Le Merveilleux Blog

Tags: malware

Web Site Defacing Methodology

There are numerous issues that can allow this. The thing to keep in mind is that "defacing" only requires alteration of the content. So, this means access to how the content is stored.
If you are using static HTML pages, that could be done through FTP or whatever mechanism you use to upload your content to the site.
If you use dynamic content, such as a CMS system, that could be done by accessing the database where the content is stored, either through connecting to the database server, using SQL injection, etc.

– SQL Injection



It depends a bit on what you mean by defacing. Normally, defacing means you add text or pictures to a page (the landing page) with some kind of message. For this to happen, you need to be able to save the HTML with the changed content on the web server. You will need some kind of rights to upload files to the web server to pull this off. XSS could also be used if you can save your XSS somewhere (think comments, forums, etc.).

If you mean stealing data from a website, then you could use SQL injection. If the webmaster was so careless as to save passwords to the database, you could use this attack to find a login with enough rights to upload files; if the webmaster was then also careless, you could perhaps even upload a new index.html.

Prevention consists of protecting against the OWASP Top 10 (remote file inclusion, SQLi and XSS would be your main areas of interest for defacing).

Defacing websites used to be a hot thing in the past. These days it is less used, since there are many more dangerous attacks possible than uploading some silly message to a web server.

A nice archive of defaced websites is http://www.zone-h.org/archive
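
The two input-handling defences named above for database-backed content (SQL injection and XSS saved in comments) can be shown together. This is an added example, not code from the original post: the schema, function names and sample comment are constructed for illustration, with an in-memory SQLite database standing in for a CMS.

```python
import html
import sqlite3


def make_db():
    """In-memory stand-in for a CMS database (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (slug TEXT PRIMARY KEY, body TEXT)")
    db.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)"
    )
    db.execute("INSERT INTO pages VALUES (?, ?)", ("index", "<h1>Welcome</h1>"))
    return db


def add_comment(db, author, body):
    # Placeholders keep visitor input as data: quotes, semicolons and comment
    # markers in it can never become part of the SQL statement.
    db.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    db.commit()


def render_index(db):
    # The page body is trusted editor content. Comments are untrusted and are
    # HTML-escaped at output time, so stored markup is displayed, not rendered.
    (body,) = db.execute(
        "SELECT body FROM pages WHERE slug = ?", ("index",)
    ).fetchone()
    rows = db.execute("SELECT author, body FROM comments ORDER BY id").fetchall()
    items = "".join(
        f"<li><b>{html.escape(a)}</b>: {html.escape(b)}</li>" for a, b in rows
    )
    return f"{body}<ul>{items}</ul>"


# Constructed sample input mixing SQL metacharacters and HTML markup.
SAMPLE_COMMENT = "nice site'); -- <script>alert(1)</script><h1>replaced</h1>"


def demo():
    db = make_db()
    add_comment(db, "visitor", SAMPLE_COMMENT)
    return db, render_index(db)


if __name__ == "__main__":
    print(demo()[1])
```

The comment is stored byte-for-byte as submitted, the landing page row is untouched, and the rendered page shows the markup as text.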



AV-Comparatives.org / Microsoft Security Essentials / Virustotal.com

On this site you will find independent comparatives of Anti-Virus software. All products listed in our comparatives are already a selection of some very good anti-virus products. In order to get included in our main tests, vendors must fulfill various conditions and minimum requirements.
source: http://www.av-comparatives.org/

Microsoft Security Essentials protects your computer in real time against viruses, spyware and other malicious software.
source: Microsoft Security Essentials: download

Virustotal is a service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines.
source: http://www.virustotal.com/