This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OWASP Periodic Table of Vulnerabilities - Content Spoofing

Revision as of 23:46, 15 November 2013 by James Landis (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Return to Periodic Table Working View

Content Spoofing

Root Cause Summary

The application displays user-defined content in the URL or page body in a way that makes it appear to be legitimate site content.

Browser / Standards Solution

Define a new 40X status code that can be used instead of the current strategy employed by many sites of using a 200 response code for missing content or a 30x redirect, which is handled in the following way:

  • The URL bar is overwritten with the contents of the Location header, which is restricted to a URL from the same origin as the original request.
  • The response body specified by the server is displayed. If not specified, the browser substitutes a generic 404 page.

Perimeter Solution


Generic Framework Solution


Custom Framework Solution

The framework must clearly segregate user-defined content from site-defined content.

Custom Code Solution


Discussion / Controversy

Some argue that the information leakage risk of replying with 404 for missing content vs. 200 for actual content is significant. Replying with 200 for everything may have SEO implications. URL Content spoofing risk may not be clearly defined enough to show need for standards-based solution.


Content Spoofing
Content Spoofing (WASC)