- Trending Categories
Data Structure
Networking
RDBMS
Operating System
Java
iOS
HTML
CSS
Android
Python
C Programming
C++
C#
MongoDB
MySQL
Javascript
PHP
- Selected Reading
- UPSC IAS Exams Notes
- Developer's Best Practices
- Questions and Answers
- Effective Resume Writing
- HR Interview Questions
- Computer Glossary
- Who is Who
Content Spoofing
Content Spoofing is the term used to define the type of attack by malicious programmers in which they present a fake website as a legitimate one to the user by text injection or html injection. When a web application does not properly handle the data supplied by the user using search etc. then the attacker can take advantage of such a situation and inject additional parameters that go unnoticed by the user. This leads to landing on another web page that looks the same as the original webpage. That page can ask the user to input information which is confidential and lead to serious harm if released.
Two basic types of injections are
- Html Injection
- Text Injection
Html Injection
- The attacker finds the vulnerable web application.
- The attacker sends the modified URL to the user by any means, usually via email. This URL has text injected.
- By clicking on the URL user is navigated to the attackers webpage, looks like legitimate one.
- User asked the information like username, password, card pins etc.
- This information gets transferred to the attackers server.
Example
Some sites pass the html content too in the urls as parameters, usually inside a div tag.This causes a great vulnerability.
www.testing.com/siteAdcontent?divMessage=<h1>Click Here!!</h1> It is possible to modify it as −
www.testing.com/siteAdcontent?divMessage=<hack><h1>Do not Click!!</h1><hack>
Text Injection
- The attacker finds the vulnerable web application.
- The attacker modifies the values of the parameters passed in the URL.
- The malformed page request link is sent to the attackers server.
- A valid web page now shows the false information according to the parameters.
- Happens when the message is passed via request parameters.
Example
www.testing.com/loginAction?userName=abc&password=123 Can be appended as
www.testing.com/loginAction?errorMessage=PasswordEmpty This new url can take users to a page which displays false content and may offend the user.
- Related Questions & Answers
- What is Email Spoofing?
- What is GPS spoofing?
- Difference between Spoofing and Phishing
- Difference Between Phishing and Spoofing
- What is Spoofing and what are its types?
- What is DNS Cache Poisoning aka DNS Spoofing?
- What is IP Spoofing? (Process and How to Prevent)
- What is Phone Number Spoofing and How to Stop It?
- CSS justify-content
- HTML content Attribute
- CSS content-box Value
- CSS align-content property
- Show content with Bootstrap
- Hide content with Bootstrap
- What are Anti-Spoofing Techniques? How are They Used to Stop DDoS Attacks?