Test Methods (Detailed Overview)
Here is a list of every test performed by Web Scan Service.
Frame Spoofing
Remediation Task: Validate user input
WASC Classification: Client-side Attacks: Content Spoofing
Affected Products: This issue may affect different types of products
Technical Description
Frame Spoofing, also called Content Spoofing, is an attack technique used to trick a user into believing that certain content appearing on a web site is legitimate when it in fact comes from an external source.
Some web pages are served using dynamically built HTML content sources. For example, the source location of a frame could be specified by a URL parameter value (http://foo.example/page?frame_src=http://foo.example/file.html).
An attacker may be able to replace the “frame_src” parameter value with “frame_src=http://attacker.example/spoof.html”. When the resulting web page is served, the browser location bar still shows the domain the user expects (foo.example), while the foreign data from attacker.example is displayed surrounded by legitimate content. Specially crafted links can be sent to a user via e-mail or instant message, left in bulletin board postings, or forced upon users by a Cross-site Scripting attack. If an attacker gets a user to visit the web page designated by the malicious URL, the user will believe they are viewing authentic content from one location when they are not.
Users will implicitly trust the spoofed content since the browser location bar displays http://foo.example, when in fact the underlying HTML frame is referencing http://attacker.example. This attack exploits the trust relationship established between the user and the web site. The technique has been used to create fake web pages including login forms, defacements, false press releases, etc.
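The following is an added example, not code from the scan service's page: a server-side fragment that builds an iframe from the "frame_src" query parameter, first in the vulnerable form the description above outlines and then hardened according to the remediation task (validate user input). The site origin http://foo.example and the attacker URL come from the text; the function names, the fallback page and the escaping helper are this example's own assumptions. Note that the check resolves the parameter against the site's origin and compares the resulting origin, which also rejects protocol-relative values such as "//attacker.example/spoof.html", credential tricks such as "http://foo.example@attacker.example/" and non-http schemes, none of which a simple prefix check on the string would catch.

```javascript
// Added example (not part of the original page). Demonstrates the frame_src
// issue described in the text and one way to validate the parameter.
// Assumptions: the site is served from http://foo.example; the fallback
// page /file.html and all helper names are hypothetical.
const SITE_ORIGIN = 'http://foo.example';

// Minimal HTML attribute escaping so that no value, accepted or not, can
// break out of the src="..." attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable: whatever arrives in ?frame_src= becomes the frame's source.
// The browser's location bar keeps showing foo.example while the frame
// loads attacker.example content.
function renderFrameVulnerable(frameSrc) {
  return `<iframe src="${escapeAttr(frameSrc)}"></iframe>`;
}

// Hardened: resolve the parameter against the site's own origin and keep
// it only if the result is still on that origin. Absolute foreign URLs,
// protocol-relative values ("//attacker.example/x"), userinfo tricks
// ("http://foo.example@attacker.example/") and non-http(s) schemes such as
// "javascript:" all end up with a different origin and are rejected.
// Returns the normalised same-origin URL, or null when the value is refused.
function validateFrameSrc(frameSrc) {
  let url;
  try {
    url = new URL(frameSrc, SITE_ORIGIN);
  } catch (e) {
    return null; // unparsable input is refused, not echoed
  }
  if (url.origin !== SITE_ORIGIN) return null;
  return url.href;
}

// Hardened rendering: on rejection, fall back to a fixed server-chosen page
// instead of reflecting the attacker-controlled value.
function renderFrameHardened(frameSrc) {
  const safeSrc = validateFrameSrc(frameSrc);
  const src = safeSrc === null ? SITE_ORIGIN + '/file.html' : safeSrc;
  return `<iframe src="${escapeAttr(src)}"></iframe>`;
}

// Constructed sample inputs, mirroring the URLs in the description above.
const samples = [
  'http://foo.example/file.html',
  '/file.html',
  'http://attacker.example/spoof.html',
  '//attacker.example/spoof.html',
  'http://foo.example@attacker.example/spoof.html',
  'javascript:alert(1)',
];
for (const s of samples) {
  console.log(`${s}\n  vulnerable: ${renderFrameVulnerable(s)}\n  hardened:   ${renderFrameHardened(s)}`);
}
```

The origin comparison relies on the WHATWG URL parser (available in Node.js as the global `URL`), so the same normalisation the browser applies (lower-casing the host, dropping the default port) is applied before the decision is made.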