
Content Spoofing

03 Mar 2006 | Addison-Wesley


Preventing Web Attacks with Apache

Ryan C. Barnett

624 pages; $44.99

Addison-Wesley

In this excerpt of Chapter 7 from Preventing Web Attacks with Apache, author Ryan C. Barnett explains how content spoofing attacks exploit vulnerabilities and how to use Apache to protect against them.

Content spoofing is an attack technique used to trick a user into believing that certain content appearing on a Web site is legitimate and not from an external source.

Some Web pages are served using dynamically built HTML content sources. For example, the source location of a frame (frame src="http://foo.example/file.html") could be specified by a URL parameter value (http://foo.example/page?frame_src=http://foo.example/file.html). An attacker may be able to replace the frame_src parameter value with frame_src=http://attacker.example/spoof.html. When the resulting Web page is served, the browser location bar visibly remains under the user-expected domain (foo.example), but the foreign data (attacker.example) is shrouded by legitimate content.

Specially crafted links can be sent to a user via e-mail or instant message, left in bulletin board postings, or forced upon users by a cross-site scripting attack. If an attacker gets a user to visit the Web page reached through the malicious URL, the user will believe he is viewing authentic content from one location when he is not. Users will implicitly trust the spoofed content, since the browser location bar displays http://foo.example when in fact the underlying HTML frame is referencing http://attacker.example.

This attack exploits the trust relationship established between the user and the Web site. The technique has been used to create fake Web pages including login forms, defacements, false press releases, and so on.

Content Spoofing Example

Let's say a Web site uses dynamically created HTML frames for its press release Web pages. A user would visit a link such as http://foo.example/pr?pg=http://foo.example/pr/01012003.html. The resulting Web page HTML would be:
<HTML>
<FRAMESET COLS="100, *">
<FRAME NAME="pr_menu" SRC="menu.html">
<FRAME NAME="pr_content"
SRC="http://foo.example/pr/01012003.html">
</FRAMESET>
</HTML>

The Web application in the preceding example creates the HTML with a static menu and a dynamically generated FRAME SRC. The pr_content frame pulls its source from the value of the pg URL parameter to display the requested press release content. But what if an attacker altered the normal URL to http://foo.example/pr?pg=http://attacker.example/spoofed_press_release.html? Without proper validation of the pg value, the resulting HTML would be:
<HTML>
<FRAMESET COLS="100, *">
<FRAME NAME="pr_menu" SRC="menu.html">
<FRAME NAME="pr_content"
SRC="http://attacker.example/spoofed_press_release.html">
</FRAMESET>
</HTML>

To the end user, the attacker.example spoofed content appears authentic and delivered from a legitimate source.

Apache Countermeasures Against Content Spoofing

To validate the pg value from the preceding example at the Web server, we can write an inverted ModSecurity filter that denies any request whose pg argument does not point at our own site. The following filter (ModSecurity 1.x SecFilterSelective syntax; ModSecurity 2.x replaced it with SecRule) accomplishes this:

SecFilterSelective Arg_pg "!^http://foo.example"

Two caveats apply before deploying it. The pattern is a bare prefix match with an unescaped dot, so http://foo.example.attacker.example/..., http://foo.example@attacker.example/... and http://fooXexample/... all pass it, while a legitimate https://foo.example/... is rejected; at minimum, escape the dot and require the trailing slash (^http://foo\.example/). More robustly, the application itself should parse pg as a URL and accept only the expected scheme, the exact host and a path under /pr/, or should stop accepting URLs altogether and map a short identifier (pg=01012003) to the press release on disk, so that the Web server filter becomes a second layer rather than the only one.
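The following Python script is added for this excerpt; it is not code from the book or from ModSecurity. It reproduces the frameset builder from the example above and compares the prefix match that the filter performs with a parsed allowlist check, then shows a hardened builder that falls back to a fixed page and escapes the attribute value. The URLs it feeds in are constructed for the demonstration; the host name foo.example, the /pr/ path prefix and the fallback page index.html are assumptions.

```python
import re
from html import escape
from urllib.parse import urlsplit

# Assumptions for this demonstration (not from the book): the site is
# foo.example, press releases live under /pr/, and a rejected pg value
# falls back to a fixed index page instead of the attacker's URL.
ALLOWED_HOST = "foo.example"
ALLOWED_PATH_PREFIX = "/pr/"
DEFAULT_PAGE = "http://foo.example/pr/index.html"


def build_frameset(pg: str) -> str:
    """Vulnerable builder from the chapter: pg is dropped into FRAME SRC verbatim."""
    return (
        '<HTML>\n'
        '<FRAMESET COLS="100, *">\n'
        '<FRAME NAME="pr_menu" SRC="menu.html">\n'
        f'<FRAME NAME="pr_content" SRC="{pg}">\n'
        '</FRAMESET>\n'
        '</HTML>\n'
    )


# Same test the ModSecurity filter performs: a prefix match that is not
# anchored at the end and has an unescaped dot (re.match anchors the start).
PREFIX_RE = re.compile(r"^http://foo.example")


def prefix_check(pg: str) -> bool:
    """True when the filter's regex would let pg through."""
    return PREFIX_RE.match(pg) is not None


def strict_check(pg: str) -> bool:
    """Parse pg as a URL and allow only the expected scheme, host and path prefix."""
    try:
        parts = urlsplit(pg)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False
    return (
        parts.scheme in ("http", "https")
        and parts.username is None and parts.password is None  # no user@host tricks
        and port is None
        and parts.hostname == ALLOWED_HOST                      # exact host, not a prefix
        and parts.path.startswith(ALLOWED_PATH_PREFIX)
        and ".." not in parts.path.split("/")                   # no /pr/../ escapes
    )


def safe_frameset(pg: str) -> str:
    """Hardened builder: validated URL or the default page, then attribute-escaped."""
    target = pg if strict_check(pg) else DEFAULT_PAGE
    return build_frameset(escape(target, quote=True))


# Constructed inputs: one legitimate link, the chapter's attacker URL, and
# variants that defeat a prefix match but not the parsed check. The last one
# passes both URL checks; only the attribute escaping keeps it inside SRC.
SAMPLE_URLS = {
    "legit":     "http://foo.example/pr/01012003.html",
    "attacker":  "http://attacker.example/spoofed_press_release.html",
    "subdomain": "http://foo.example.attacker.example/spoof.html",
    "userinfo":  "http://foo.example@attacker.example/spoof.html",
    "dot":       "http://fooXexample/pr/01012003.html",
    "https":     "https://foo.example/pr/01012003.html",
    "traversal": "http://foo.example/pr/../private/draft.html",
    "attr":      'http://foo.example/pr/x.html" onload="alert(1)',
}


def evaluate(urls=SAMPLE_URLS):
    """Return {name: (prefix_check result, strict_check result)} for each URL."""
    return {name: (prefix_check(u), strict_check(u)) for name, u in urls.items()}


if __name__ == "__main__":
    for name, (loose, strict) in evaluate().items():
        print(f"{name:10s} prefix={loose!s:5s} strict={strict!s:5s}")
    print(safe_frameset(SAMPLE_URLS["attacker"]))
```

Running it shows the subdomain, userinfo, unescaped-dot and traversal variants slipping past the prefix match while the parsed check rejects them, and the https link rejected by the prefix match although it points at the right site. The hardened builder never emits attacker.example, because any value that fails strict_check is replaced by the default page before it reaches the frameset.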

