Web Site Defacing Methodology

There are numerous issues that can allow this. The thing to keep in mind is that "defacing" only requires alteration of the content. So, this means access to how the content is stored.
If you are using static HTML pages, that could be done through FTP or whatever mechanism you use to upload your content to the site.
If you use dynamic content, such as a CMS system, that could be done by accessing the database where the content is stored, either through connecting to the database server, using SQL injections, etc.

– SQL Injection
– XSS
– CSRF

##############

Hello,

It depends a bit on what you mean by defacing. Normally defacing means you add text or pictures on a (the landing) page with some kind of message. For this to happen you need to be able to save the HTML with the changed content on the web server. You will need some kind of rights to upload files to the webserver to pull this off. XSS could also be used if you can save your XSS somewhere (think comments, forum etc.).

If you mean stealing data from a website then you could use SQL injection. If the webmaster was so careless as to save passwords to the database, you could use this attack to find a login with enough rights to upload files; if the webmaster was then also careless, you could perhaps even upload a new index.html.

Prevention consists of protecting against the OWASP Top 10 (remote file include, SQLi and XSS would be your main areas of interest for defacing).

Defacing websites used to be a hot thing in the past. These days it is less used, since there are many more dangerous attacks possible than uploading some silly message to a web server.

A nice archive of defaced websites is http://www.zone-h.org/archive

##################
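
Both answers above come down to the same point: a defacement is a change to stored content. As an added example (not part of either post), here is a minimal integrity check for a static web root that records a SHA-256 baseline and reports files modified, added or removed since. The sample site, file names and the `demo` helper are constructed for illustration; content held in a CMS database is outside what this check sees.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(web_root):
    """Map each file's path (relative to web_root) to its SHA-256 digest."""
    root = Path(web_root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def diff_snapshots(baseline, current):
    """Return files modified, added or removed since the baseline was taken."""
    return {
        "modified": sorted(f for f in baseline
                           if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }

def demo():
    """Constructed sample site: take a baseline, simulate a change, report it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "css").mkdir()
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "css" / "site.css").write_text("h1 { color: navy; }")
        # In practice the baseline is stored somewhere the web server cannot write.
        baseline = snapshot(root)
        # Simulated unauthorised change: landing page replaced, extra file dropped.
        (root / "index.html").write_text("<h1>Altered landing page</h1>")
        (root / "note.html").write_text("<p>unexpected file</p>")
        return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Run on a schedule against the live web root and compared with a baseline taken at deploy time, any non-empty result is a change that did not come through the normal publishing path.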

 
