Website defacing

Using XSS to deface a website (change its visual appearance) is not a very common attack. Nonetheless, it can be done, especially for persistent vulnerabilities, and it can cause serious reputation damage for a company whose website has been defaced, even if no change is made to the server's files.

You can change a website's appearance with JavaScript in many ways. For example, inserting HTML elements such as div or iframe, replacing style values, changing image sources, and many other techniques can alter a website's appearance. You can also use the innerHTML property of the document's body to replace the entire HTML code of the page.

Mutillidae II has a DOM XSS test form that will help us test this. In the menu, go to OWASP 2013 | A3 - Cross-Site Scripting (XSS) | DOM Injection | HTML5 Storage. This demo application saves information to the browser's HTML5 storage, and it contains a number of vulnerabilities. Here we will focus on the fact that it reflects the key when an element is added to storage, as can be seen in the following screenshot:

The form has some level of sanitization, as the script tags don't get reflected:

After some trial and error with different injection strings, you will find that an img tag whose src points to a nonexistent image, so that its onerror handler fires, works:

<img src=x onerror="document.body.innerHTML='<h1>Defaced with XSS</h1>'">

Setting that code as the key of the new element and clicking on Add New displays the following:

As mentioned earlier, an attack like this will not change the files on the web server, and the changes will be visible only to those users who run the malicious script. When a persistent XSS is exploited, the defacement may affect a large number of users, as the attacker doesn't need to target every victim individually, as is the case with reflected and DOM-based XSS. Either way, this may lead users into giving sensitive information to attackers while thinking that they are submitting it to a legitimate website.
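The sanitization gap the form demonstrates (script tags are stripped, yet an img tag with an onerror handler is reflected intact) is why output encoding, not a tag blocklist, is the defence against this class of defacement. The following is an added example, not code from the book or from Mutillidae: a blocklist filter of the kind the form's behaviour suggests, beside HTML output encoding, both run over the payload quoted above; the function names and the detection regex are this example's own.

```javascript
// Added example (not from the book or Mutillidae): a <script>-only blocklist
// beside context-aware output encoding, applied to the payload from the text.

// Naive blocklist: removes <script> elements only. This is the class of
// filter the form's behaviour suggests (script tags are not reflected).
function stripScriptTags(untrusted) {
  return untrusted.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
                  .replace(/<\/?script\b[^>]*>/gi, '');
}

// Output encoding for an HTML text context: every character that could
// open a tag, attribute or entity becomes an entity, so the browser renders
// the stored key as text and never parses it as markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Conservative review/detection check for values about to be reflected:
// does the value still contain a tag carrying an inline on* event handler?
function containsEventHandlerMarkup(value) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(value);
}

// Constructed inputs: the payload shown in the text and a harmless key.
const DEFACE_PAYLOAD =
  '<img src=x onerror="document.body.innerHTML=\'<h1>Defaced with XSS</h1>\'">';
const BENIGN_KEY = 'favourite colour';

// Returns whether each defence leaves executable markup in the reflected value.
function compareDefences(value) {
  const blocklisted = stripScriptTags(value);
  const encoded = escapeHtml(value);
  return {
    blocklistStillDangerous: containsEventHandlerMarkup(blocklisted),
    encodedStillDangerous: containsEventHandlerMarkup(encoded),
    encoded,
  };
}

// Stand-alone run: the blocklist passes the img/onerror payload unchanged,
// the encoded form cannot be parsed as a tag, and the benign key is untouched.
for (const v of [DEFACE_PAYLOAD, BENIGN_KEY]) {
  console.log(JSON.stringify(compareDefences(v)));
}
```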
