Security Software Zone Security Software Zone
Home Contact Us
Search in
Forum SecurityToolbox Submit Software
Security Software Zone Login
Security Software Categories
News - Articles - Reviews
Free Newsletter
Join our mailing list and receive
security software news and
advice from our experts.
Submit
  Security Software Zone » Software Reviews » Privacy » Content Spoofing - How users are tricked into believing that certain content appearing on a web site is legitimate

Content Spoofing - How users are tricked into believing that certain content appearing on a web site is legitimate
Category: Privacy
Published: 02/02/2007, 12:02  
Editor: Security Software Zone
 
Print article
Send to a friend
Search in reviews

Content Spoofing is an attack technique used to trick a user into believing that certain content appearing on a web site is legitimate and not from an external source.

Some web pages are served using dynamically built HTML content sources. For example, the source location of a frame could be specified by a URL parameter value; http://foo.example/page?frame_src=
http://foo.example/file.html An attacker may be able to replace the "frame_src" parameter value with "frame_src=http://attacker.example/spoof.html". When the resulting web page is served, the browser location bar visibly remains under the user expected domain (foo.example), but the foreign data (attacker.example) is shrouded by legitimate content. Specially crafted links can be sent to a user via e-mail, instant messages, left on bulletin board postings, or forced upon users by a Cross-site Scripting attack.

If an attacker gets a user to visit a web page designated by their malicious URL, the user will believe he is viewing authentic content from one location when he is not. Users will implicitly trust the spoofed content since the browser location bar displays http://foo.example, when in fact the underlying HTML frame is referencing http://attacker.example. This attack exploits the trust relationship established between the user and the web site.

The technique has been used to create fake web pages including login forms, defacements, false press releases, etc. Example Creating a spoofed press release. Lets say a web site uses dynamically created HTML frames for their press release web pages. A user would visit a link such as: (http://foo.example/pr?pg=
http://foo.example/pr/01012003.html). The resulting web page HTML would be: Code Snippet: The "pr" web application in the example above creates the HTML with a static menu and a dynamically generated FRAME SRC. The "pr_content" frame pulls its source from the URL parameter value of "pg" to display the requested press release content. But what if an attacker altered the normal URL to: http://foo.example/pr?pg=http://attacker.example/spoofed_press_release.html? Without properly sanity checking the "pg" value, the resulting HTML would be: Code Snippet:

To the end user, the "attacker.example" spoofed content appears authentic and delivered from a legitimate source.
Bookmark to:
Add 'Content Spoofing - How users are tricked into believing that certain content appearing on a web site is legitimate' to Del.icio.us Add 'Content Spoofing - How users are tricked into believing that certain content appearing on a web site is legitimate' to digg Add 'Content Spoofing - How users are tricked into believing that certain content appearing on a web site is legitimate' to FURL Add 'Content Spoofing - How users are tricked into believing that certain content appearing on a web site is legitimate' to reddit Add 'Content Spoofing - How users are tricked into believing that certain content appearing on a web site is legitimate' to Technorati Add 'Content Spoofing - How users are tricked into believing that certain content appearing on a web site is legitimate' to Yahoo My Web Add 'Content Spoofing - How users are tricked into believing that certain content appearing on a web site is legitimate' to Stumble Upon Add 'Content Spoofing - How users are tricked into believing that certain content appearing on a web site is legitimate' to Google Bookmarks Add 'Content Spoofing - How users are tricked into believing that certain content appearing on a web site is legitimate' to RawSugar Add 'Content Spoofing - How users are tricked into believing that certain content appearing on a web site is legitimate' to Squidoo Add 'Content Spoofing - How users are tricked into believing that certain content appearing on a web site is legitimate' to Spurl Add 'Content Spoofing - How users are tricked into believing that certain content appearing on a web site is legitimate' to Netvouz Add 'Content Spoofing - How users are tricked into believing that certain content appearing on a web site is legitimate' to Rojo Add 'Content Spoofing - How users are tricked into believing that certain content appearing on a web site is legitimate' to Bloglines Add 'Content Spoofing - How users are tricked into believing that certain content appearing on a web site is legitimate' to Tailrank

Add a comment for this review

Security Software Zone is not responsible for the content of these User comments.

The views and opinions expressed are those of the individual poster and not the Security Software Zone. Security Software Zone reserves the right to remove offensive or inappropriate messages. If you would like to post your own opinion please fill the fields below.  Maximum length 1250 characters.
Name
Subject
Text from the image
Comment
Submit
Sponsored


Copyright © 2007 Security Software Zone. All Rights Reserved. Forum Submit Software Site Map
Our websites: Titan Backup Software Invisible Secrets Encryption Software System LifeGuard Cleaner
AlphaZip Compression Tool SafeBit Disk Encryption Security Software Zone PC District