean] If the string has valid key characters
    def self.has_valid_key_chars?(str)
      return false unless is_non_empty_string?(str)
      return false unless has_valid_base_chars?(str)
      true
    end
    # Check for word and underscore chars
    # @param [String] str String for testing
    # @return [Boolean] If the sting has valid param characters
    def self.has_valid_param_chars?(str)
      return false if str.nil?
      return false unless str.is_a? String
      return false if str.empty?
      return false unless (str =~ /[^\w_:]/).nil?
      true
    end
  end
 end
--- a/core/filters/http.rb
+++ b/core/filters/http.rb
@@ -1,61 +1,62 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
-module BeEF  
+module BeEF
-module Filters
+  module Filters
-  
+    # Verify the hostname string is valid
-  # Verify the hostname string is valid
+    # @param [String] str String for testing
-  # @param [String] str String for testing
+    # @return [Boolean] If the string is a valid hostname
-  # @return [Boolean] If the string is a valid hostname
+    def self.is_valid_hostname?(str)
-  def self.is_valid_hostname?(str)
+      return false unless is_non_empty_string?(str)
-    return false unless is_non_empty_string?(str)
+      return false if has_non_printable_char?(str)
-    return false if has_non_printable_char?(str)
+      return false if str.length > 255
-    return false if str.length > 255
+      return false if (str =~ /^[a-zA-Z0-9][a-zA-Z0-9\-.]*[a-zA-Z0-9]$/).nil?
-    return false if (str =~ /^[a-zA-Z0-9][a-zA-Z0-9\-\.]*[a-zA-Z0-9]$/).nil?
+
-    true
+      true
    end
    def self.is_valid_verb?(verb)
      %w[HEAD GET POST OPTIONS PUT DELETE].each { |v| return true if verb.eql? v }
      false
    end
    def self.is_valid_url?(uri)
      return true unless uri.nil?
      # OPTIONS * is not yet supported
      # return true if uri.eql? "*"
      # TODO : CHECK THE normalize_path method and include it somewhere (maybe here)
      # return true if uri.eql? self.normalize_path(uri)
      false
    end
    def self.is_valid_http_version?(version)
      # from browsers the http version contains a space at the end ("HTTP/1.0\r")
      version.gsub!(/\r+/, '')
      ['HTTP/1.0', 'HTTP/1.1'].each { |v| return true if version.eql? v }
      false
    end
    def self.is_valid_host_str?(host_str)
      # from browsers the host header contains a space at the end
      host_str.gsub!(/\r+/, '')
      return true if 'Host:'.eql?(host_str)
      false
    end
    def normalize_path(path)
      print_error "abnormal path `#{path}'" if path[0] != '/'
      ret = path.dup
      ret.gsub!(%r{/+}o, '/')                    # //      => /
      while ret.sub!(%r{/\.(?:/|\Z)}, '/'); end  # /.      => /
      while ret.sub!(%r{/(?!\.\./)[^/]+/\.\.(?:/|\Z)}, '/'); end # /foo/.. => /foo
      print_error "abnormal path `#{path}'" if %r{/\.\.(/|\Z)} =~ ret
      ret
    end
  end
  def self.is_valid_verb?(verb)
    ["HEAD", "GET", "POST", "OPTIONS", "PUT", "DELETE"].each {|v| return true if verb.eql? v }
    false
  end
  def self.is_valid_url?(uri)
    return true if !uri.nil?
    # OPTIONS * is not yet supported
    #return true if uri.eql? "*"
    # TODO : CHECK THE normalize_path method and include it somewhere (maybe here)
    #return true if uri.eql? self.normalize_path(uri)
    false
  end
  def self.is_valid_http_version?(version)
    # from browsers the http version contains a space at the end ("HTTP/1.0\r")
    version.gsub!(/[\r]+/,"")
    ["HTTP/1.0", "HTTP/1.1"].each {|v| return true if version.eql? v }
    false
  end
  def self.is_valid_host_str?(host_str)
    # from browsers the host header contains a space at the end
    host_str.gsub!(/[\r]+/,"")
    return true if "Host:".eql?(host_str)
    false
  end 
  def normalize_path(path)
    print_error "abnormal path `#{path}'" if path[0] != ?/
    ret = path.dup
    ret.gsub!(%r{/+}o, '/')                    # //      => /
    while ret.sub!(%r'/\.(?:/|\Z)', '/'); end  # /.      => /
    while ret.sub!(%r'/(?!\.\./)[^/]+/\.\.(?:/|\Z)', '/'); end # /foo/.. => /foo
    print_error "abnormal path `#{path}'" if %r{/\.\.(/|\Z)} =~ ret
    ret
  end
 end
 end
--- a/core/filters/page.rb
+++ b/core/filters/page.rb
@@ -1,30 +1,30 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
-module Filters
+  module Filters
-  
+    # Verify the page title string is valid
-  # Verify the page title string is valid
+    # @param [String] str String for testing
-  # @param [String] str String for testing
+    # @return [Boolean] If the string is a valid page title
-  # @return [Boolean] If the string is a valid page title
+    def self.is_valid_pagetitle?(str)
-  def self.is_valid_pagetitle?(str)
+      return false unless str.is_a? String
-    return false unless str.is_a? String
+      return false if has_non_printable_char?(str)
-    return false if has_non_printable_char?(str)
+      return false if str.length > 500 # CxF Increased this because some page titles are MUCH longer
    return false if str.length > 500 # CxF Increased this because some page titles are MUCH longer
    true
  end
-  # Verify the page referrer string is valid
+      true
-  # @param [String] str String for testing
+    end
-  # @return [Boolean] If the string is a valid referrer
+
-  def self.is_valid_pagereferrer?(str)
+    # Verify the page referrer string is valid
-    return false unless str.is_a? String
+    # @param [String] str String for testing
-    return false if has_non_printable_char?(str)
+    # @return [Boolean] If the string is a valid referrer
-    return false if str.length > 350
+    def self.is_valid_pagereferrer?(str)
-    true
+      return false unless str.is_a? String
      return false if has_non_printable_char?(str)
      return false if str.length > 350
      true
    end
  end
 end
 end
--- a/core/hbmanager.rb
+++ b/core/hbmanager.rb
@@ -1,24 +1,22 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
  module HBManager
    # Get hooked browser by session id
    # @param [String] sid hooked browser session id string
    # @return [BeEF::Core::Models::HookedBrowser] returns the associated Hooked Browser
    def self.get_by_session(sid)
-      BeEF::Core::Models::HookedBrowser.first(:session => sid)
+      BeEF::Core::Models::HookedBrowser.where(session: sid).first
    end
    # Get hooked browser by id
    # @param [Integer] id hooked browser database id
    # @return [BeEF::Core::Models::HookedBrowser] returns the associated Hooked Browser
    def self.get_by_id(id)
-      BeEF::Core::Models::HookedBrowser.first(:id => id)
+      BeEF::Core::Models::HookedBrowser.find(id)
    end
  end
 end
--- a/core/loader.rb
+++ b/core/loader.rb
@@ -1,6 +1,6 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
@@ -31,8 +31,7 @@ require 'execjs'
 require 'ansi'
 require 'term/ansicolor'
 require 'json'
-require 'data_objects'
+require 'otr-activerecord'
 require 'dm-do-adapter'
 require 'parseconfig'
 require 'erubis'
 require 'mime/types'
@@ -41,7 +40,6 @@ require 'resolv'
 require 'digest'
 require 'zip'
 require 'logger'
 # @note Logger
 require 'core/logger'
--- a/core/logger.rb
+++ b/core/logger.rb
@@ -1,6 +1,6 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
@@ -12,8 +12,8 @@ module BeEF
    attr_writer :logger
    def logger
-        @logger ||= Logger.new("#{$home_dir}/beef.log").tap do |log|
+      @logger ||= Logger.new("#{$home_dir}/beef.log").tap do |log|
-        log.progname = self.name
+        log.progname = name
        log.level = Logger::WARN
      end
    end
--- a/core/main/ar-migrations/001_create_command_modules.rb
+++ b/core/main/ar-migrations/001_create_command_modules.rb
@@ -0,0 +1,8 @@
 class CreateCommandModules < ActiveRecord::Migration[6.0]
  def change
    create_table :command_modules do |t|
      t.text :name
      t.text :path
    end
  end
 end
--- a/core/main/ar-migrations/002_create_hooked_browsers.rb
+++ b/core/main/ar-migrations/002_create_hooked_browsers.rb
@@ -0,0 +1,15 @@
 class CreateHookedBrowsers < ActiveRecord::Migration[6.0]
  def change
    create_table :hooked_browsers do |t|
      t.text :session
      t.text :ip
      t.text :firstseen
      t.text :lastseen
      t.text :httpheaders
      t.text :domain
      t.integer :port
      t.integer :count
      t.boolean :is_proxy
    end
  end
 end
--- a/core/main/ar-migrations/003_create_logs.rb
+++ b/core/main/ar-migrations/003_create_logs.rb
@@ -0,0 +1,10 @@
 class CreateLogs < ActiveRecord::Migration[6.0]
  def change
    create_table :logs do |t|
      t.text :logtype
      t.text :event
      t.datetime :date
      t.references :hooked_browser
    end
  end
 end
--- a/core/main/ar-migrations/004_create_commands.rb
+++ b/core/main/ar-migrations/004_create_commands.rb
@@ -0,0 +1,12 @@
 class CreateCommands < ActiveRecord::Migration[6.0]
  def change
    create_table :commands do |t|
      t.references :command_module
      t.references :hooked_browser
      t.text :data
      t.datetime :creationdate
      t.text :label
      t.boolean :instructions_sent, default: false
    end
  end
 end
--- a/core/main/ar-migrations/005_create_results.rb
+++ b/core/main/ar-migrations/005_create_results.rb
@@ -0,0 +1,11 @@
 class CreateResults < ActiveRecord::Migration[6.0]
  def change
    create_table :results do |t|
      t.references :command
      t.references :hooked_browser
      t.datetime :date
      t.integer :status
      t.text :data
    end
  end
 end
--- a/core/main/ar-migrations/006_create_option_caches.rb
+++ b/core/main/ar-migrations/006_create_option_caches.rb
@@ -0,0 +1,8 @@
 class CreateOptionCaches < ActiveRecord::Migration[6.0]
  def change
    create_table :option_caches do |t|
      t.text :name
      t.text :value
    end
  end
 end
--- a/core/main/ar-migrations/007_create_browser_details.rb
+++ b/core/main/ar-migrations/007_create_browser_details.rb
@@ -0,0 +1,9 @@
 class CreateBrowserDetails < ActiveRecord::Migration[6.0]
  def change
    create_table :browser_details do |t|
      t.text :session_id
      t.text :detail_key
      t.text :detail_value
    end
  end
 end
--- a/core/main/ar-migrations/008_create_executions.rb
+++ b/core/main/ar-migrations/008_create_executions.rb
@@ -0,0 +1,14 @@
 class CreateExecutions < ActiveRecord::Migration[6.0]
  def change
    create_table :executions do |t|
      t.text :session_id
      t.integer :mod_count
      t.integer :mod_successful
      t.text :mod_body
      t.text :exec_time
      t.text :rule_token
      t.boolean :is_sent
      t.integer :rule_id
    end
  end
 end
--- a/core/main/ar-migrations/009_create_rules.rb
+++ b/core/main/ar-migrations/009_create_rules.rb
@@ -0,0 +1,16 @@
 class CreateRules < ActiveRecord::Migration[6.0]
  def change
    create_table :rules do |t|
      t.text :name
      t.text :author
      t.text :browser
      t.text :browser_version
      t.text :os
      t.text :os_version
      t.text :modules
      t.text :execution_order
      t.text :execution_delay
      t.text :chain_mode
    end
  end
 end
--- a/core/main/ar-migrations/010_create_interceptor.rb
+++ b/core/main/ar-migrations/010_create_interceptor.rb
@@ -0,0 +1,8 @@
 class CreateInterceptor < ActiveRecord::Migration[6.0]
  def change
    create_table :interceptors do |t|
      t.text :ip
      t.text :post_data
    end
  end
 end
--- a/core/main/ar-migrations/011_create_web_cloner.rb
+++ b/core/main/ar-migrations/011_create_web_cloner.rb
@@ -0,0 +1,8 @@
 class CreateWebCloner < ActiveRecord::Migration[6.0]
  def change
    create_table :web_cloners do |t|
      t.text :uri
      t.text :mount
    end
  end
 end
--- a/core/main/ar-migrations/013_create_network_host.rb
+++ b/core/main/ar-migrations/013_create_network_host.rb
@@ -0,0 +1,13 @@
 class CreateNetworkHost < ActiveRecord::Migration[6.0]
  def change
    create_table :network_hosts do |t|
      t.references :hooked_browser
      t.text :ip
      t.text :hostname
      t.text :ntype
      t.text :os
      t.text :mac
      t.text :lastseen
    end
  end
 end
--- a/core/main/ar-migrations/014_create_network_service.rb
+++ b/core/main/ar-migrations/014_create_network_service.rb
@@ -0,0 +1,11 @@
 class CreateNetworkService < ActiveRecord::Migration[6.0]
  def change
    create_table :network_services do |t|
      t.references :hooked_browser
      t.text :proto
      t.text :ip
      t.text :port
      t.text :ntype
    end
  end
 end
--- a/core/main/ar-migrations/015_create_http.rb
+++ b/core/main/ar-migrations/015_create_http.rb
@@ -0,0 +1,40 @@
 class CreateHttp < ActiveRecord::Migration[6.0]
  def change
    create_table :https do |t|
      t.text :hooked_browser_id
      # The http request to perform. In clear text.
      t.text :request
      # Boolean value as string to say whether cross-origin requests are allowed
      t.boolean :allow_cross_origin, default: true
      # The http response body received. In clear text.
      t.text :response_data
      # The http response code. Useful to handle cases like 404, 500, 302, ...
      t.integer :response_status_code
      # The http response code. Human-readable code: success, error, ecc..
      t.text :response_status_text
      # The port status. closed, open or not http
      t.text :response_port_status
      # The XHR Http response raw headers
      t.text :response_headers
      # The http response method. GET or POST.
      t.text :method
      # The content length for the request.
      t.text :content_length, default: 0
      # The request protocol/scheme (http/https)
      t.text :proto
      # The domain on which perform the request.
      t.text :domain
      # The port on which perform the request.
      t.text :port
      # Boolean value to say if the request was cross-origin
      t.text :has_ran, default: 'waiting'
      # The path of the request.
      # Example: /secret.html
      t.text :path
      # The date at which the http response has been saved.
      t.datetime :response_date
      # The date at which the http request has been saved.
      t.datetime :request_date
    end
  end
 end
--- a/core/main/ar-migrations/016_create_rtc_status.rb
+++ b/core/main/ar-migrations/016_create_rtc_status.rb
@@ -0,0 +1,9 @@
 class CreateRtcStatus < ActiveRecord::Migration[6.0]
  def change
    create_table :rtc_statuss do |t|
      t.references :hooked_browser
      t.integer :target_hooked_browser_id
      t.text :status
    end
  end
 end
--- a/core/main/ar-migrations/017_create_rtc_manage.rb
+++ b/core/main/ar-migrations/017_create_rtc_manage.rb
@@ -0,0 +1,9 @@
 class CreateRtcManage < ActiveRecord::Migration[6.0]
  def change
    create_table :rtc_manages do |t|
      t.references :hooked_browser
      t.text :message
      t.text :has_sent, default: 'waiting'
    end
  end
 end
--- a/core/main/ar-migrations/018_create_rtc_signal.rb
+++ b/core/main/ar-migrations/018_create_rtc_signal.rb
@@ -0,0 +1,10 @@
 class CreateRtcSignal < ActiveRecord::Migration[6.0]
  def change
    create_table :rtc_signals do |t|
      t.references :hooked_browser
      t.integer :target_hooked_browser_id
      t.text :signal
      t.text :has_sent, default: 'waiting'
    end
  end
 end
--- a/core/main/ar-migrations/019_create_rtc_module_status.rb
+++ b/core/main/ar-migrations/019_create_rtc_module_status.rb
@@ -0,0 +1,10 @@
 class CreateRtcModuleStatus < ActiveRecord::Migration[6.0]
  def change
    create_table :rtc_module_statuss do |t|
      t.references :hooked_browser
      t.references :command_module
      t.integer :target_hooked_browser_id
      t.text :status
    end
  end
 end
--- a/core/main/ar-migrations/020_create_xssrays_detail.rb
+++ b/core/main/ar-migrations/020_create_xssrays_detail.rb
@@ -0,0 +1,10 @@
 class CreateXssraysDetail < ActiveRecord::Migration[6.0]
  def change
    create_table :xssraysdetails do |t|
      t.references :hooked_browser
      t.text :vector_name
      t.text :vector_method
      t.text :vector_poc
    end
  end
 end
--- a/core/main/ar-migrations/021_create_dns_rule.rb
+++ b/core/main/ar-migrations/021_create_dns_rule.rb
@@ -0,0 +1,10 @@
 class CreateDnsRule < ActiveRecord::Migration[6.0]
  def change
    create_table :dns_rules do |t|
      t.text :pattern
      t.text :resource
      t.text :response
      t.text :callback
    end
  end
 end
--- a/core/main/ar-migrations/024_create_autoloader.rb
+++ b/core/main/ar-migrations/024_create_autoloader.rb
@@ -0,0 +1,8 @@
 class CreateAutoloader < ActiveRecord::Migration[6.0]
  def change
    create_table :autoloaders do |t|
      t.references :command
      t.boolean :in_use
    end
  end
 end
--- a/core/main/ar-migrations/025_create_xssrays_scan.rb
+++ b/core/main/ar-migrations/025_create_xssrays_scan.rb
@@ -0,0 +1,14 @@
 class CreateXssraysScan < ActiveRecord::Migration[6.0]
  def change
    create_table :xssraysscans do |t|
      t.references :hooked_browser
      t.datetime :scan_start
      t.datetime :scan_finish
      t.text :domain
      t.text :cross_origin
      t.integer :clean_timeout
      t.boolean :is_started
      t.boolean :is_finished
    end
  end
 end
--- a/core/main/autorun_engine/engine.rb
+++ b/core/main/autorun_engine/engine.rb
@@ -1,14 +1,12 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
  module Core
    module AutorunEngine
      class Engine
        include Singleton
        def initialize
@@ -20,54 +18,264 @@ module BeEF
          @debug_on = @config.get('beef.debug')
-          @VERSION = ['<','<=','==','>=','>','ALL']
+          @VERSION = ['<', '<=', '==', '>=', '>', 'ALL']
-          @VERSION_STR = ['XP','Vista']
+          @VERSION_STR = %w[XP Vista 7]
        end
        # Checks if there are any ARE rules to be triggered for the specified hooked browser.
        #
        # Returns an array with rule IDs that matched and should be triggered.
        # if rule_id is specified, checks will be executed only against the specified rule (useful
        #  for dynamic triggering of new rulesets ar runtime)
        def find_matching_rules_for_zombie(browser, browser_version, os, os_version)
          rules = BeEF::Core::Models::Rule.all
          return if rules.nil?
          return if rules.empty?
          # TODO: handle cases where there are multiple ARE rules for the same hooked browser.
          # maybe rules need to have priority or something?
          print_info '[ARE] Checking if any defined rules should be triggered on target.'
          match_rules = []
          rules.each do |rule|
            next unless zombie_matches_rule?(browser, browser_version, os, os_version, rule)
            match_rules.push(rule.id)
            print_more("Hooked browser and OS match rule: #{rule.name}.")
          end
          print_more("Found [#{match_rules.length}/#{rules.length}] ARE rules matching the hooked browser.")
          match_rules
        end
        # @return [Boolean]
        # Note: browser version checks are supporting only major versions, ex: C 43, IE 11
        # Note: OS version checks are supporting major/minor versions, ex: OSX 10.10, Windows 8.1
        def zombie_matches_rule?(browser, browser_version, os, os_version, rule)
          return false if rule.nil?
          unless zombie_browser_matches_rule?(browser, browser_version, rule)
            print_debug("Browser version check -> (hook) #{browser_version} #{rule.browser_version} (rule) : does not match")
            return false
          end
          print_debug("Browser version check -> (hook) #{browser_version} #{rule.browser_version} (rule) : matched")
          unless zombie_os_matches_rule?(os, os_version, rule)
            print_debug("OS version check -> (hook) #{os_version} #{rule.os_version} (rule): does not match")
            return false
          end
          print_debug("OS version check -> (hook) #{os_version} #{rule.os_version} (rule): matched")
          true
        rescue StandardError => e
          print_error e.message
          print_debug e.backtrace.join("\n")
        end
        # @return [Boolean]
        # TODO: This should be updated to support matching multiple OS (like the browser check below)
        def zombie_os_matches_rule?(os, os_version, rule)
          return false if rule.nil?
          return false unless rule.os == 'ALL' || os == rule.os
          # check if the OS versions match
          os_ver_rule_cond = rule.os_version.split(' ').first
          return true if os_ver_rule_cond == 'ALL'
          return false unless @VERSION.include?(os_ver_rule_cond) || @VERSION_STR.include?(os_ver_rule_cond)
          os_ver_rule_maj = rule.os_version.split(' ').last.split('.').first
          os_ver_rule_min = rule.os_version.split(' ').last.split('.').last
          if os_ver_rule_maj == 'XP'
            os_ver_rule_maj = 5
            os_ver_rule_min = 0
          elsif os_ver_rule_maj == 'Vista'
            os_ver_rule_maj = 6
            os_ver_rule_min = 0
          elsif os_ver_rule_maj == '7'
            os_ver_rule_maj = 6
            os_ver_rule_min = 0
          end
          # Most of the times Linux/*BSD OS doesn't return any version
          # (TODO: improve OS detection on these operating systems)
          if !os_version.nil? && !@VERSION_STR.include?(os_version)
            os_ver_hook_maj = os_version.split('.').first
            os_ver_hook_min = os_version.split('.').last
            # the following assignments to 0 are need for later checks like:
            # 8.1 >= 7, because if the version doesn't have minor versions, maj/min are the same
            os_ver_hook_min = 0 if os_version.split('.').length == 1
            os_ver_rule_min = 0 if rule.os_version.split('.').length == 1
          else
            # XP is Windows 5.0 and Vista is Windows 6.0. Easier for comparison later on.
            # TODO: BUG: This will fail horribly if the target OS is Windows 7 or newer,
            # as no version normalization is performed.
            # TODO: Update this for every OS since Vista/7 ...
            if os_version == 'XP'
              os_ver_hook_maj = 5
              os_ver_hook_min = 0
            elsif os_version == 'Vista'
              os_ver_hook_maj = 6
              os_ver_hook_min = 0
            elsif os_version == '7'
              os_ver_hook_maj = 6
              os_ver_hook_min = 0
            end
          end
          if !os_version.nil? || rule.os_version != 'ALL'
            os_major_version_match = compare_versions(os_ver_hook_maj.to_s, os_ver_rule_cond, os_ver_rule_maj.to_s)
            os_minor_version_match = compare_versions(os_ver_hook_min.to_s, os_ver_rule_cond, os_ver_rule_min.to_s)
            return false unless (os_major_version_match && os_minor_version_match)
          end
          true
        rescue StandardError => e
          print_error e.message
          print_debug e.backtrace.join("\n")
        end
        # @return [Boolean]
        def zombie_browser_matches_rule?(browser, browser_version, rule)
          return false if rule.nil?
          b_ver_cond = rule.browser_version.split(' ').first
          return false unless @VERSION.include?(b_ver_cond)
          b_ver = rule.browser_version.split(' ').last
          return false unless BeEF::Filters.is_valid_browserversion?(b_ver)
          # check if rule specifies multiple browsers
          if rule.browser =~ /\A[A-Z]+\Z/
              return false unless rule.browser == 'ALL' || browser == rule.browser
              # check if the browser version matches
              browser_version_match = compare_versions(browser_version.to_s, b_ver_cond, b_ver.to_s)
              return false unless browser_version_match
            else
              browser_match = false
              rule.browser.gsub(/[^A-Z,]/i, '').split(',').each do |b|
                if b == browser || b == 'ALL'
                  browser_match = true
                  break
                end
              end
              return false unless browser_match
          end
          true
        rescue StandardError => e
          print_error e.message
          print_debug e.backtrace.join("\n")
        end
        # Check if the hooked browser type/version and OS type/version match any Rule-sets
-        # stored in the BeEF::Core::AutorunEngine::Models::Rule database table
+        # stored in the BeEF::Core::Models::Rule database table
        # If one or more Rule-sets do match, trigger the module chain specified
-        def run(hb_id, browser_name, browser_version, os_name, os_version)
+        def find_and_run_all_matching_rules_for_zombie(hb_id)
          return if hb_id.nil?
          hb_details = BeEF::Core::Models::BrowserDetails
          browser_name = hb_details.get(hb_id, 'browser.name')
          browser_version = hb_details.get(hb_id, 'browser.version')
          os_name = hb_details.get(hb_id, 'host.os.name')
          os_version = hb_details.get(hb_id, 'host.os.version')
          are = BeEF::Core::AutorunEngine::Engine.instance
-          match_rules = are.match(browser_name, browser_version, os_name, os_version)
+          rules = are.find_matching_rules_for_zombie(browser_name, browser_version, os_name, os_version)
-          are.trigger(match_rules, hb_id) if match_rules !=nil && match_rules.length > 0
+
          return if rules.nil?
          return if rules.empty?
          are.run_rules_on_zombie(rules, hb_id)
        end
        # Run the specified rule IDs on the specified zombie ID
        # only if the rules match.
        def run_matching_rules_on_zombie(rule_ids, hb_id)
          return if rule_ids.nil?
          return if hb_id.nil?
          rule_ids = [rule_ids.to_i] if rule_ids.is_a?(String)
          hb_details = BeEF::Core::Models::BrowserDetails
          browser_name = hb_details.get(hb_id, 'browser.name')
          browser_version = hb_details.get(hb_id, 'browser.version')
          os_name = hb_details.get(hb_id, 'host.os.name')
          os_version = hb_details.get(hb_id, 'host.os.version')
          are = BeEF::Core::AutorunEngine::Engine.instance
          rules = are.find_matching_rules_for_zombie(browser_name, browser_version, os_name, os_version)
          return if rules.nil?
          return if rules.empty?
          new_rules = []
          rules.each do |rule|
            new_rules << rule if rule_ids.include?(rule)
          end
          return if new_rules.empty?
          are.run_rules_on_zombie(new_rules, hb_id)
        end
        # Run the specified rule IDs on the specified zombie ID
        # regardless of whether the rules match.
        # Prepare and return the JavaScript of the modules to be sent.
        # It also updates the rules ARE execution table with timings
-        def trigger(rule_ids, hb_id)
+        def run_rules_on_zombie(rule_ids, hb_id)
          return if rule_ids.nil?
          return if hb_id.nil?
          hb = BeEF::HBManager.get_by_id(hb_id)
          hb_session = hb.session
          rule_ids = [rule_ids] if rule_ids.is_a?(Integer)
          rule_ids.each do |rule_id|
-            rule = BeEF::Core::AutorunEngine::Models::Rule.get(rule_id)
+            rule = BeEF::Core::Models::Rule.find(rule_id)
            modules = JSON.parse(rule.modules)
            execution_order = JSON.parse(rule.execution_order)
            execution_delay = JSON.parse(rule.execution_delay)
-            chain_mode  = rule.chain_mode
+            chain_mode = rule.chain_mode
-            mods_bodies = Array.new
+            unless %w[sequential nested-forward].include?(chain_mode)
-            mods_codes = Array.new
+              print_error("[ARE] Invalid chain mode '#{chain_mode}' for rule")
-            mods_conditions = Array.new
+              return
            end
            mods_bodies = []
            mods_codes = []
            mods_conditions = []
            # this ensures that if both rule A and rule B call the same module in sequential mode,
            # execution will be correct preventing wrapper functions to be called with equal names.
            rule_token = SecureRandom.hex(5)
            modules.each do |cmd_mod|
-              mod = BeEF::Core::Models::CommandModule.first(:name => cmd_mod['name'])
+              mod = BeEF::Core::Models::CommandModule.where(name: cmd_mod['name']).first
              options = []
              replace_input = false
-              cmd_mod['options'].each do|k,v|
+              cmd_mod['options'].each do |k, v|
-                options.push({'name' => k, 'value' => v})
+                options.push({ 'name' => k, 'value' => v })
                replace_input = true if v == '<<mod_input>>'
              end
              command_body = prepare_command(mod, options, hb_id, replace_input, rule_token)
              mods_bodies.push(command_body)
              mods_codes.push(cmd_mod['code'])
              mods_conditions.push(cmd_mod['condition'])
@@ -75,31 +283,32 @@ module BeEF
            # Depending on the chosen chain mode (sequential or nested/forward), prepare the appropriate wrapper
            case chain_mode
-              when 'nested-forward'
+            when 'nested-forward'
-                wrapper = prepare_nested_forward_wrapper(mods_bodies, mods_codes, mods_conditions, execution_order, rule_token)
+              wrapper = prepare_nested_forward_wrapper(mods_bodies, mods_codes, mods_conditions, execution_order, rule_token)
-              when 'sequential'
+            when 'sequential'
-                wrapper = prepare_sequential_wrapper(mods_bodies, execution_order, execution_delay, rule_token)
+              wrapper = prepare_sequential_wrapper(mods_bodies, execution_order, execution_delay, rule_token)
-              else
+            else
-                wrapper = nil
+              # we should never get here. chain mode is validated earlier.
-                print_error "Chain mode looks wrong!"
+              print_error("[ARE] Invalid chain mode '#{chain_mode}'")
-                # TODO catch error, which should never happen as values are checked way before ;-)
+              next
            end
-            are_exec = BeEF::Core::AutorunEngine::Models::Execution.new(
+            print_more "Triggering rules #{rule_ids} on HB #{hb_id}"
-                :session => hb_session,
+
-                :mod_count => modules.length,
+            are_exec = BeEF::Core::Models::Execution.new(
-                :mod_successful => 0,
+              session_id: hb_session,
-                :rule_token => rule_token,
+              mod_count: modules.length,
-                :mod_body => wrapper,
+              mod_successful: 0,
-                :is_sent => false,
+              rule_token: rule_token,
-                :rule_id => rule_id
+              mod_body: wrapper,
              is_sent: false,
              rule_id: rule_id
            )
-            are_exec.save
+            are_exec.save!
            # Once Engine.check() verified that the hooked browser match a Rule, trigger the Rule ;-)
            print_more "Triggering ruleset #{rule_ids.to_s} on HB #{hb_id}"
          end
        end
        private
        # Wraps module bodies in their own function, using setTimeout to trigger them with an eventual delay.
        # Launch order is also taken care of.
@@ -114,7 +323,7 @@ module BeEF
          delayed_exec = ''
          c = 0
          while c < mods.length
-            delayed_exec += %Q| setTimeout(function(){#{mods[order[c]][:mod_name]}_#{rule_token}();}, #{delay[c]}); |
+            delayed_exec += %| setTimeout(function(){#{mods[order[c]][:mod_name]}_#{rule_token}();}, #{delay[c]}); |
            mod_body = mods[order[c]][:mod_body].to_s.gsub("#{mods[order[c]][:mod_name]}_mod_output", "#{mods[order[c]][:mod_name]}_#{rule_token}_mod_output")
            wrapped_mod = "#{mod_body}\n"
            wrapper += wrapped_mod
@@ -141,16 +350,17 @@ module BeEF
        #     if the first once return with success. Also, the second module has the possibility of mangling first
        #     module output and use it as input for some of its module inputs.
        def prepare_nested_forward_wrapper(mods, code, conditions, order, rule_token)
-          wrapper, delayed_exec = '',''
+          wrapper = ''
-          delayed_exec_footers = Array.new
+          delayed_exec = ''
          delayed_exec_footers = []
          c = 0
          while c < mods.length
-            if mods.length == 1
+            i = if mods.length == 1
-              i = c
+                  c
-            else
+                else
-              i = c + 1
+                  c + 1
-            end
+                end
            code_snippet = ''
            mod_input = ''
@@ -159,11 +369,11 @@ module BeEF
              mod_input = 'mod_input'
            end
-            conditions[i] = true if conditions[i] == nil || conditions[i] == ''
+            conditions[i] = true if conditions[i].nil? || conditions[i] == ''
            if c == 0
              # this is the first wrapper to prepare
-              delayed_exec += %Q|
+              delayed_exec += %|
                function #{mods[order[c]][:mod_name]}_#{rule_token}_f(){
                  #{mods[order[c]][:mod_name]}_#{rule_token}();
@@ -185,7 +395,7 @@ module BeEF
                         #{mods[order[c]][:mod_name]}_#{rule_token}_mod_output = mod_result[1];
              |
-              delayed_exec_footer = %Q|
+              delayed_exec_footer = %|
                     }
                    }
                  }
@@ -198,10 +408,10 @@ module BeEF
              delayed_exec_footers.push(delayed_exec_footer)
            elsif c < mods.length - 1
-              code_snippet = code_snippet.to_s.gsub(mods[order[c-1]][:mod_name], "#{mods[order[c-1]][:mod_name]}_#{rule_token}")
+              code_snippet = code_snippet.to_s.gsub(mods[order[c - 1]][:mod_name], "#{mods[order[c - 1]][:mod_name]}_#{rule_token}")
              # this is one of the wrappers in the middle of the chain
-              delayed_exec += %Q|
+              delayed_exec += %|
                function #{mods[order[c]][:mod_name]}_#{rule_token}_f(){
                  if(#{mods[order[c]][:mod_name]}_#{rule_token}_can_exec){
                     #{code_snippet}
@@ -223,7 +433,7 @@ module BeEF
                             #{mods[order[c]][:mod_name]}_#{rule_token}_mod_output = mod_result[1];
              |
-              delayed_exec_footer = %Q|
+              delayed_exec_footer = %|
                         }
                       }
                     }
@@ -236,9 +446,9 @@ module BeEF
              delayed_exec_footers.push(delayed_exec_footer)
            else
-              code_snippet = code_snippet.to_s.gsub(mods[order[c-1]][:mod_name], "#{mods[order[c-1]][:mod_name]}_#{rule_token}")
+              code_snippet = code_snippet.to_s.gsub(mods[order[c - 1]][:mod_name], "#{mods[order[c - 1]][:mod_name]}_#{rule_token}")
              # this is the last wrapper to prepare
-              delayed_exec += %Q|
+              delayed_exec += %|
                function #{mods[order[c]][:mod_name]}_#{rule_token}_f(){
                  if(#{mods[order[c]][:mod_name]}_#{rule_token}_can_exec){
                     #{code_snippet}
@@ -258,7 +468,6 @@ module BeEF
          wrapper
        end
        # prepare the command module (compiling the Erubis templating stuff), eventually obfuscate it,
        # and store it in the database.
        # Returns the raw module body after template substitution.
@@ -266,16 +475,16 @@ module BeEF
          config = BeEF::Core::Configuration.instance
          begin
            command = BeEF::Core::Models::Command.new(
-                :data => options.to_json,
+              data: options.to_json,
-                :hooked_browser_id => hb_id,
+              hooked_browser_id: hb_id,
-                :command_module_id => BeEF::Core::Configuration.instance.get("beef.module.#{mod.name}.db.id"),
+              command_module_id: BeEF::Core::Configuration.instance.get("beef.module.#{mod.name}.db.id"),
-                :creationdate => Time.new.to_i,
+              creationdate: Time.new.to_i,
-                :instructions_sent => true
+              instructions_sent: true
            )
-            command.save
+            command.save!
-            command_module = BeEF::Core::Models::CommandModule.first(:id => mod.id)
+            command_module = BeEF::Core::Models::CommandModule.find(mod.id)
-            if (command_module.path.match(/^Dynamic/))
+            if command_module.path.match(/^Dynamic/)
              # metasploit and similar integrations
              command_module = BeEF::Modules::Commands.const_get(command_module.path.split('/').last.capitalize).new
            else
@@ -293,18 +502,18 @@ module BeEF
            build_missing_beefjs_components(command_module.beefjs_components) unless command_module.beefjs_components.empty?
-            if config.get("beef.extension.evasion.enable")
+            if config.get('beef.extension.evasion.enable')
              evasion = BeEF::Extension::Evasion::Evasion.instance
              command_body = evasion.obfuscate(command_module.output) + "\n\n"
            else
-              command_body = command_module.output  + "\n\n"
+              command_body = command_module.output + "\n\n"
            end
            # @note prints the event to the console
            print_more "Preparing JS for command id [#{command.id}], module [#{mod.name}]"
-            replace_input ? mod_input = 'mod_input' : mod_input = ''
+            mod_input = replace_input ? 'mod_input' : ''
-            result = %Q|
+            result = %|
                var #{mod.name}_#{rule_token} = function(#{mod_input}){
                    #{clean_command_body(command_body, replace_input)}
                };
@@ -312,8 +521,8 @@ module BeEF
                var #{mod.name}_#{rule_token}_mod_output = null;
            |
-            return {:mod_name => mod.name, :mod_body => result}
+            { mod_name: mod.name, mod_body: result }
-          rescue =>  e
+          rescue StandardError => e
            print_error e.message
            print_debug e.backtrace.join("\n")
          end
@@ -324,163 +533,43 @@ module BeEF
        #
        # Also replace <<mod_input>> with mod_input variable if needed for chaining module output/input
        def clean_command_body(command_body, replace_input)
-          begin
+          cmd_body = command_body.lines.map(&:chomp)
-            cmd_body = command_body.lines.map(&:chomp)
+          wrapper_start_index, wrapper_end_index = nil
            wrapper_start_index,wrapper_end_index = nil
-            cmd_body.each_with_index do |line, index|
+          cmd_body.each_with_index do |line, index|
-              if line.to_s =~ /^(beef|[a-zA-Z]+)\.execute\(function\(\)/
+            if line.to_s =~ /^(beef|[a-zA-Z]+)\.execute\(function\(\)/
-                wrapper_start_index = index
+              wrapper_start_index = index
-                break
+              break
              end
            end
            if wrapper_start_index.nil?
              print_error "[ARE] Could not find module start index"
            end
            cmd_body.reverse.each_with_index do |line, index|
              if line.include?('});')
                wrapper_end_index = index
                break
              end
            end
            if wrapper_end_index.nil?
              print_error "[ARE] Could not find module end index"
            end
            cleaned_cmd_body = cmd_body.slice(wrapper_start_index..-(wrapper_end_index+1)).join("\n")
            if cleaned_cmd_body.eql?('')
              print_error "[ARE] No command to send"
            end
            # check if <<mod_input>> should be replaced with a variable name (depending if the variable is a string or number)
            if replace_input
              if cleaned_cmd_body.include?('"<<mod_input>>"')
                final_cmd_body = cleaned_cmd_body.gsub('"<<mod_input>>"','mod_input')
              elsif cleaned_cmd_body.include?('\'<<mod_input>>\'')
                final_cmd_body = cleaned_cmd_body.gsub('\'<<mod_input>>\'','mod_input')
              elsif cleaned_cmd_body.include?('<<mod_input>>')
                final_cmd_body = cleaned_cmd_body.gsub('\'<<mod_input>>\'','mod_input')
              else
                return cleaned_cmd_body
              end
              return final_cmd_body
            else
              return cleaned_cmd_body
            end
          rescue =>  e
            print_error "[ARE] There is likely a problem with the module's command.js parsing. Check Engine.clean_command_body"
          end
-        end
+          print_error '[ARE] Could not find module start index' if wrapper_start_index.nil?
          cmd_body.reverse.each_with_index do |line, index|
            if line.include?('});')
              wrapper_end_index = index
              break
            end
          end
          print_error '[ARE] Could not find module end index' if wrapper_end_index.nil?
-        # Checks if there are any ARE rules to be triggered for the specified hooked browser
+          cleaned_cmd_body = cmd_body.slice(wrapper_start_index..-(wrapper_end_index + 1)).join("\n")
-        #
+
-        # Note: browser version checks are supporting only major versions, ex: C 43, IE 11
+          print_error '[ARE] No command to send' if cleaned_cmd_body.eql?('')
-        # Note: OS version checks are supporting major/minor versions, ex: OSX 10.10, Windows 8.1
+
-        #
+          # check if <<mod_input>> should be replaced with a variable name (depending if the variable is a string or number)
-        # Returns an array with rule IDs that matched and should be triggered.
+          return cleaned_cmd_body unless replace_input
-        # if rule_id is specified, checks will be executed only against the specified rule (useful
+
-        #  for dynamic triggering of new rulesets ar runtime)
+          if cleaned_cmd_body.include?('"<<mod_input>>"')
-        def match(browser, browser_version, os, os_version, rule_id=nil)
+            cleaned_cmd_body.gsub('"<<mod_input>>"', 'mod_input')
-          match_rules = []
+          elsif cleaned_cmd_body.include?('\'<<mod_input>>\'')
-          if rule_id != nil
+            cleaned_cmd_body.gsub('\'<<mod_input>>\'', 'mod_input')
-            rules = [BeEF::Core::AutorunEngine::Models::Rule.get(rule_id)]
+          elsif cleaned_cmd_body.include?('<<mod_input>>')
            cleaned_cmd_body.gsub('\'<<mod_input>>\'', 'mod_input')
          else
-            rules = BeEF::Core::AutorunEngine::Models::Rule.all()
+            cleaned_cmd_body
          end
-          return nil if rules == nil
+        rescue StandardError => e
-          return nil unless rules.length > 0
+          print_error "[ARE] There is likely a problem with the module's command.js parsing. Check Engine.clean_command_body. #{e.message}"
          print_info "[ARE] Checking if any defined rules should be triggered on target."
          # TODO handle cases where there are multiple ARE rules for the same hooked browser.
          # TODO the above works well, but maybe rules need to have priority or something?
          rules.each do |rule|
            begin
              browser_match, os_match = false, false
              b_ver_cond = rule.browser_version.split(' ').first
              b_ver = rule.browser_version.split(' ').last
              os_ver_rule_cond = rule.os_version.split(' ').first
              os_ver_rule_maj = rule.os_version.split(' ').last.split('.').first
              os_ver_rule_min = rule.os_version.split(' ').last.split('.').last
              # Most of the times Linux/*BSD OS doesn't return any version
              # (TODO: improve OS detection on these operating systems)
              if os_version != nil && !@VERSION_STR.include?(os_version)
                os_ver_hook_maj = os_version.split('.').first
                os_ver_hook_min = os_version.split('.').last
                # the following assignments to 0 are need for later checks like:
                # 8.1 >= 7, because if the version doesn't have minor versions, maj/min are the same
                os_ver_hook_min = 0 if os_version.split('.').length == 1
                os_ver_rule_min = 0 if rule.os_version.split('.').length == 1
              else
                # most probably Windows XP or Vista. the following is a hack as Microsoft had the brilliant idea
                # to switch from strings to numbers in OS versioning. To prevent rewriting code later on,
                # we say that XP is Windows 5.0 and Vista is Windows 6.0. Easier for comparison later on.
                  os_ver_hook_maj, os_ver_hook_min = 5, 0 if os_version == 'XP'
                  os_ver_hook_maj, os_ver_hook_min = 6, 0 if os_version == 'Vista'
              end
              os_ver_rule_maj, os_ver_rule_min = 5, 0 if os_ver_rule_maj == 'XP'
              os_ver_rule_maj, os_ver_rule_min = 6, 0 if os_ver_rule_maj == 'Vista'
              next unless @VERSION.include?(b_ver_cond)
              next unless BeEF::Filters::is_valid_browserversion?(b_ver)
              next unless @VERSION.include?(os_ver_rule_cond) || @VERSION_STR.include?(os_ver_rule_cond)
              # os_ver without checks as it can be very different or even empty, for instance on linux/bsd)
              # skip rule unless the browser matches
              browser_match = false
              # check if rule specifies multiple browsers
              if rule.browser !~ /\A[A-Z]+\Z/
                rule.browser.gsub(/[^A-Z,]/i, '').split(',').each do |b|
                  browser_match = true if b == browser || b == 'ALL'
                end
              # else, only one browser
              else
                next unless rule.browser == 'ALL' || browser == rule.browser
                # check if the browser version matches
                browser_version_match = compare_versions(browser_version.to_s, b_ver_cond, b_ver.to_s)
                if browser_version_match
                  browser_match = true
                else
                  browser_match = false
                end
                print_more "Browser version check -> (hook) #{browser_version} #{rule.browser_version} (rule) : #{browser_version_match}"
              end
              next unless browser_match
              # skip rule unless the OS matches
              next unless rule.os == 'ALL' || os == rule.os
              # check if the OS versions match
              if os_version != nil || rule.os_version != 'ALL'
                os_major_version_match = compare_versions(os_ver_hook_maj.to_s, os_ver_rule_cond, os_ver_rule_maj.to_s)
                os_minor_version_match = compare_versions(os_ver_hook_min.to_s, os_ver_rule_cond, os_ver_rule_min.to_s)
              else
                # os_version_match = true if (browser doesn't return an OS version || rule OS version is ALL )
                os_major_version_match, os_minor_version_match = true, true
              end
              os_match = true if os_ver_rule_cond == 'ALL' || (os_major_version_match && os_minor_version_match)
              print_more "OS version check -> (hook) #{os_version} #{rule.os_version} (rule): #{os_major_version_match && os_minor_version_match}"
              if browser_match && os_match
                print_more "Hooked browser and OS type/version MATCH rule: #{rule.name}."
                match_rules.push(rule.id)
              end
            rescue =>  e
              print_error e.message
              print_debug e.backtrace.join("\n")
            end
          end
          print_more "Found [#{match_rules.length}/#{rules.length}] ARE rules matching the hooked browser type/version."
          return match_rules
        end
        # compare versions
@@ -491,7 +580,8 @@ module BeEF
          return true if cond == '<'  && ver_a <  ver_b
          return true if cond == '>=' && ver_a >= ver_b
          return true if cond == '>'  && ver_a >  ver_b
-          return false
+
          false
        end
      end
    end
--- a/core/main/autorun_engine/models/execution.rb
+++ b/core/main/autorun_engine/models/execution.rb
@@ -1,31 +0,0 @@
 #
 # Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
 # Browser Exploitation Framework (BeEF) - http://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
  module Core
    module AutorunEngine
      module Models
        # @note Stored info about the execution of the ARE on hooked browsers.
        class Execution
          include DataMapper::Resource
          storage_names[:default] = 'core_areexecution'
          property :id, Serial
          property :session, Text                         # hooked browser session where a ruleset triggered
          property :mod_count, Integer                    # number of command modules of the ruleset
          property :mod_successful, Integer               # number of command modules that returned with success
          # By default Text is only 65K, so field length increased to 1 MB
          property :mod_body, Text,    :length => 1024000 # entire command module(s) body to be sent
          property :exec_time, String, :length => 15      # timestamp of ruleset triggering
          property :rule_token, String, :length => 10     # unique token to be appended to wrapper function names
          property :is_sent, Boolean
        end
      end
    end
  end
 end
--- a/core/main/autorun_engine/models/rule.rb
+++ b/core/main/autorun_engine/models/rule.rb
@@ -1,34 +0,0 @@
 #
 # Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
 # Browser Exploitation Framework (BeEF) - http://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
  module Core
    module AutorunEngine
      module Models
        # @note Table stores the rules for the Distributed Engine.
        class Rule
          include DataMapper::Resource
          storage_names[:default] = 'core_arerules'
          property :id, Serial
          property :name, Text                                       # rule name
          property :author, String                                   # rule author
          property :browser, String, :length => 10                   # browser name
          property :browser_version, String, :length => 15           # browser version
          property :os, String, :length => 10                        # OS name
          property :os_version, String, :length => 15                # OS version
          property :modules, Text                                    # JSON stringyfied representation of the JSON rule for further parsing
          property :execution_order, Text                            # command module execution order
          property :execution_delay, Text                            # command module time delays
          property :chain_mode, String, :length => 40                 # rule chaining mode
          has n, :executions
        end
      end
    end
  end
 end
--- a/core/main/autorun_engine/parser.rb
+++ b/core/main/autorun_engine/parser.rb
@@ -1,89 +1,80 @@
 #
-# Copyright (c) 2006-2019 Wade Alcorn - wade@bindshell.net
+# Copyright (c) 2006-2026 Wade Alcorn - wade@bindshell.net
-# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# Browser Exploitation Framework (BeEF) - https://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 module BeEF
  module Core
    module AutorunEngine
      class Parser
        include Singleton
        def initialize
          @config = BeEF::Core::Configuration.instance
        end
-        BROWSER = ['FF','C','IE','S','O','ALL']
+        BROWSER = %w[FF C IE S O ALL]
-        OS = ['Linux','Windows','OSX','Android','iOS','BlackBerry','ALL']
+        OS = %w[Linux Windows OSX Android iOS BlackBerry ALL]
-        VERSION = ['<','<=','==','>=','>','ALL','Vista','XP']
+        VERSION = ['<', '<=', '==', '>=', '>', 'ALL', 'Vista', 'XP']
-        CHAIN_MODE = ['sequential','nested-forward']
+        CHAIN_MODE = %w[sequential nested-forward]
        MAX_VER_LEN = 15
        # Parse a JSON ARE file and returns an Hash with the value mappings
        def parse(name,author,browser, browser_version, os, os_version, modules, exec_order, exec_delay, chain_mode)
          begin
            success = [true]
-            return [false, 'Illegal chain_mode definition'] unless CHAIN_MODE.include?(chain_mode)
+        def parse(name, author, browser, browser_version, os, os_version, modules, execution_order, execution_delay, chain_mode)
-            return [false, 'Illegal rule name'] unless BeEF::Filters.is_non_empty_string?(name)
+          raise ArgumentError, "Invalid rule name: #{name}" unless BeEF::Filters.is_non_empty_string?(name)
-            return [false, 'Illegal author name'] unless BeEF::Filters.is_non_empty_string?(author)
+          raise ArgumentError, "Invalid author name: #{author}" unless BeEF::Filters.is_non_empty_string?(author)
-            # if multiple browsers were specified, check each browser
+          raise ArgumentError, "Invalid chain_mode definition: #{chain_mode}" unless CHAIN_MODE.include?(chain_mode)
-            if browser.kind_of?(Array)
+          raise ArgumentError, "Invalid os definition: #{os}" unless OS.include?(os)
              browser.each do |b|
                return [false, 'Illegal browser definition'] unless BROWSER.include?(b)
              end
            # else, if only one browser was specified, check browser and browser version
            else
              return [false, 'Illegal browser definition'] unless BROWSER.include?(browser)
              if browser_version != 'ALL'
                return [false, 'Illegal browser_version definition'] unless
                  VERSION.include?(browser_version[0,2].gsub(/\s+/,'')) &&
                      BeEF::Filters::is_valid_browserversion?(browser_version[2..-1].gsub(/\s+/,'')) && browser_version.length < MAX_VER_LEN
              end
            end
-            if os_version != 'ALL'
+          unless modules.size == execution_delay.size
-              return [false, 'Illegal os_version definition'] unless
+            raise ArgumentError, "Number of execution_delay values (#{execution_delay.size}) must be consistent with number of modules (#{modules.size})"
                  VERSION.include?(os_version[0,2].gsub(/\s+/,'')) &&
                      BeEF::Filters::is_valid_osversion?(os_version[2..-1].gsub(/\s+/,'')) && os_version.length < MAX_VER_LEN
            end
            return [false, 'Illegal os definition'] unless OS.include?(os)
            # check if module names, conditions and options are ok
            modules.each do |cmd_mod|
              mod = BeEF::Core::Models::CommandModule.first(:name => cmd_mod['name'])
              if mod != nil
                modk = BeEF::Module.get_key_by_database_id(mod.id)
                mod_options = BeEF::Module.get_options(modk)
                opt_count = 0
                mod_options.each do |opt|
                   if opt['name'] == cmd_mod['options'].keys[opt_count]
                     opt_count += 1
                   else
                     return [false, "The specified option (#{cmd_mod['options'].keys[opt_count]
                                             }) for module (#{cmd_mod['name']}) does not exist"]
                   end
                end
              else
                return [false, "The specified module name (#{cmd_mod['name']}) does not exist"]
              end
            end
            exec_order.each{ |order| return [false, 'execution_order values must be Integers'] unless order.integer?}
            exec_delay.each{ |delay| return [false, 'execution_delay values must be Integers'] unless delay.integer?}
            return [false, 'execution_order and execution_delay values must be consistent with modules numbers'] unless
                modules.size == exec_order.size && modules.size == exec_delay.size
            success
          rescue => e
            print_error "#{e.message}"
            print_debug "#{e.backtrace.join("\n")}"
            return [false, 'Something went wrong.']
          end
          execution_delay.each { |delay| raise TypeError, "Invalid execution_delay value: #{delay}. Values must be Integers." unless delay.is_a?(Integer) }
          unless modules.size == execution_order.size
            raise ArgumentError, "Number of execution_order values (#{execution_order.size}) must be consistent with number of modules (#{modules.size})"
          end
          execution_order.each { |order| raise TypeError, "Invalid execution_order value: #{order}. Values must be Integers." unless order.is_a?(Integer) }
          # if multiple browsers were specified, check each browser
          if browser.is_a?(Array)
            browser.each do |b|
              raise ArgumentError, "Invalid browser definition: #{browser}" unless BROWSER.include?(b)
            end
          # else, if only one browser was specified, check browser and browser version
          else
            raise ArgumentError, "Invalid browser definition: #{browser}" unless BROWSER.include?(browser)
            if browser_version != 'ALL' && !(VERSION.include?(browser_version[0, 2].gsub(/\s+/, '')) &&
                  BeEF::Filters.is_valid_browserversion?(browser_version[2..-1].gsub(/\s+/, '')) && browser_version.length < MAX_VER_LEN)
              raise ArgumentError, "Invalid browser_version definition: #{browser_version}"
            end
          end
          if os_version != 'ALL' && !(VERSION.include?(os_version[0, 2].gsub(/\s+/, '')) &&
                  BeEF::Filters.is_valid_osversion?(os_version[2..-1].gsub(/\s+/, '')) && os_version.length < MAX_VER_LEN)
            return ArgumentError, "Invalid os_version definition: #{os_version}"
          end
          # check if module names, conditions and options are ok
          modules.each do |cmd_mod|
            mod = BeEF::Core::Models::CommandModule.where(name: cmd_mod['name']).first
            raise "The specified module name (#{cmd_mod['name']}) does not exist" if mod.nil?
            modk = BeEF::Module.get_key_by_database_id(mod.id)
            mod_options = BeEF::Module.get_options(modk)
            opt_count = 0
            mod_options.each do |opt|
              if opt['name'] != cmd_mod['options'].keys[opt_count]
                raise ArgumentError, "The specified option (#{cmd_mod['options'].keys[opt_count]}) for module (#{cmd_mod['name']}) was not specified"
              end
              opt_count += 1
            end
          end
          true
        end
      end
    end
--- a/Show More
+++ b/Show More