Content Spoofing (also known as Content Injection) is one of the common web security vulnerabilities. It allows an end user of the vulnerable web application to spoof or modify the actual content on the web page. The user might use security loopholes in the website to inject content of their choosing into the target website. When an application does not properly handle user-supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user.
There are two basic kinds of injection possible here:
- Text Injection
- HTML Injection
Injecting text content
In some cases, the actual content that is to be displayed on the UI is passed via request parameters. For example, a simple login form will pass the request as given below,
You may have client-side validation to check whether the username and/or password is empty or not of the expected form, and based on that you may display a message in the UI saying that these fields cannot be empty. The problem happens when this message is appended as a request parameter like this,
Once the user sees this request, they may modify the message as they wish, and the modified message will be displayed on the screen. This type of injection can be done on any part of the site where a message is passed via request parameters. The greater the visibility of the injected text, the higher the chance of the site being affected when someone uses the loophole.
The site might be a credible website, and the user might add offensive content and spread the link. To the victim, it looks like the site owner has posted the offensive content.
Injecting HTML content
HTML injection is similar to text injection and, as the name suggests, it allows HTML content to be injected. This is a relatively severe class of content spoofing vulnerability, because HTML can make offensive content more visible than plain text can.
Some sites also pass HTML content in request parameters. For example, in pop-ups or site banners, sites pass the actual HTML content in parameters and make it sit inside a div tag like,
The value of the parameter divMessage is made to sit inside a div and rendered as HTML without filtering. This is a serious vulnerability, and if exploited it could greatly damage the credibility of the site.
It is possible to modify it as,
https://www.testsite.com/setAdContent?divMessage=<marquee><h1>Don't Use this site</h1><marquee>
and your own site will have a scrolling message saying not to use it.
XSS Via HTML Injection
It will be something like this,
and your site is prone to cross-site scripting.
- Never construct and send error messages via request parameters.
- Prefer using messages predefined in a property file.
- Avoid passing HTML content via request parameters.
- If HTML content must be passed, encode/filter it before rendering it as HTML.
- Pass internal message keys to look up predefined message values, or unique ids that identify the content to be displayed.
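The points above, shown as an added example that is not part of the original article: a reflected message parameter next to a key lookup against predefined messages and an encoded banner. The parameter names errorMessage and msgKey, the /login path and the message keys are assumptions made for illustration; divMessage and the banner URL are the article's own.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Predefined messages, standing in for the property file (keys are hypothetical).
MESSAGES = {
    "login.empty": "Username and password cannot be empty.",
    "login.invalid": "Invalid username or password.",
}

def _param(url, name):
    """Return the first value of a query parameter, or '' if it is absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]

def render_error_vulnerable(url):
    """Anti-pattern: the message text travels in the request and is reflected as-is."""
    return '<p class="error">' + _param(url, "errorMessage") + "</p>"

def render_error_by_key(url):
    """Only an internal key travels in the request; unknown keys render nothing."""
    text = MESSAGES.get(_param(url, "msgKey"), "")
    return '<p class="error">' + html.escape(text) + "</p>"

def render_banner_encoded(url):
    """Request content that must be shown is encoded, so it renders as text, not markup."""
    value = html.escape(_param(url, "divMessage"), quote=True)
    return '<div id="banner">' + value + "</div>"

# Constructed sample requests (hypothetical /login path and parameter names).
SPOOFED = "https://www.testsite.com/login?errorMessage=Any+text+the+sender+chooses"
BY_KEY = "https://www.testsite.com/login?msgKey=login.empty"
UNKNOWN_KEY = "https://www.testsite.com/login?msgKey=Any+text+the+sender+chooses"
# The article's own banner request.
BANNER = ("https://www.testsite.com/setAdContent?divMessage="
          "<marquee><h1>Don't Use this site</h1><marquee>")

if __name__ == "__main__":
    print(render_error_vulnerable(SPOOFED))   # sender-chosen text appears on the page
    print(render_error_by_key(BY_KEY))        # predefined text only
    print(render_error_by_key(UNKNOWN_KEY))   # empty message, nothing reflected
    print(render_banner_encoded(BANNER))      # tags shown as literal text
```
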