[WEB SECURITY] Content Spoofing attacks

MustLive mustlive at websecurity.com.ua
Thu Nov 15 16:55:37 EST 2012


Hello participants of Mailing List.

In January 2010 I've wrote the first article and in October 2012 I've wrote
the second article on Content Spoofing topic.

I'll tell you briefly about my articles concerning Content Spoofing
vulnerabilities and attacks on them. First one it's my 2010 article and
second one it's my new article, which I've wrote in the end of October.
These topics should be interesting for you (especially for those, who
haven't read them before).

1. Content Spoofing attacks: Link Injection and Text Injection.
http://websecurity.com.ua/3893/

In this article I've told about such variations of CS attacks as Link
Injection and Text Injection. These attacks are possible as at injection to
html pages, as to flash files and captchas. For Link Injection the examples
are shown on web sites of IBM and UBN and on WP-Cumulus (about 34 million
flash files with XSS and Link Injection in WP-Cumulus and its forks I've
wrote in corresponding articles in the end of 2009 and the beginning of
2010). For Text Injection the examples are shown on web sites of GoDaddy,
UBN and one online shop.

2. Content Spoofing attacks: Content Injection and Site Injection.
http://websecurity.com.ua/6127/

In this article, which is continuation of previous, I've told about Advanced
Content Spoofing. If in previous article I wrote about simple attacks, then
in this article I wrote about advanced CS attacks. Which allow full spoofing
of content. I've told about such variations of CS attacks as Content
Injection and Site Injection. All examples are shown concerning attacks on
flash applications. For Content Injection the examples are shown on FLV
Player, flvPlayer, JW Player and JW Player Pro (and there are thousands
million of flash files of all these players in Internet). For Site Injection
the examples are shown on one Ukrainian web site (UBN) and one Singaporean
flash site.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 





More information about the websecurity mailing list