Security Basics mailing list archives
Re: Web site defacing
From: Harshvardhan Parmar <harshvardhan.p () paladion net>
Date: Tue, 15 Nov 2011 12:48:25 +0530
Hello,

As mentioned by others, the primary requirement for defacement would be some kind of access to your content. SQL Injection and XSS are common ways to achieve this by attacking the application itself. CSRF could also be used, provided there is some option on your site which allows adding/modifying content.

In case WebDAV is enabled and accessible remotely, it can also be used for defacement. Or I could use FTP to upload the defaced content, depending on how FTP is configured. Other ways would be using the file upload feature or SSI Injection.

The attacks mentioned above are not exhaustive ways of defacing a website. In order to safeguard yourself, the following best practices should help.

1. Your web application must not be vulnerable to attacks
2. Any service which is not required must not be exposed to the users
3. All the services running should be safeguarded with strong authentication credentials
4. The folder where you store the code should only be accessible for local users; no remote access allowed

These do not guarantee complete immunity to defacement but considerably reduce the chances of a successful attack. Of course, if you are using shared hosting, then a vulnerability on the co-hosted site makes you vulnerable as well.

Regards
Harsh

On Mon, Nov 14, 2011 at 1:04 PM, a bv <vbavbalist () gmail com> wrote:
Hi,

what kind of vulnerabilities, methodologies does it allow to deface a web site? And what must be the countermeasures regarding these?

Regards

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
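Added example, not part of the original post or thread: a small self-audit for best practices 2 and 4 in the message above, flagging write-capable HTTP/WebDAV methods advertised in your own server's OPTIONS response and files under the web root that are group- or world-writable. The function names, the sample headers and the temporary web root are constructed for illustration.

```python
import os
import stat
import tempfile

# Methods that let a remote client create or change content (HTTP and WebDAV).
WRITE_METHODS = {"PUT", "DELETE", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK"}

def risky_methods(raw_headers):
    """Return write-capable methods advertised in an OPTIONS response,
    plus 'DAV' when a DAV compliance header is present."""
    found = set()
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue  # status line or blank line
        name = name.strip().lower()
        if name in ("allow", "public"):
            found |= {m.strip().upper() for m in value.split(",")} & WRITE_METHODS
        elif name == "dav":
            found.add("DAV")
    return sorted(found)

def writable_by_others(root):
    """Return paths under root that are group- or world-writable."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink mode bits are not meaningful
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

# Constructed sample: OPTIONS response headers from a server with WebDAV enabled.
SAMPLE_OPTIONS = (
    "HTTP/1.1 200 OK\r\n"
    "DAV: 1,2\r\n"
    "Allow: OPTIONS, GET, HEAD, POST, PUT, DELETE, PROPFIND, MKCOL\r\n"
)

def demo():
    # Constructed web root: one correctly locked-down file, one world-writable.
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("index.html", 0o644), ("upload.php", 0o666)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return risky_methods(SAMPLE_OPTIONS), writable_by_others(root)

if __name__ == "__main__":
    print(demo())
```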