Virual defacement allows attacker to display any message of his choice in ikus060/rdiffweb
Sep 22nd 2022
This attack involves injecting malicious data into a page of a web application to feed misleading information to users of the application. This kind of attack is known as virtual defacement because the actual content hosted on the target's web server is not modified. The defacement is generated solely because of how the application processes and renders user-supplied input.
Proof of Concept
- Go to https://rdiffweb-demo.ikus-soft.com
- Login using the credentials - admin , admin123
- Visit url : https://rdiffweb-demo.ikus-soft.com/This website has been hacked and the confidential data of all users have been compromised and leaked to public . You can craft your personal message here .
- Your message "This website has been hacked and the confidential data of all users have been compromised and leaked to public" will be displayed
Attack Scenario: Attacker constructs a malicious message.Attackers start posting this URL everywhere on social media. The message might get the attention of the media and several people might believe the news to be true which will cause huge business reputation and monetary damage
A professionally crafted defacement, delivered to the right recipients in a convincing manner, could be picked up by the news media and have real-world effects on people's behavior, stock prices, and so on, to the attacker's financial benefit.