OWASP Periodic Table of Vulnerabilities - Content Spoofing

Return to Periodic Table Working View

Root Cause Summary
The application displays user-defined content in the URL or page body in a way that makes it appear to be legitimate site content.

Browser / Standards Solution
Define a new 40X status code that can be used instead of the current strategy employed by many sites of using a 200 response code for missing content or a 30x redirect, which is handled in the following way:


 * The URL bar is overwritten with the contents of the Location header, which is restricted to a URL from the same origin as the original request.
 * The response body specified by the server is displayed. If not specified, the browser substitutes a generic 404 page.

Perimeter Solution
None

Generic Framework Solution
None

Custom Framework Solution
The framework must clearly segregate user-defined content from site-defined content.

Custom Code Solution
None

Discussion / Controversy
Some argue that the information leakage risk of replying with 404 for missing content vs. 200 for actual content is significant. Replying with 200 for everything may have SEO implications.