Content spoofing, also known as virtual defacement or content injection, is an attack that targets a user through a web application injection vulnerability. If an application does not handle user supplied data properly, content can be supplied by an attacker to a web application, generally via a parameter value, which reflects back to the user. This way, a modified page is presented to the user, in the background of a trusted domain.
This attack is normally used as, in combination with social engineering, as the attack is misusing a code-based vulnerability and the user’s trust.
Also called as text based injection, content spoofing reflects user supplied data and delivers (displays) it on browser. It seems to be part of an application message. This occurs due to false handle user supplied data and delivers it in a way that seems rendered by an application. This way, a page that is already present in a trusted domain, can be modified by an attacker (valid application URL) and the URL can be sent to the victim.
Content Spoofing vs. Cross-site Scripting
Even if web applications use XSS mitigation techniques, such as output encoding, the application is still vulnerable to text-based spoofing attacks.
Content Spoofing Attacks Can Be Demonstrated by the following Examples
- HTML (hypertext markup language) injection. Following is a possible attack scenario.
- Attacker first finds a site that is vulnerable to HTML injection.
- The user of the website is sent a URL with a malicious code, by the attacker, through an email or social networking site.
- As the page is located in a trusted domain, the user will visit the page.
- When the page is accessed by the victim, the injected HTML code is delivered and presented to the user, inquiring about the username and password.
- The username and password are then sent to the attacker’s server.
Another example is to present wrong information to a user through text manipulation. Following is an attack scenario. For this scenario, we should assume proper output encoding has been implemented and that XSS is not possible:
- A web application that gives guidance to its users on whether a particular stock should be bought or sold,is identified by the attacker.
- A vulnerable parameter is identified by an attacker.
- A malicious link is crafted by an attacker, by marginally modifying a valid request.
- The modified request link is sent to a user and they click on the link.
- Using the attacker’s malicious recommendations, a valid webpage is created, and the user thinks that the recommendation was from the stock website.