Content Spoofing (also known as Content Injection) is a common web security vulnerability. It allows an end user of a vulnerable web application to spoof or modify the actual content of a web page. The user can use security loopholes in the website to inject content of his/her choosing into the target website. When an application does not properly handle user-supplied data, an attacker can supply content to the web application, typically via a parameter value, that is reflected back to the user.
There are two basic kinds of injection possible here:
- Text Injection
- HTML Injection
Injecting text content
In some cases, the actual content to be displayed in the UI is passed via request parameters. For example, a simple login form will pass the request as given below,
You may have client-side validation to check whether the username and/or password is empty or not of the expected form, and based on that you may display a message in the UI saying that these fields cannot be empty. The problem arises when this message is appended as a request parameter like this,
Once the user sees this request, he/she may modify the message as he/she wishes, and that will be displayed on the screen. This type of injection can be done on any part of the site if a message is passed via request parameters. The greater the visibility of the injected text, the higher the chance of the site being affected when someone uses the loophole.
The site might be a credible website; the user might add offensive content and spread the link, and to the victim it looks as if the site owner has posted the offensive content.
HTML injection is similar to text injection and, as the name suggests, it allows HTML content to be injected. This is a relatively severe class of content spoofing vulnerability, as HTML makes it possible to make offensive content more visible than plain text does.
Injecting HTML content
Some sites also pass HTML content in request parameters. For example, in pop-ups or site banners, sites pass the actual HTML content in parameters and make it sit inside a div tag like,
The value of the parameter divMessage is made to sit inside a div and rendered as HTML without filtering. This is a serious vulnerability, and if exploited it could greatly damage the credibility of the site.
It is possible to modify it as,
https://www.testsite.com/setAdContent?divMessage=<marquee><h1>Don't Use this site</h1><marquee>
and your own site will have a scrolling message saying not to use it.
XSS Via HTML Injection
It will be something like this,
and your site is prone to cross-site scripting.
- Never construct and send error messages via request parameters.
- Prefer using messages predefined in a property file.
- Avoid passing HTML content via request parameters.
- If HTML content must be passed, encode/filter it before rendering it as HTML.
- Pass internal message keys to look up predefined message values, or unique IDs to identify the content to be displayed.
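The recommendations above, sketched in Python as an added example (not code from the original article). The `msgKey` parameter name, the message keys and the function names are assumptions; `divMessage` and the marquee markup come from the article.

```python
import html
from urllib.parse import parse_qs

# Predefined messages, standing in for a property file (keys are constructed).
MESSAGES = {
    "login.empty": "Username and password cannot be empty.",
    "login.invalid": "Invalid username or password.",
}
DEFAULT_MESSAGE = "Something went wrong. Please try again."


def first_param(query_string, name):
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def render_reflected(query_string):
    """Vulnerable pattern: the parameter value itself becomes page content."""
    return '<div class="msg">' + first_param(query_string, "divMessage") + "</div>"


def render_by_key(query_string):
    """Hardened: the parameter only selects one of the predefined messages."""
    key = first_param(query_string, "msgKey")  # hypothetical parameter name
    text = MESSAGES.get(key, DEFAULT_MESSAGE)  # unknown keys never reach the page
    return '<div class="msg">' + html.escape(text) + "</div>"


def render_encoded(query_string):
    """Encoding before rendering: stops HTML injection, but the text shown
    is still chosen by whoever built the link, so prefer render_by_key."""
    value = first_param(query_string, "divMessage")
    return '<div class="msg">' + html.escape(value, quote=True) + "</div>"


if __name__ == "__main__":
    # Constructed query string carrying the marquee markup from the article.
    injected = "divMessage=<marquee><h1>Don't Use this site</h1><marquee>"
    print(render_reflected(injected))  # markup reaches the browser as HTML
    print(render_encoded(injected))    # markup is displayed as inert text
    print(render_by_key("msgKey=login.empty"))
    print(render_by_key("msgKey=<h1>Don't Use this site</h1>"))
```

Only `render_by_key` addresses both text and HTML injection, because nothing from the request is ever displayed.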