Web Security 08 — Sniff

Brian Shen
3 min read, May 13, 2020

--

1. Intro — What is MIME Type

A Multipurpose Internet Mail Extensions (MIME) type is a standard that indicates the nature and format of a document, file, or assortment of bytes.

Browsers use the MIME type, not the file extension, to determine how to process a URL. So it’s important that web servers send the correct MIME type in the response’s Content-Type header. If this header is not correctly configured, browsers are likely to misinterpret the contents of files and sites will not work correctly, and downloaded files may be mishandled.

General Types ( MDN ):

  • application (application/octet-stream, application/pdf, application/pkcs8, and application/zip)
  • audio ( audio/mpeg, audio/vorbis)
  • font ( font/woff, font/ttf, and font/otf)
  • image ( image/jpeg, image/png, image/gif, and image/svg+xml)
  • model ( model/3mf and model/vml)
  • text (text/html, text/plain, text/javascript, text/css)
  • video ( video/mp4)

2. What’s MIME sniffing

In the absence of a MIME type, or in certain cases where browsers believe they are incorrect, browsers may perform MIME sniffing — guessing the correct MIME type by looking at the bytes of the resource.

Each browser performs MIME sniffing differently and under different circumstances. (For example, Safari will look at the file extension in the URL if the sent MIME type is unsuitable.) There are security concerns as some MIME types represent executable content. Servers can prevent MIME sniffing by sending the X-Content-Type-Options header.

3. Sample

Though we haven’t set any special content type, our blog system seems to work correctly. Let’s see what the default type of the files in our blog system is:

Since our system is a blog system, users may

  • upload their own files
  • write the blog in HTML format

We can implement some pre-checks on file formats, but malicious users can simply change file extensions. Now let’s assume that a malicious user writes a blog post ( viewBlog.html ) that references a text file from a script tag.

In userImage.txt, some bad scripts are embedded.

And run our system:

npm i
npm start

Let’s visit our blogView.html page. The plain text file has been executed as a script!

Under this condition, a malicious user’s script is imported into the page, and a stored (persistent) XSS attack becomes possible.

4. How to fix

  • Stop the browser from performing MIME sniffing (send the X-Content-Type-Options: nosniff header)
  • Send the correct MIME type in the Content-Type header

Now let’s build a safe version of the site, indexSafe.js :

And run our system:

npm run-script startSafe

The plain txt file won’t be executed any more.

What is this place? Nanjing City Wall, Nanjing, Jiangsu, China

