We have witnessed website defacement attacks by both state-sponsored and non-state hackers against Indian government and business websites when the Indian Armed Forces launched Operation Sindoor to respond to the terrorist attack at Pahalgam.

In the ever-evolving landscape of cybersecurity threats, website defacement remains one of the most visible and symbolic forms of attack. Unlike stealthy breaches aimed at stealing data, defacement is loud, public, and often meant to embarrass or deliver a message. It’s the digital equivalent of spray-painting a message across a billboard; in this case the billboard would be a globally-accessible web portal.

In such tense times, it becomes vital for organisations to ensure their websites are protected against attacks. In this blog, we’ll break down the most common vulnerabilities attackers exploit to deface websites or host malware, their Tactics Techniques and Procedures, and mitigations against such attacks. This is important for fullstack developers and maintainers of website infrastructure.

The most common vulnerabilities the attacker exploits to compromise a website are (in no particular order):

• Brute-force Attack
• SQL Injection
• Cross-Site Scripting
• HTML Injection
• Template Injection
• Remote File Inclusion
• Misconfigured Server Security 
• Directory Traversal & File Overwrite
• CSS Injection
• HTTP PUT Method
• Vulnerable Third-Party Components

Brute-force Attack

The attacker tries to brute-force the credentials of the site administrator on the target website. The common attack vectors are login pages, exposed services such as SSH, FTP and RDP, XML-RPC in WordPress-based websites. 

This can be prevented by implementing following security measures:

1. Ensure authorized access – Ensure that the access to the administrator interface is restricted to authorized users and IP address.
2. Use a strong password policy – Enforce strict password policy, i.e. long, complex passwords with symbols, numbers, and mixed cases.
3. Limit Login Attempts – Use rate limiting or lock out IPs after multiple failed logins.
4. Multi Factor Authentication (MFA) – Use multifactor (aka two-factor) authentication for login.
5. Disable unwanted services – Disable or restrict the services that are no longer required immediately and restrict access only to authorised users.
6. Disable XML-RPC service – Disable or restrict XML-RPC.php if not needed.

SQL Injection

The attacker tries to target the databases of the website by manipulating input data to gain administrative access or alter the content stored in the database, including headlines, homepage text, or banners which are retrieved from the database in some cases. This type of attack occurs when user input is improperly or inadequately sanitized and passed directly into SQL queries, allowing attackers to inject malicious SQL code that the database then blindly executes.

The preventive methods for SQL injection are:

1. Use Prepared Statements / Parameterized Queries – This ensures user input is treated only as data and never as code when the application interacts with the database.
2. Input Validation & Escaping – Validate input types, lengths and escape characters.
3. Error Message Handling – Suppress detailed SQL errors from being displayed to users, since these can give attackers hints about the backend techstack.

Cross-Site Scripting

Cross-Site Scripting (XSS) is a type of injection attack where malicious scripts are inserted into the websites. This occurs when an attacker is able to execute a script (stored/reflected) on a webpage which might load a pop up or replaces parts of the page (like headers, content blocks) with messages like “Hacked by XYZ” or an attacker loads external content over the original page, tricking users into thinking the site was defaced or compromised. This can also be used to steal session cookies if they are not configured securely.

Following are the prevention methods for the cross-site scripting attacks-

1. Content Security Policy (CSP) – Use CSP security header to  prevent the browser from executing unauthorized scripts.
2. Input Validation and Sanitization –  Validate input types (e.g., numbers, emails) and sanitize inputs to remove scripts or HTML tags.
3. Output Encoding – Encode output based on its context (HTML, JavaScript, URL, etc.) to prevent execution.

HTML Injection

HTML injection is a technique that allows an attacker to inject raw HTML code into the webpage, often through unsanitized user input, by altering the page’s structure or content like injecting large banners, messages, or altered fonts/colors to simulate defacement, which is then reflected directly on the webpage.

The prevention methods for this kind of attack include:

1. Content Security Policy (CSP) – Even for HTML injection, a CSP security header can prevent the inclusion of third-party content or resources.
2. HTML Encoding – All user input should be encoded before rendering.

Template Injection

Template Injection is a powerful exploit of a server-side vulnerability, occurring when untrusted user input is rendered by a web application within a server-side template engine without proper sanitization. When forms or URLs are dynamically included in templates without sanitization, the attackers can hijack them to rewrite how a page looks or behaves.

Some prevention methods are listed below:

1. Never Trust User Input in Templates – Avoid passing raw user input directly into the template context.
2. Use Safe Rendering Functions – Most frameworks offer “safe mode” or sandboxed rendering.
3. Content Security Policy (CSP) – While CSP can’t stop server-side template injection, it can reduce the impact by blocking injected scripts from executing in the browser.
4. Update Template Engines – Keep your template engine up to date, as security patches are frequently released for known bypass techniques.

Remote File Inclusion 

Remote File Inclusion (RFI) is the exploitation of a critical web vulnerability that allows an attacker to include and execute malicious code hosted on a remote server. It typically targets insecure functions such as include() or require() (functions in scripting languages like PHP), where user input is not properly sanitized.

In an RFI attack, a hacker tricks the website into loading a malicious script directly from an external URL. Once included, this script executes on the victim server with the same privileges as the web server.

To prevent this attack, the below listed methods can be implemented:

1. Never Pass User Input to Rendering Functions – Ensure that user input is sanitised before it is passed to the application
2. Avoid the use of rendering functions such as include() or require() which are known to be vulnerable to RFI attack. If unavoidable, at least disable allow_url_include in the php.ini.
3. Use a Web Application Firewall (WAF) –  This can detect known RFI patterns like http:// in URL parameters.

Misconfigured Server Security

When servers are improperly set up, whether through lax permissions, exposed directories, default credentials, or default configurations, the attackers can exploit these weaknesses to deface the website. Unlike code-based vulnerabilities, these flaws stem from infrastructure-level mistakes, often committed during setup or maintenance. 

Common attack vectors that enable defacement are:

• Publicly Accessible Admin Panels
• Directory Listing Enabled
• Outdated Software / Unpatched Systems
• Exposed Configuration Files

Here is a list of methods to help prevent exploitation of these weaknesses:

1. Restrict Admin Interfaces – Use IP whitelisting for sensitive control panels.
2. Disable Directory Listing – Disable the listing of directory in your server to deny directory browsing.
3. Outdated Software & Unpatched Services – Regularly patch the OS, web server, and installed packages. These updates contain security patches for known vulnerabilities which attackers would try to exploit.
4. Restrict Configuration Files Access – Disallow Access to Config Files via .htaccess or Server Rules.

Directory Traversal & File Overwrite

Directory Traversal (aka Path Traversal) is a critical vulnerability where attackers manipulate file paths in user inputs to navigate outside the intended directory structure. When this is combined with a file upload or overwrite flaw, it becomes a potent weapon for website defacement.

An attacker supplies a “../” sequence in input fields to break out of the web root directory. If a site has an insecure upload feature, it can overwrite the homepage effectively defacing the website. This vulnerability could also lead to unauthorised information disclosure.

This can be prevented using the below listed methods:

1. Sanitize File Paths – Never accept raw user input for file access or storage locations.
2. Whitelist Upload Locations – Lock uploads to a dedicated directory outside of sensitive folders.
3. Use Secure File Upload Libraries – Use libraries that enforce extension checks and restrict file paths.
4. Validate Filenames – Reject any filename that includes unexpected characters such as slashes, dots (../), etc.
   

CSS Injection

CSS Injection is a front-end vulnerability where attackers inject malicious Cascading Style Sheets (CSS) into a website, usually by exploiting input fields or URL parameters that are reflected in the page without proper sanitization. 

Some common CSS injection points into a website are:

• Search boxes / query parameters
• Comments or profile descriptions
• Feedback or contact forms
• URL fragments (#) and reflected GET parameters
• CMS plugins that improperly display content

Common prevention methods for this kind of attack are:

1. Sanitize Input on Both Client and Server – Server-side filtering is a must, but consider using front-end sanitization too for redundancy.
2. Whitelist Input Content – For comments, profiles, or bio-data, allow only plain text or a safe subset of HTML (like <strong>, <em>).
3. Always Escape HTML Output – Use proper encoding for user-generated content. Never allow raw <style> tags or CSS code in user input.
4. Audit Third-Party Plugins or CMS Themes – Many defacements occur through poorly-coded CMS plugins or themes that don’t sanitize user input properly.

HTTP PUT Method

The HTTP PUT method is designed to allow a client to upload or replace resources on a web server. If an attacker finds that your server allows PUT requests without authentication, they can upload arbitrary files including a custom index.html with a defacement message.

To prevent this attack, following methods can be implemented:

1. Disable PUT Method – Disable or restrict PUT method for unauthorized uploads on the server.
2. File Permission Hardening –  Even if PUT is enabled, use filesystem permissions to prevent writing to sensitive areas like /var/www/html.

Vulnerable Third-Party Components

These are software libraries, dependencies and frameworks that have known security flaws making them susceptible to attacks. Exploitation can happen if developers have integrated vulnerable third-party dependencies.

The attack vectors for this vulnerability are:

• CMS platforms (e.g. WordPress, Joomla, Drupal)
• Plugins and themes (e.g. outdated WordPress page builders or file managers)
• JavaScript libraries (e.g. jQuery, AngularJS)
• Backend packages (e.g. PHP modules, Python packages)

Prevention of these attack types lies in updating or patching the libraries or dependencies to the latest version:

1. Keep All Dependencies Updated – Enable auto-updates where possible (especially in WordPress).
2. Use Trusted Repositories Only – Avoid plugins/themes from shady websites offering pirated versions.
3. Enable File Integrity Monitoring – Use tools that alert you when files are modified unexpectedly (e.g. Wordfence, Tripwire).
4. Latest Patches – Do have a patch management process to ensure all components are patched on time.

Handling Of Authentication Credentials and Personally Identifiable Information (PII)

This section provides important guidelines on how to securely handle authentication credentials. Some points you need to take into account are:

1. Never hardcode credentials in your source code.
2. Ensure that the credentials and Personally Identifiable Information(PII) are encrypted while in transit.
3. Use encrypted storage (e.g. AES) if PII / credentials must be stored. 
4. Implement strict password policy.
5. Always hash the password before storing it into the database.
6. Salt the password with a random string before hashing it to make it harder for an attacker to crack and also to prevent leakage of user passwords in plain text.
7. Avoid logging credentials or sensitive data in log files.
8. Implement session timeout after a period of inactivity.

These are just a few of the known weaknesses that could make your website and its users a prime target. In addition to securing websites, employees and users need to be made aware of various security threats targeting them. We have also published a blog to protect mobile users against such attacks.

Admins and fullstack developers can also opt for various professional web protection services, including VAPT, to defend robustly against such attacks.

Let’s be resilient and vigilant against such attacks, especially in these tense times.