‘Content spoofing’ a major website vulnerability, study finds

Content spoofing is a way to get a website to display content from the attacker

A close look at vulnerabilities in about 15,000 websites found 86 per cent had at least one serious hole that hackers could exploit, and content spoofing was the most prevalent vulnerability, identified in over half of the sites, according to WhiteHat Security's annual study published today.

Content spoofing is a way to get a website to display content from the attacker, says Jeremiah Grossman, CTO at WhiteHat, an IT security vendor. A criminal might do this to steal sensitive customer information or simply to embarrass the owners of a website. In any event, in content spoofing the fake content is not actually on the website as it would be in a web defacement, but simply appears to be there, Grossman points out.

The Open Web Application Security Project (OWASP) group says content spoofing is also sometimes referred to as content injection or virtual defacement, and it's an attack made possible by an injection vulnerability in a web application that does not properly handle user-supplied data.


The content spoofing attack can supply content to a web application that is reflected back to the user, who's presented with a modified page under the context of the trusted domain, according to OWASP. It's said to be similar to a cross-site scripting attack but uses other techniques to modify the page for malicious reasons.
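The reflection OWASP describes, shown as a constructed example that is not code from WhiteHat, OWASP or the article: a page whose notice text comes straight from the request, the same page with output encoding (which stops injected markup but still shows attacker-chosen text under the trusted domain), and a hardened version that only accepts a server-side notice id. The template, notice catalogue and function names are assumptions made for this example.

```python
import html
from urllib.parse import parse_qs

# Constructed page template standing in for a site's error page; the notice
# slot is filled from the request. Example code, not the vendor's or OWASP's.
TEMPLATE = "<html><body><h1>Example Bank</h1><p>{notice}</p></body></html>"

# Server-side catalogue of notices the page is allowed to show, keyed by id.
NOTICES = {
    "login_failed": "Sign-in failed. Check your username and password.",
    "session_expired": "Your session expired. Please sign in again.",
}
DEFAULT_NOTICE = "An error occurred."


def _param(query: str, name: str) -> str:
    """Return the first value of a query-string parameter, or '' if absent."""
    return parse_qs(query).get(name, [""])[0]


def render_vulnerable(query: str) -> str:
    """Reflect ?msg= verbatim. Whatever a visitor was tricked into requesting
    is rendered as the site's own text: the content spoofing hole."""
    return TEMPLATE.format(notice=_param(query, "msg"))


def render_encoded(query: str) -> str:
    """HTML-encode the reflected value. Stops injected markup, but free text
    still appears under the trusted domain, so spoofing is only narrowed."""
    return TEMPLATE.format(notice=html.escape(_param(query, "msg"), quote=True))


def render_hardened(query: str) -> str:
    """Accept only a notice id and look the text up server-side, so nothing
    the request carries reaches the page."""
    return TEMPLATE.format(notice=NOTICES.get(_param(query, "msg"), DEFAULT_NOTICE))


def reflects_input(page: str, supplied: str) -> bool:
    """Scanner-style check: does the supplied string come back in the body?"""
    return supplied in page


if __name__ == "__main__":
    # Constructed request string; the notice text is ours, not from any site.
    q = "msg=Maintenance+notice:+please+call+support"
    for fn in (render_vulnerable, render_encoded, render_hardened):
        print(fn.__name__, reflects_input(fn(q), "Maintenance notice"))
```

The check in `reflects_input` is the kind of probe an assessment applies: a response that echoes arbitrary supplied text is spoofable even when it echoes no markup.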

The annual WhiteHat Website Security Statistics Report examined vulnerabilities found over the course of 2012 in the 15,000 websites of 650 companies and government agencies for which it provides web application vulnerability assessments. These range from financial, manufacturing, technology, entertainment, energy to media, and government.

The top 15 vulnerability classes for websites are said to be cross-site scripting; information leakage; content spoofing; cross-site request forgery; brute force; insufficient transport layer protection; insufficient authorization; SQL injection; session fixation; fingerprinting; URL redirector abuse; directory indexing; abuse of functionality; predictable resource location; and HTTP response splitting.

Grossman says there were a few unexpected findings related to how quickly organizations fixed vulnerabilities when taking into account how much they'd invested in application security training for their programmers.

Emphasis on training was correlated with 40% fewer website vulnerabilities and a 59% faster rate of resolving them than in organizations that didn't do training. But the actual remediation rate to close all the holes related to the vulnerabilities was 12% less than in organizations without training. Grossman says WhiteHat's analysis indicates that the poorest rates of remediation overall are associated with organizations where regulatory compliance requirements are the No.1 driver for resolving vulnerabilities. If the vulnerability wasn't tied to compliance, it was ignored.

When organizations' website vulnerabilities go unresolved, compliance was cited as the #1 reason, closely followed by risk reduction, according to the WhiteHat study. The study also found the best remediation rates occurred when customers or partners demanded it.

Other findings in the 2012 website vulnerability study show:

  • 85% of organizations use some variety of application security testing in pre-production website environments
  • 55% have a Web Application Firewall in some state of deployment
  • In the event of a website data or system breach, 79% said the Security Department would be accountable
  • 23% experienced a data or system breach as a result of an application-layer vulnerability

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com.
