"Politics is the gentle art of getting votes from the poor and campaign funds from the rich, by promising to protect each from the other." - Oscar Ameringer
First, let’s begin with why script kiddies choose to deface websites. Script kiddies like the idea of hacking, and they like how other people admire hackers for their skills. However, the script kiddie can’t hack, doesn’t have many skills, and can’t actually read and write code, which negates the “hacker” in them.
There are a few ways to deface websites. The first and most common is using SQLi to bypass or uncover admin credentials and then log in to the site as an admin. After that they depend on a local file inclusion vulnerability, which allows files such as those with .php extensions to be submitted to the site (some sites only allow .jpg, .png, etc. extensions, so to bypass this you need to put shell.php.jpg, shell.jpg.php, etc.). They then open their “image” (shell) in a separate tab and log into their shell. Next they select a target such as index.html, copy and paste their .html source code into the respective field, and press “add defacement”. Finally, they navigate to the home page and watch as the home page of the site has now been replaced with their .html page.
So are web defacements targeted attacks? No, at least not most of the time. Most of the time the script kiddie is using a technique called “Google Dorking” to locate vulnerable websites that match their dork.
Examples of Google dorks:
inurl:admin/index.php
inurl:administrator.php
inurl:administrator.asp
inurl:adminlogin.aspx
As you can see, the Google dorks are looking for URLs that contain “admin.aspx”, “Login”, “Admin panel”, etc. This tells Google to return indexed websites with these URLs, throwing back results for exposed administration panels. Most of the Google dorks are outdated in terms of their design and security.
SQLi (SQL injection) is used to bypass the login. An example of a SQLi payload is 1'or'1'='1. If one equals one, the condition is true and the result is returned. So the next step is to copy and paste the SQL injection into the admin panel and hope (hackers don't hope) that it bypasses the login. A SQL injection attack takes advantage of a vulnerability in a web application that allows hackers to modify the queries that are being executed on the underlying database. Web applications that directly execute user input as part of a query are the ones that fall prey to SQL injection. This allows attackers to execute malicious queries, also known as malicious payloads, on database servers.
Local file inclusion is used to upload a shell.php file to the website so that the hacker can upload their .html defacement page.
What you’ll need to perform a website defacement:
Google Dork
SQLi payloads
Shell.php
file.html
In conclusion, web defacements are not impressive, take literally no skill, and are frowned upon among other hackers. The real hackers are the ones who develop the web shells that the script kiddies use to copy and paste code into. You can go to sites like zone-h, where these individuals fight to see who can deface the most websites.
Another common way to deface sites is XSS, but we won't talk about cross-site scripting in this article.
HackThisSite is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.