
Content Spoofing - How users are tricked into believing that certain content appearing on a web site is legitimate

Category: Privacy
Published: 02/02/2007, 12:02  
Editor: Security Software Zone
 

Content Spoofing is an attack technique used to trick a user into believing that certain content appearing on a web site is legitimate and not from an external source.

Some web pages are served using dynamically built HTML content sources. For example, the source location of a frame could be specified by a URL parameter value: http://foo.example/page?frame_src=http://foo.example/file.html. An attacker may be able to replace the "frame_src" parameter value with "frame_src=http://attacker.example/spoof.html". When the resulting web page is served, the browser location bar visibly remains under the user-expected domain (foo.example), but the foreign data (attacker.example) is shrouded by legitimate content. Specially crafted links can be sent to a user via e-mail, instant messages, left on bulletin board postings, or forced upon users by a Cross-site Scripting attack.

If an attacker gets a user to visit a web page designated by their malicious URL, the user will believe he is viewing authentic content from one location when he is not. Users will implicitly trust the spoofed content since the browser location bar displays http://foo.example, when in fact the underlying HTML frame is referencing http://attacker.example. This attack exploits the trust relationship established between the user and the web site.

The technique has been used to create fake web pages including login forms, defacements, false press releases, etc.

Example

Creating a spoofed press release. Let's say a web site uses dynamically created HTML frames for its press release web pages. A user would visit a link such as http://foo.example/pr?pg=http://foo.example/pr/01012003.html. The resulting web page HTML would be:

Code Snippet:

The "pr" web application in the example above creates the HTML with a static menu and a dynamically generated FRAME SRC. The "pr_content" frame pulls its source from the URL parameter value of "pg" to display the requested press release content. But what if an attacker altered the normal URL to http://foo.example/pr?pg=http://attacker.example/spoofed_press_release.html? Without proper sanity checking of the "pg" value, the resulting HTML would be:

Code Snippet:

To the end user, the "attacker.example" spoofed content appears authentic and delivered from a legitimate source.
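
The press release case above, as an added sketch that is not code from the original article: the unchecked rendering the text describes, next to a version that validates "pg" before it reaches FRAME SRC. The frameset markup, the "pr_menu" frame, "menu.html", the fallback page and the allowed "/pr/" path are assumptions made for illustration.

```python
from html import escape
from urllib.parse import unquote, urlsplit

# Assumptions for this sketch: press releases are served from this origin and path.
ALLOWED_SCHEME, ALLOWED_HOST, ALLOWED_PREFIX = "http", "foo.example", "/pr/"
DEFAULT_PAGE = "http://foo.example/pr/index.html"  # hypothetical fallback page

# Constructed markup: a static menu frame plus the dynamic "pr_content" frame.
# "pr_menu" and "menu.html" are illustrative names, not taken from the article.
FRAMESET = (
    '<HTML><FRAMESET COLS="100, *">\n'
    '<FRAME NAME="pr_menu" SRC="menu.html">\n'
    '<FRAME NAME="pr_content" SRC="{src}">\n'
    "</FRAMESET></HTML>"
)


def render_vulnerable(pg: str) -> str:
    """Behaviour the article describes: "pg" is copied into FRAME SRC unchecked."""
    return FRAMESET.format(src=pg)


def is_allowed_source(pg: str) -> bool:
    """Accept only URLs on the site's own origin, under the press-release path."""
    # Backslashes, whitespace and control characters are parsed inconsistently.
    if any(ch == "\\" or ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in pg):
        return False
    try:
        parts = urlsplit(pg)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != ALLOWED_SCHEME or parts.hostname != ALLOWED_HOST:
        return False
    if parts.username is not None or parts.password is not None or port not in (None, 80):
        return False
    path = unquote(parts.path)  # decode %2e%2e before looking for dot segments
    return path.startswith(ALLOWED_PREFIX) and ".." not in path.split("/")


def render_hardened(pg: str) -> str:
    """Fall back to a fixed page on a bad "pg"; HTML-escape the value either way."""
    src = pg if is_allowed_source(pg) else DEFAULT_PAGE
    return FRAMESET.format(src=escape(src, quote=True))


if __name__ == "__main__":
    print(render_hardened("http://attacker.example/spoofed_press_release.html"))
```

A stricter design accepts only a press release identifier (for example "01012003") and builds the frame URL on the server, so no client-supplied URL reaches the frame at all.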
