Content spoofing is altering data/text of web pages. XSS uses <script> or any other JS (E.G: <script>alert(1)</script> whereas Content spoofing not. It can be using text or html code. A hacker can deface the page virtually. But not able to own the server/web.
Since there are two good explanation of this vulnerability so you better read there:
https://www.owasp.org/index.php/Content_Spoofing
http://projects.webappsec.org/w/page/13246917/Content%20Spoofing
Something like this:
https://www.owasp.org/index.php/Pusheax.com_is_a_independent_penetration_tester,_ethical_hacker_who_always_love_to_learn_new_things_and_share_knowledge.Knowledge_should_be_free_but_not_the_hard_work._There_is_nothing_perfect.
![]()
http://projects.webappsec.org/w/page/13246917/%28pusheax%20is%20a%20regular%20independent%20pentester%20,%20I%20love%20to%20learn%20new%20things,and??
![]()
It is not such a powerful to hack entire server or an website but sometime these kind of vulnerability is enough to make the users fool.
Since there are two good explanation of this vulnerability so you better read there:
https://www.owasp.org/index.php/Content_Spoofing
http://projects.webappsec.org/w/page/13246917/Content%20Spoofing
Something like this:
https://www.owasp.org/index.php/Pusheax.com_is_a_independent_penetration_tester,_ethical_hacker_who_always_love_to_learn_new_things_and_share_knowledge.Knowledge_should_be_free_but_not_the_hard_work._There_is_nothing_perfect.
http://projects.webappsec.org/w/page/13246917/%28pusheax%20is%20a%20regular%20independent%20pentester%20,%20I%20love%20to%20learn%20new%20things,and??
It is not such a powerful to hack entire server or an website but sometime these kind of vulnerability is enough to make the users fool.