Content Spoofing

Last Updated : 23 Oct, 2018

Content Spoofing (also known as Content Injection) is a common web security vulnerability. It allows an end user of the vulnerable web application to spoof or modify the content the web page actually displays: the attacker abuses a weakness in the site to inject content of their choosing into the target page. The root cause is that the application does not properly handle user-supplied data. An attacker supplies content, typically as a request parameter value, and the application reflects it back to the user as part of the page.

There are two basic kinds of injection possible here:

  • Text Injection
  • HTML Injection

Text Injection:

Text Injection is the subcategory in which the user is able to inject only plain text into the page. In other words, it is not possible to inject executable JavaScript, shell commands or HTML markup; in most cases the attacker can only change some of the text that the website already displays. The harm is to the site's credibility rather than to the browser's security boundary, which is why this class is usually rated lower than XSS, but it is still worth fixing.

Injecting text content

In some cases, the actual content to be displayed in the UI is passed via request parameters. For example, a simple login form might submit a request like the one below. (A real login form should send credentials in a POST body rather than in the query string, where they end up in browser history and server logs; the request shape is enough to illustrate the point.)

https://www.testsite.com/loginAction?userName=test123&password=test123

You may have client-side validation that checks whether the username and/or password is empty or not of the expected form, and based on that you display a message in the UI saying that these fields cannot be empty. The problem arises when that message itself is appended to the request as a parameter, like this,

https://www.testsite.com/loginAction?errorMsg=PasswordEmpty

Once a user sees this request, they can modify the message to whatever they wish, and the modified text will be displayed on the screen. This type of injection is possible on any part of the site where a message is passed via request parameters. The greater the visibility of the injected text, the higher the impact when someone abuses the loophole.

The site might be a credible website; the attacker adds offensive or misleading content, spreads the crafted link, and to the victim it looks as though the site owner has posted that content.
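As an added example (not code from the original article), the following JavaScript models the login error page just described. It assumes a server-side render function for the loginAction page and a small predefined message table; the function names, the message keys and the attacker's link are all hypothetical. The vulnerable renderer HTML-escapes the errorMsg parameter correctly, which is exactly why the result is text injection rather than HTML injection: no markup gets through, yet the attacker still decides what the page says. The fixed renderer treats the parameter as nothing more than a key into predefined messages.

```javascript
// Added example, not code from the original article. It models the
// testsite.com /loginAction error page described above; the function
// names and the message table are assumptions made for illustration.

const MESSAGES = new Map([
  ["PasswordEmpty", "Password must not be empty."],
  ["UserNameEmpty", "User name must not be empty."],
  ["BadCredentials", "Invalid user name or password."],
]);
const GENERIC_ERROR = "Login failed. Please try again.";

// Neutralise the five HTML-significant characters so a value can only
// ever render as text, never as markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Read one query-string parameter from a full request URL (null if absent).
function getParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// Vulnerable to text injection: the output is correctly HTML-escaped, so
// no tags or script get through, but whatever sentence the attacker put
// in the link is what the page displays under the site's own branding.
function renderErrorVulnerable(url) {
  const msg = getParam(url, "errorMsg") ?? "";
  return `<p class="error">${escapeHtml(msg)}</p>`;
}

// Fixed: the parameter is only a lookup key. The visible text always
// comes from the server-side table, with a generic fallback when the key
// is missing or unknown, so the attacker controls nothing that is shown.
function renderErrorSafe(url) {
  const key = getParam(url, "errorMsg");
  const msg = MESSAGES.has(key) ? MESSAGES.get(key) : GENERIC_ERROR;
  return `<p class="error">${msg}</p>`;
}

// Constructed attacker link: the spoofed sentence is what a victim sees
// on the real site after following it.
const ATTACKER_LINK =
  "https://www.testsite.com/loginAction?errorMsg=" +
  encodeURIComponent("Our site was hacked. Reset your password at evil.example");
```

Run the block under Node.js and compare renderErrorVulnerable(ATTACKER_LINK) with renderErrorSafe(ATTACKER_LINK): the first reproduces the attacker's sentence inside the site's own error paragraph, while the second falls back to the generic message because the key is unknown. A legitimate key such as PasswordEmpty still produces the intended message.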

HTML Injection:

HTML injection is similar to text injection and, as the name suggests, allows HTML markup to be injected. This is a more severe class of Content Spoofing vulnerability, since HTML lets the attacker make the injected content far more prominent than plain text would.

Injecting HTML content

Some sites pass HTML content in request parameters too. For example, for pop-ups or site banners, a site may pass the actual HTML content in a parameter and place it inside a div tag, like,

https://www.testsite.com/setAdContent?divMessage=<h1>ClickHere</h1>

The value of the parameter divMessage is placed inside a div and rendered as HTML without any filtering. This is a serious vulnerability: if exploited, it can severely damage the credibility of the site.

It is possible to modify it as,

https://www.testsite.com/setAdContent?divMessage=<marquee><h1>Don't Use this site</h1></marquee>

and the site will show a scrolling message telling visitors not to use it.

XSS Via HTML Injection

This becomes even more serious when the parameter value is rendered directly, without any encoding or filtering that would stop markup capable of carrying script (a script tag, or an event-handler attribute such as onload or onerror). In that case HTML injection escalates to the more serious vulnerability of XSS, aka Cross-Site Scripting, where the attacker can inject executable JavaScript that runs in the victim's browser in the context of the site, completely compromising its security.

It will be something like this,

https://www.testsite.com/setAdContent?divMessage=<body onload=javascript:alert(1)>

and the site is vulnerable to cross-site scripting.

Safety Measures:

  • Never construct error messages on the client and send them to the server via request parameters.
  • Prefer messages predefined in a property (resource) file on the server.
  • Avoid passing HTML content in request parameters at all.
  • If HTML content must be passed, encode or filter it before rendering it as HTML.
  • Pass internal message keys that map to predefined message values, or unique IDs that identify the content to display, and treat any unknown key or ID as an error rather than echoing it.
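The following JavaScript is an added example, not code from the original article. It models the setAdContent banner endpoint from the HTML injection and XSS sections above and applies the encoding and content-ID measures from this list to it; the renderer names, the adId parameter and the banner table are assumptions. It contrasts the raw reflection (HTML injection, and XSS once an event handler is included) with an encoded version, which turns the marquee and body onload payloads above into inert text but still lets the attacker choose the words, and with the by-ID version, which removes attacker-controlled content from the page entirely.

```javascript
// Added example, not code from the original article. It models the
// testsite.com /setAdContent banner endpoint described above; the
// function names, the adId parameter and the banner table are
// assumptions made for illustration.

// Read one query-string parameter from a full request URL (null if absent).
function getParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// Encode the five HTML-significant characters so a value renders as text.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the raw parameter is placed inside the div, so any markup
// in the link becomes part of the page (HTML injection), and an event
// handler or script tag in it executes in the victim's browser (XSS).
function renderAdVulnerable(url) {
  const html = getParam(url, "divMessage") ?? "";
  return `<div id="ad">${html}</div>`;
}

// Partial fix (encode before rendering): tags arrive as inert text, so
// neither HTML injection nor XSS is possible, but the attacker still
// chooses the words shown, i.e. text injection remains.
function renderAdEscaped(url) {
  const text = getParam(url, "divMessage") ?? "";
  return `<div id="ad">${escapeHtml(text)}</div>`;
}

// Full fix (pass an identifier, not content): the request carries only an
// ID and the HTML is looked up server-side. A Map is used rather than a
// plain object so that IDs such as "__proto__" or "constructor" cannot
// resolve to inherited properties; unknown IDs render an empty banner.
const AD_BANNERS = new Map([ // constructed sample content
  ["summer-sale", "<h1>Summer sale: 20% off today</h1>"],
  ["newsletter", "<p>Subscribe to our weekly newsletter</p>"],
]);

function renderAdById(url) {
  const id = getParam(url, "adId");
  const html = AD_BANNERS.has(id) ? AD_BANNERS.get(id) : "";
  return `<div id="ad">${html}</div>`;
}

// Constructed attacker links reusing the payloads from the sections above.
const MARQUEE_LINK =
  "https://www.testsite.com/setAdContent?divMessage=" +
  encodeURIComponent("<marquee><h1>Don't Use this site</h1></marquee>");
const XSS_LINK =
  "https://www.testsite.com/setAdContent?divMessage=" +
  encodeURIComponent("<body onload=javascript:alert(1)>");
```

Under Node.js, renderAdVulnerable(XSS_LINK) emits the onload handler verbatim, renderAdEscaped(XSS_LINK) emits it as harmless text that the browser will display but never execute, and renderAdById only ever emits banners that already exist on the server. Note that escaping alone does not end the content spoofing problem: it is the move from content to identifiers that does.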
