This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
OWASP Periodic Table of Vulnerabilities - Content Spoofing
Return to Periodic Table Working View
Content Spoofing
Root Cause Summary
The application displays user-defined content in the URL or page body in a way that makes it appear to be legitimate site content.
Browser / Standards Solution
Define a new 40X status code that can be used instead of the current strategy employed by many sites of using a 200 response code for missing content or a 30x redirect, which is handled in the following way:
- The URL bar is overwritten with the contents of the Location header, which is restricted to a URL from the same origin as the original request.
- The response body specified by the server is displayed. If not specified, the browser substitutes a generic 404 page.
Perimeter Solution
None
Generic Framework Solution
None
Custom Framework Solution
The framework must clearly segregate user-defined content from site-defined content.
Custom Code Solution
None
Discussion / Controversy
Some argue that the information leakage risk of replying with 404 for missing content vs. 200 for actual content is significant. Replying with 200 for everything may have SEO implications.