Content Spoofing

Description

Content spoofing, also referred to as content injection, “arbitrary text injection” or virtual defacement, is an attack against a user that is made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply content, typically via a parameter value, that the application reflects back to the user. The victim is then shown a modified page under the context of the trusted domain. The attack is typically used as, or in conjunction with, social engineering, because it exploits both a code-level vulnerability and the user's trust in the site. Note that this class of bug is widely dismissed as having no impact; that view underestimates it, since the injected text carries the credibility of the domain that serves it.
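The following is an added example, not code from the original page or from OWASP: a hypothetical support page that reflects a `message` query parameter, shown in three forms. The first reflects the value verbatim, the second HTML-escapes it, and the third only accepts a key into a server-side allowlist of messages. The point it demonstrates is that output encoding, the usual fix for XSS, does not stop content spoofing: the attacker's plain text still appears under the trusted domain. The host `bank.example`, the template, the message keys and the spoofed text are all constructed for illustration.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical page template shared by the three handlers below.
TEMPLATE = (
    "<html><body><h1>Account Support</h1>"
    "<p class=\"notice\">{message}</p></body></html>"
)


def _param(url: str, name: str) -> str:
    """Return the first value of query parameter `name`, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects ?message= verbatim: vulnerable to both XSS and content spoofing."""
    return TEMPLATE.format(message=_param(url, "message"))


def render_escaped(url: str) -> str:
    """HTML-escapes the reflected value. This stops XSS (markup is neutralised)
    but the attacker's text is still rendered on the page under the trusted domain,
    so content spoofing remains possible."""
    return TEMPLATE.format(message=html.escape(_param(url, "message")))


# Hardened form: the parameter selects a server-side message by key, so
# free-form user text never reaches the page at all.
NOTICES = {
    "login_failed": "Incorrect username or password.",
    "session_expired": "Your session has expired. Please sign in again.",
}
DEFAULT_NOTICE = "Something went wrong. Please try again."


def render_hardened(url: str) -> str:
    """Looks the parameter up in an allowlist; unknown keys fall back to a fixed notice."""
    return TEMPLATE.format(message=NOTICES.get(_param(url, "message"), DEFAULT_NOTICE))


# Constructed example URLs (host, phone number and wording are made up).
SPOOF_TEXT = "Our systems were compromised. Call +1-555-0100 now to secure your funds."
SPOOF_URL = "https://bank.example/support?message=" + quote(SPOOF_TEXT)
XSS_URL = "https://bank.example/support?message=" + quote("<script>alert(1)</script>")

if __name__ == "__main__":
    for name, render in (
        ("vulnerable", render_vulnerable),
        ("escaped", render_escaped),
        ("hardened", render_hardened),
    ):
        print(f"--- {name} ---")
        print(render(SPOOF_URL))
        print(render(XSS_URL))
```

Running the block prints the three renderings of each URL. The escaped handler is the one worth reading closely: an XSS scanner reports it clean, yet the fake breach notice is displayed word for word on the `bank.example` page. Only the allowlisted handler removes the attacker's control over what the page says.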

Risk Factors

Risk factors depend on the type of business the application serves. If the application's brand is well known and has major competitors, this issue can be abused by malicious competitors, disgruntled employees or unsatisfied customers to mass-distribute false messages to unsuspecting customers. The risk is heightened further if the crafted URLs can be seeded into search engines (SEO injection) so that the falsified messages are crawled and indexed and keep surfacing in search results.

As a result, customers could be driven to switch to a competitor's products, causing financial loss until the victim business rectifies the issue. For a publicly traded company, the share price may fall, potentially leading to uncontrolled losses running into millions.

[Image: Fake-text.png]

Attack Scenario

An attacker compromises social media accounts with thousands of followers and distributes a misleading content spoofing payload (a crafted URL on the trusted domain) via Twitter, Facebook, Instagram or a similar popular channel. Because the link points at the genuine site, media outlets may assume the news is correct and run headline stories on it.

Applicable Industries

  • A business entity selling one type of product as a major business function

For example, Taxi hailing business, Online shopping business, Online service business

  • A business entity relying on the brand name

For example, Cosmetic brand, Airline brand

Threat Agents

  • Malicious competitors
  • Disgruntled employees
  • Unsatisfied customers
  • Scammers

Content Spoofing vs. Cross-site Scripting

Content spoofing is an attack that is closely related to Cross-site Scripting (XSS). While XSS uses [https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet