Effective URL: http://projects.webappsec.org/w/page/13246917/Content%20Spoofing

 * The Web Application Security Consortium
CONTENT SPOOFING

Page history last edited by Robert Auger 14 years ago



Project: WASC Threat Classification

Threat Type: Attack

Reference ID: WASC-12

 

 


CONTENT SPOOFING

Content Spoofing is an attack technique that allows an attacker to inject a
malicious payload that is later misrepresented as legitimate content of a web
application.

 


TEXT ONLY CONTENT SPOOFING

A common approach to building pages dynamically is to pass the page body, or
portions of it, into the page through a query string value. This approach is
common on error pages and on sites that serve story or news entries. The content
supplied in that parameter is later reflected into the page as its content.

 

Example:

http://foo.example/news?id=123&title=Company+y+stock+goes+up+5+percent+on+news+of+sale

 

The "title" parameter in this example specifies the content that will appear in
the HTML body for the news entry. If an attacker were to replace this content
with something more sinister, they might be able to falsify statements on the
destination website.

 

Example:

http://foo.example/news?id=123&title=Company+y+filing+for+bankruptcy+due+to+insider+corruption,+investors+urged+to+sell+by+finance+analysts...

 

Upon visiting this link the user would believe the content being displayed is
legitimate. In this example the falsified content is reflected directly back on
the same page; however, the payload may also persist and be displayed on a
future page visited by that user.
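As an added example (not code from the WASC page), here is one way the "news" application above could refuse a forged title: the site signs the id and title with an HMAC when it generates the link, and verifies that signature before reflecting the value. SECRET_KEY, the function names and the fallback message are assumptions.

```python
# Added example, not part of the original page: only render a reflected
# "title" when the site itself produced it. Links carry an HMAC over both
# id and title; a forged title (or an altered id) fails verification.
import hmac
import hashlib
import html
from urllib.parse import urlencode, parse_qs

SECRET_KEY = b"replace-with-a-server-side-secret"  # constructed placeholder


def _mac(news_id: str, title: str) -> str:
    # Length-prefix each field so that moving characters between the two
    # fields cannot produce the same message.
    msg = f"{len(news_id)}:{news_id}:{len(title)}:{title}".encode("utf-8")
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_news_link(news_id: str, title: str) -> str:
    """Build the link the site would emit, signed over id and title."""
    q = urlencode({"id": news_id, "title": title, "sig": _mac(news_id, title)})
    return "http://foo.example/news?" + q


def render_title(query_string: str) -> str:
    """Return the HTML fragment for the title, trusting it only if signed."""
    q = parse_qs(query_string)
    news_id = q.get("id", [""])[0]
    title = q.get("title", [""])[0]
    sig = q.get("sig", [""])[0]
    # Constant-time comparison; compare bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(sig.encode("utf-8"), _mac(news_id, title).encode()):
        return "<h1>News item unavailable</h1>"
    # Escaping still matters for markup; the signature is what stops spoofing.
    return f"<h1>{html.escape(title)}</h1>"


if __name__ == "__main__":
    link = make_news_link("123", "Company y stock goes up 5 percent on news of sale")
    print(render_title(link.split("?", 1)[1]))
    # A rewritten title keeps the old signature, so it is rejected.
    forged = link.replace("stock+goes+up", "filing+for+bankruptcy")
    print(render_title(forged.split("?", 1)[1]))
```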

 


MARKUP REFLECTED CONTENT SPOOFING

Some web pages are served using dynamically built HTML content sources. For
example, the source location of a frame (<frame
src="http://foo.example/file.html">) could be specified by a URL parameter
value (http://foo.example/page?frame_src=http://foo.example/file.html). An
attacker may be able to replace the "frame_src" parameter value with
"frame_src=http://attacker.example/spoof.html". Unlike redirectors [4], when the
resulting web page is served the browser location bar visibly remains under the
domain the user expects (foo.example), while the foreign data (attacker.example)
is shrouded by legitimate content.

 

Specially crafted links can be sent to a user via e-mail, instant messages, left
on bulletin board postings, or forced upon users by a Cross-site Scripting
attack [5]. If an attacker gets a user to visit a web page designated by their
malicious URL, the user will believe he is viewing authentic content from one
location when he is not. Users will implicitly trust the spoofed content since
the browser location bar displays http://foo.example, when in fact the
underlying HTML frame is referencing http://attacker.example.

 

This attack exploits the trust relationship established between the user and the
web site. The technique has been used to create fake web pages including login
forms, defacements, false press releases, etc.

 

 


EXAMPLE

Creating a spoofed press release. Let's say a web site uses dynamically created
HTML frames for its press release web pages. A user would visit a link such as
(http://foo.example/pr?pg=http://foo.example/pr/01012003.html). The resulting
web page HTML would be:

Code Snippet:

<HTML>
<FRAMESET COLS="100, *">
<FRAME NAME="pr_menu" src="menu.html">
<FRAME NAME="pr_content" src="http://foo.example/pr/01012003.html">
</FRAMESET>
</HTML>

 

The "pr" web application in the example above creates the HTML with a static
menu and a dynamically generated FRAME SRC. The "pr_content" frame pulls its
source from the URL parameter value of "pg" to display the requested press
release content. But what if an attacker altered the normal URL to
http://foo.example/pr?pg=http://attacker.example/spoofed_press_release.html?
Without properly validating the "pg" value, the resulting HTML would be:

Code Snippet:

<HTML>
<FRAMESET COLS="100, *">
<FRAME NAME="pr_menu" src="menu.html">
<FRAME NAME="pr_content" src="http://attacker.example/spoofed_press_release.html">
</FRAMESET>
</HTML>

 

To the end user, the "attacker.example" spoofed content appears authentic and
delivered from a legitimate source. It is important to understand that if you
are vulnerable to Cross-Site Scripting (XSS) you are likely vulnerable to
content spoofing. Additionally, you can be protected from XSS and still be
vulnerable to Content Spoofing.
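One way the "pr" application above could validate the "pg" value before emitting the frame, as an added example that is not the page's own code: the frame is only ever allowed to point into the site's own press-release directory, and look-alike hosts, credential tricks, protocol-relative URLs and encoded path traversal all fall back to a fixed page. SITE_HOST, ALLOWED_PREFIX, DEFAULT_PAGE and the function names are assumptions.

```python
# Added example, not part of the original page: allowlist check for the
# "pg" frame-source parameter of the press-release ("pr") application.
import posixpath
from urllib.parse import urlsplit, urljoin, unquote, quote

SITE_HOST = "foo.example"                            # assumed host of "pr"
ALLOWED_PREFIX = "/pr/"                              # assumed release directory
DEFAULT_PAGE = "http://foo.example/pr/index.html"    # assumed safe fallback


def safe_frame_src(pg: str) -> str:
    """Return the frame src to emit for pg, or DEFAULT_PAGE if pg is untrusted."""
    # Resolve relative values ("01012003.html", "//host/x") against the site
    # first, so every candidate is inspected as an absolute URL.
    parts = urlsplit(urljoin(f"http://{SITE_HOST}/pr/", pg))
    # Compare the whole authority: "foo.example@attacker.example",
    # "foo.example.attacker.example" and "foo.example:8080" are all rejected.
    if parts.scheme != "http" or parts.netloc.lower() != SITE_HOST:
        return DEFAULT_PAGE
    # Decode, then collapse "." and ".." before the prefix check, so that
    # "/pr/../other.html" and "/pr/%2e%2e/other.html" cannot leave the directory.
    path = posixpath.normpath(unquote(parts.path))
    if not path.startswith(ALLOWED_PREFIX) or not path.endswith(".html"):
        return DEFAULT_PAGE
    # Re-encode so a decoded quote or space cannot break out of the attribute.
    return f"http://{SITE_HOST}{quote(path)}"


def render_frameset(pg: str) -> str:
    """Build the frameset from the example above with a checked content frame."""
    return (
        '<HTML>\n<FRAMESET COLS="100, *">\n'
        '<FRAME NAME="pr_menu" src="menu.html">\n'
        f'<FRAME NAME="pr_content" src="{safe_frame_src(pg)}">\n'
        "</FRAMESET>\n</HTML>"
    )


if __name__ == "__main__":
    print(render_frameset("http://foo.example/pr/01012003.html"))
    print(render_frameset("http://attacker.example/spoofed_press_release.html"))
```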


 


REFERENCES

[1] "A new spoof: all frames-based sites are vulnerable", SecureXpert Labs
http://tbtf.com/archive/11-17-98.html#s02

[2] "Chapter 7 of 'Preventing Web Attacks with Apache'", Ryan Barnett
http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1170472,00.html

[3] "Wired.com Image Viewer Hacked to Create Phony Steve Jobs Health Story"
http://blog.wired.com/business/2009/01/wiredcom-imagev.html

[4] "URL Redirector Abuse", WASC Threat Classification
http://projects.webappsec.org/URL-Redirector-Abuse

[5] "Cross-site Scripting", WASC Threat Classification
http://projects.webappsec.org/Cross-Site-Scripting
