Description

It is possible to perform actions in the application and make it look as if they were performed by the system or another user. Examples include sending messages that appear to come from the system and modifying data in the name of other users (who may have more privileges).
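As an added example that is not part of the original entry, the following contrasts a message handler that trusts a client-supplied `sender` field (the impersonation described above) with a hardened version that always derives the sender from the authenticated session and reserves system messages for server-side code. All names (`Session`, `send_message_unsafe`, `send_message`, `SYSTEM_SENDER`) are assumptions for illustration.

```python
"""Client-controlled sender (vulnerable) vs. session-derived sender (hardened).
All identifiers here are illustrative assumptions, not code from the page."""
from dataclasses import dataclass

SYSTEM_SENDER = "system"  # reserved identity for application-generated messages


@dataclass
class Session:
    user_id: str  # identity established by authentication, never by the request body


@dataclass
class Message:
    sender: str
    recipient: str
    body: str


class ImpersonationError(PermissionError):
    """Raised when a request tries to choose its own sender identity."""


def send_message_unsafe(session: Session, payload: dict) -> Message:
    """Vulnerable: 'sender' is taken from the client payload, so any
    authenticated user can label a message as 'system' or as another user."""
    return Message(payload["sender"], payload["recipient"], payload["body"])


def send_message(session: Session, payload: dict) -> Message:
    """Hardened: the sender is always the authenticated user. A payload that
    carries a 'sender' key is rejected (not silently overwritten) so that the
    attempt surfaces in application logs for detection."""
    if "sender" in payload:
        raise ImpersonationError(
            f"user {session.user_id} attempted to set sender={payload['sender']!r}"
        )
    return Message(session.user_id, payload["recipient"], payload["body"])


def send_system_message(recipient: str, body: str) -> Message:
    """System messages are produced only by server-side code through this
    function; no request handler path can yield sender == SYSTEM_SENDER."""
    return Message(SYSTEM_SENDER, recipient, body)
```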

Impact

Impersonate the application to increase the chances of a successful phishing or social engineering attack.

Recommendation

Avoid custom system messages that can be tampered with by a user.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⏱️ 45 minutes.

Fixes