Logo


1. Authentication
  1. Brute Force

  2. Insufficient Authentication

  3. Weak Password Recovery Validation

2. Authorization
  1. Credential/Session Prediction

  2. Insufficient Authorization

  3. Insufficient Session Expiration

  4. Session Fixation

3. Client-side Attacks
  1. Content Spoofing

  2. Cross-site Scripting

4. Command Execution
  1. Buffer Overflow
  2. Format String Attack
  3. LDAP Injection
  4. OS Commanding
  5. SQL Injection
  6. SSI Injection
  7. XPath Injection
5. Information Disclosure
  1. Directory Indexing

  2. Information Leakage

  3. Path Traversal

  4. Predictable Resource Location

6. Logical Attacks
  1. Abuse of Functionality

  2. Denial of Service

  3. Insufficient Anti-automation

  4. Insufficient Process Validation

Content Spoofing

Content Spoofing is an attack technique used to trick a user into believing that certain content appearing on a web site is legitimate and not from an external source. Some web pages are served using dynamically built HTML content sources. For example, the source location of a frame <frame src="http://foo.example/file.html"> could be specified by a URL parameter value. (http://foo.example/page?frame_src=http://foo.example/file.html). An attacker may be able to replace the "frame_src" parameter value with "frame_src=http://attacker.example/spoof.html". When the resulting web page is served, the browser location bar visibly remains under the user expected domain (foo.example), but the foreign data (attacker.example) is shrouded by legitimate content.

Specially crafted links can be sent to a user via e-mail, instant messages, left on bulletin board postings, or forced upon users by a Cross-site Scripting attack. If an attacker gets a user to visit a web page designated by their malicious URL, the user will believe he is viewing authentic content from one location when he is not. Users will implicitly trust the spoofed content since the browser location bar displays http://foo.example, when in fact the underlying HTML frame is referencing http://attacker.example.

This attack exploits the trust relationship established between the user and the web site. The technique has been used to create fake web pages including login forms, defacements, false press releases, etc.


Example
Creating a spoofed press release. Lets say a web site uses dynamically created HTML frames for their press release web pages. A user would visit a link such as: (http://foo.example/pr?pg=http://foo.example/pr/01012003.html). The resulting web page HTML would be: Code Snippet: <HTML> <FRAMESET COLS="100,*"> <FRAME NAME="pr_menu" SRC="menu.html"> <FRAME NAME="pr_content" SRC="http://foo.example/pr/01012003.html"> </FRAMESET> </HTML>
The "pr" web application in the example above creates the HTML with a static menu and a dynamically generated FRAME SRC. The "pr_content" frame pulls its source from the URL parameter value of "pg" to display the requested press release content. But what if an attacker altered the normal URL to:

http://foo.example/pr?pg=http://attacker.example/spoofed_press_release.html? Without properly sanity checking the "pg" value, the resulting HTML would be: Code Snippet: <HTML> <FRAMESET COLS="100,*"> <FRAME NAME="pr_menu" SRC="menu.html"> <FRAME NAME="pr_content" SRC=" http://attacker.example/spoofed_press_release.html"> </FRAMESET> </HTML>
To the end user, the "attacker.example" spoofed content appears authentic and delivered from a legitimate source.


References
"A new spoof: all frames-based sites are vulnerable" - SecureXpert Labs
http://tbtf.com/archive/11-17-98.html#s02

To receive your Free Application Vulnerability Assessment for testing of one attack vulnerability of your choice, please submit your payment of $99.00 for a second Content Spoofing attack vulnerability test.


Business Name:
Contact Information:
Email Address:
URL or IP adderss:
  

Other members of our business group:
Cloud-Security.us | US-scada.com

COPYRIGHT (C) 2000 - 2013 InfoSecPro.com ALL RIGHTS RESERVED