Contributors

Robert Auger
Ryan Barnett
Yuval Ben-Itzhak
Erik Caso
Cesar Currudo
Sacha Faust
JD Glaser
Jeremiah Grossman
Sverre H. Huseby
Amit Klein
Mitja Kolsek
Aaron C. Newman
Steve Orrin
Bill Pennington
Ray Pompon
Mike Shema
Ory Segal
Caleb Sima



Content Spoofing
Content Spoofing is an attack technique used to trick a user into believing that certain content appearing on a web site is legitimate and not from an external source. Some web pages are assembled from dynamically chosen HTML content sources. For example, the source location of a frame, <frame src="http://foo.example/file.html">, could be specified by a URL parameter value (http://foo.example/page?frame_src=http://foo.example/file.html). An attacker may be able to replace the "frame_src" parameter value with "frame_src=http://attacker.example/spoof.html". When the resulting web page is served, the browser location bar still shows the domain the user expects (foo.example), while the foreign content (attacker.example) is wrapped in, and indistinguishable from, the site's legitimate content.

Specially crafted links can be sent to a user via e-mail or instant message, posted on bulletin boards, or forced upon users by a Cross-site Scripting attack. If an attacker gets a user to visit the web page designated by the malicious URL, the user will believe they are viewing authentic content from one location when they are not. Users will implicitly trust the spoofed content since the browser location bar displays http://foo.example, when in fact the underlying HTML frame is referencing http://attacker.example.

This attack exploits the trust relationship established between the user and the web site. The technique has been used to create fake web pages including login forms, defacements, false press releases, and similar content.


Example
Creating a spoofed press release. Let's say a web site uses dynamically created HTML frames for its press release web pages. A user would visit a link such as:

http://foo.example/pr?pg=http://foo.example/pr/01012003.html

The resulting web page HTML would be:

Code Snippet:
    <HTML>
    <FRAMESET COLS="100, *">
    <FRAME NAME="pr_menu" SRC="menu.html">
    <FRAME NAME="pr_content" SRC="http://foo.example/pr/01012003.html">
    </FRAMESET>
    </HTML>

The "pr" web application in the example above creates the HTML with a static menu and a dynamically generated FRAME SRC. The "pr_content" frame pulls its source from the URL parameter value of "pg" to display the requested press release content. But what if an attacker altered the normal URL to:

http://foo.example/pr?pg=http://attacker.example/spoofed_press_release.html

Without properly sanity checking the "pg" value, the resulting HTML would be:

Code Snippet:
    <HTML>
    <FRAMESET COLS="100, *">
    <FRAME NAME="pr_menu" SRC="menu.html">
    <FRAME NAME="pr_content" SRC="http://attacker.example/spoofed_press_release.html">
    </FRAMESET>
    </HTML>

To the end user, the "attacker.example" spoofed content appears authentic and delivered from a legitimate source.
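The following is an added example, not code from the WASC page or from any real "pr" application. It shows the frame-building handler from the description and the press release example above in two forms: the vulnerable version that copies the "pg" parameter straight into the FRAME SRC, and a hardened version that resolves the parameter the way a browser would and only frames a path on the site's own origin under /pr/. The function names, the SITE_ORIGIN and PR_PATH constants, the not_found page and the sample inputs are assumptions made for this illustration; the sample inputs go beyond the page's single spoof URL to include the scheme-relative, userinfo, look-alike-host and path-traversal variants an attacker would try against a naive prefix check.

```javascript
// Added example (not from the WASC page): the "pr" handler from the text,
// first as the vulnerable version, then hardened so that the "pg" parameter
// can only ever name a press release on the site's own origin.
// SITE_ORIGIN, PR_PATH, the function names and the sample inputs are
// assumptions made for this illustration.

const SITE_ORIGIN = "http://foo.example";          // assumed origin of the "pr" app
const PR_PATH = /^\/pr\/[A-Za-z0-9_-]+\.html$/;    // assumed shape of a legitimate press release path

// Escape the characters that matter inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Vulnerable: copies the "pg" value straight into the FRAME SRC, exactly as
// the page's example does. Whatever URL the attacker puts in the link ends up
// framed under foo.example.
function buildPressReleasePageVulnerable(pg) {
  return `<HTML><FRAMESET COLS="100, *">` +
    `<FRAME NAME="pr_menu" SRC="menu.html">` +
    `<FRAME NAME="pr_content" SRC="${pg}">` +
    `</FRAMESET></HTML>`;
}

// Validate "pg": resolve it as a browser would, then require that the result
// is on our own origin and names a press release under /pr/. Returns the
// canonical same-origin path to frame, or null if the value must be rejected.
function resolvePressRelease(pg) {
  let u;
  try {
    // Resolving against the site's own base exposes the real origin of
    // scheme-relative ("//attacker.example/x"), userinfo
    // ("http://foo.example@attacker.example/") and look-alike-host values,
    // because the WHATWG URL parser normalises them before we compare.
    u = new URL(pg, SITE_ORIGIN + "/pr/");
  } catch (e) {
    return null;                                   // unparseable input
  }
  if (u.origin !== SITE_ORIGIN) return null;       // foreign scheme, host or port
  if (!PR_PATH.test(u.pathname)) return null;      // "/pr/../x" is already collapsed by the parser
  return u.pathname;                               // frame the canonical path, never the raw input
}

// Hardened handler: same markup, but the frame target is the validated path
// (or a fixed same-origin error page when validation fails).
function buildPressReleasePageSafe(pg) {
  const target = resolvePressRelease(pg);
  const src = target === null ? "/pr/not_found.html" : target;
  return `<HTML><FRAMESET COLS="100, *">` +
    `<FRAME NAME="pr_menu" SRC="menu.html">` +
    `<FRAME NAME="pr_content" SRC="${escapeAttr(src)}">` +
    `</FRAMESET></HTML>`;
}

// Constructed sample inputs: the page's legitimate link, the page's spoof link,
// and variants that defeat a check which only looks for a "http://foo.example" prefix.
const SAMPLES = [
  "http://foo.example/pr/01012003.html",
  "http://attacker.example/spoofed_press_release.html",
  "//attacker.example/spoofed_press_release.html",
  "http://foo.example@attacker.example/spoofed_press_release.html",
  "http://foo.example.attacker.example/pr/01012003.html",
  "/pr/../admin/spoof.html",
  "01012003.html",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) {
    console.log(JSON.stringify(s), "->", JSON.stringify(resolvePressRelease(s)));
  }
}
```

Only the first and last samples resolve to a frameable path ("/pr/01012003.html"); every other value is rejected because its origin is not foo.example or its normalised path leaves /pr/. Comparing the parsed origin rather than the raw string is the point: a prefix or substring check on "foo.example" passes the userinfo and look-alike-host variants. A stronger design keeps the URL out of the parameter altogether and looks the press release up by an opaque identifier; a Content-Security-Policy frame-src directive restricted to the site's own origin adds defence in depth, although neither of those is discussed on this page.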


References
"A new spoof: all frames-based sites are vulnerable" - SecureXpert Labs
http://tbtf.com/archive/11-17-98.html#s02

© Copyright 2005, Web Application Security Consortium. All rights reserved.