Le Merveilleux Blog

Etiquettes : password

Web SItE _ DefacinG_MethodologY

There are numerous issues that can allow this. The thing to keep in mind, is « defacing » only requires alteration of the content. So, this means access to how the content is stored.
If you are using static html pages, that could be done through FTP or whatever mechenism you use to upload your content to the site.
If you use dynamic content, such as a CMS system, that could be done by accessing the database where the content is stored, either through connecting to the database server, using sql injections, etc.

– SQL Injection



It depends a bit what you mean by defacing, normally defacing means you add text or pictures on a (the landing) page with some kind of message. For this to happen you need to be able to save the HTML with the changed content on the web server. You will need some kind of rights to upload files to the webserver to pull this off. XSS could also be used if you can save your XSS somewhere (think comments, forum etc.)

If you mean stealing data from a website then you could use SQL Injection, if the webmaster was so careless to save passwords to the database you could use this attack to find a login with enough rights to upload files, if the webmaster was then also careless you could perhaps even upload a new index.html.

Prevention consists of protecting against the OWASP top-10 (remote file include and SQLI and XSS would be your main areas of interest for defacing).

Defacing websites used to be a hot thing in the past, these days it is less used since there are many more dangerous attacks possible then to upload some silly message to a web server.

A nice archive of defaced websites is http://www.zone-h.org/archive



Mini MySqlat0r, XSSploit, FireForce, Webshag … …..

Mini MySqlat0r est un outil multiplateforme développé en Java destiné à auditer des sites Web pour tester et exploiter d’éventuelles failles SQL.
source : http://www.scrt.ch/attaque/telechargements/mini-mysqlat0r
XSSploit est un outil destiné à la détection automatisée et à l’exploitation des failles de type Cross-Site Scripting lors de missions de type test d’intrusion.
source: http://www.scrt.ch/attaque/telechargements/xssploit
Fireforce est une extension Firefox destinée à faire des attaques de type brute-force sur des formulaires envoyés en GET ou en POST.
Webshag est un outil, multiplateforme, destiné à l’audit de serveurs web. Intégralement écrit en Python, il regroupe une série de fonctionnalités utiles lors de tests d’intrusion de serveurs web, tels qu’un scanner d’URL et un « fuzzer » de fichiers.
source : http://www.scrt.ch/attaque/telechargements/webshag