CAPEC-148: Content Spoofing

Description

An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the adversary's content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the adversary will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. Content Spoofing can lead to malware exposure, financial fraud (if the content governs financial transactions), privacy violations, and other unwanted outcomes.

Extended Description

Many applications allow users to send email messages by filling in fields. For example, a web site may have a link to "share this site with a friend" where the user provides the recipient's email address and the web application fills out all the other fields, such as the subject and body. In this pattern, an adversary adds header and body information to an email message by injecting additional content in an input field used to construct a header of the mail message. This attack takes advantage of the fact that RFC 822 requires that headers in a mail message be separated by a carriage return. As a result, an adversary can inject new headers or content simply by adding a delimiting carriage return and then supplying the new heading and body information. This attack will not work if the user can only supply the message body since a carriage return in the body is treated as a normal character.

Severity :

Medium

Possibility :

Medium

Type :

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-33: HTTP Request Smuggling HTTP Request Smuggling CAPEC-34: HTTP Response Splitting HTTP Response Splitting CAPEC-105: HTTP Request Splitting HTTP Request Splitting CAPEC-145: Checksum Spoofing Checksum Spoofing CAPEC-218: Spoofing of UDDI/ebXML Messages Spoofing of UDDI/ebXML Messages CAPEC-273: HTTP Response Smuggling HTTP Response Smuggling CAPEC-502: Intent Spoof Intent Spoof CAPEC-627: Counterfeit GPS Signals Counterfeit GPS Signals CAPEC-665: Exploitation of Thunderbolt Protection Flaws Exploitation of Thunderbolt Protection Flaws CAPEC-668: Key Negotiation of Bluetooth Attack (KNOB) Key Negotiation of Bluetooth Attack (KNOB) CAPEC-701: Browser in the Middle (BiTM) Browser in the Middle (BiTM)

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

The target must provide content but fail to adequately protect it against modification.The adversary must have the means to alter data to which they are not authorized. If the content is to be modified in transit, the adversary must be able to intercept the targeted messages.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Defacement WASC | Content Spoofing OWASP Attacks | Content Spoofing

Resources required

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-345: Insufficient Verification of Data Authenticity

Visit http://capec.mitre.org/ for more details.