OWASP Periodic Table of Vulnerabilities - Content Spoofing
Root Cause Summary
The application displays user-defined content in the URL or page body in a way that makes it appear to be legitimate site content.
Browser / Standards Solution
Define a new 40X status code that can be used instead of the current strategy employed by many sites of using a 200 response code for missing content or a 30x redirect, which is handled in the following way:
- The URL bar is overwritten with the contents of the Location header, which is restricted to a URL from the same origin as the original request.
- The response body specified by the server is displayed. If not specified, the browser substitutes a generic 404 page.
Generic Framework Solution
Custom Framework Solution
The framework must clearly segregate user-defined content from site-defined content.
Custom Code Solution
Discussion / Controversy
Some argue that the information leakage risk of replying with 404 for missing content vs. 200 for actual content is significant. Replying with 200 for everything may have SEO implications.