Content Spoofing Vulnerability on Constantcontact.com - BestCyberNews: Online News Presenter in the present world


Content Spoofing Vulnerability on Constantcontact.com

An independent security researcher, Maulik Kotak, has found a content spoofing vulnerability on Constantcontact.com.

Content spoofing is a hacking technique used to lure a user onto a website that looks legitimate but is actually an elaborate copy.

Hackers can spoof content using dynamic HTML and frames to create a website with the expected URL and a similar appearance, which then prompts the user for personal information.


Content spoofing is also common with email alerts, account notifications and so on. Maulik has provided a video demonstration of this vulnerability.
This is the link to the original site:

https://ui.constantcontact.com/support/login.jsp?startURL=/support/index.jsp&error.message=Your%20username%20or%20password%20did%20not%20match%20our%20records.

This is the content spoofing payload link; the text supplied in the error.message parameter is shown on the page as if it came from the site:

https://ui.constantcontact.com/support/login.jsp?startURL=/support/index.jsp&error.message=Content%20Spoofing

These are the differences between content spoofing and XSS:

Content spoofing is an attack that is closely related to cross-site scripting (XSS). While XSS uses <script> and similar techniques to run JavaScript, content spoofing uses other techniques to modify what the page displays for malicious purposes.

Even if XSS mitigation techniques are used within the web application, such as proper output encoding, the application can still be vulnerable to text-based spoofing attacks, because encoding only neutralises markup and leaves attacker-chosen plain text intact.
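As an added illustration (not code from this post or from Constant Contact), the following shows the reflected-message pattern that the two URLs above rely on, beside a hardened version that accepts only an error code and looks the text up server-side. The `error` code parameter, the message table and the `message_is_known` log check are assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qs
from html import escape

# URLs quoted in the post: the site's own message, then the spoofing payload.
LEGIT_URL = ("https://ui.constantcontact.com/support/login.jsp?startURL=/support/index.jsp"
             "&error.message=Your%20username%20or%20password%20did%20not%20match%20our%20records.")
PAYLOAD_URL = ("https://ui.constantcontact.com/support/login.jsp?startURL=/support/index.jsp"
               "&error.message=Content%20Spoofing")

# Assumed server-side table: only these strings may ever appear in the banner.
ERROR_MESSAGES = {
    "bad_credentials": "Your username or password did not match our records.",
    "session_expired": "Your session has expired. Please sign in again.",
}

def render_login_reflected(url: str) -> str:
    """Vulnerable pattern: banner text is copied from error.message.
    html.escape() blocks XSS, yet any plain text in the URL is still
    displayed under the site's trusted domain and branding."""
    params = parse_qs(urlsplit(url).query)
    message = params.get("error.message", [""])[0]
    return f'<div class="error">{escape(message)}</div>'

def render_login_hardened(url: str) -> str:
    """Hardened pattern (assumed design): the URL carries an error *code*
    and the wording comes from ERROR_MESSAGES, so attacker-supplied text
    is never rendered in the site's voice. Unknown codes show nothing."""
    params = parse_qs(urlsplit(url).query)
    code = params.get("error", [""])[0]
    message = ERROR_MESSAGES.get(code)
    if message is None:
        return ""
    return f'<div class="error">{escape(message)}</div>'

def message_is_known(url: str) -> bool:
    """Detection aid for access-log review: does a legacy-style URL carry
    one of the site's own messages, or free text chosen by someone else?"""
    params = parse_qs(urlsplit(url).query)
    message = params.get("error.message", [""])[0]
    return message in ERROR_MESSAGES.values()

if __name__ == "__main__":
    print(render_login_reflected(PAYLOAD_URL))   # attacker text reflected
    print(render_login_hardened(PAYLOAD_URL))    # empty: no code, no banner
    print(message_is_known(LEGIT_URL), message_is_known(PAYLOAD_URL))
```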

Author: Venkatesh Yalagandula
