What is MIME Sniffing? How to Protect Your Website from MIME "Guessing" Attacks


The Issue

As you may already know, alongside securing your website on the server side to ensure that no one can access it and perform unauthorized actions, client-side security is also crucial. Popular web browsers are constantly being updated with security patches and additional technical specifications to enhance their security. Every user wants a browser that offers maximum protection.

MIME types are a specification that indicates the nature and format of a document, file, or sequence of bytes. A simple example: if an API endpoint returns a response with a Content-Type: application/json header, the client immediately knows that the returned data is JSON and can handle it accordingly, instead of having to "guess" whether the data is text, an image, or a video.

[Image: example of a Content-Type response header]

If there is no Content-Type header, or if a browser chooses not to trust the Content-Type it was given, the browser performs a "guessing" process to determine the format of the returned data. This behaviour inadvertently enables an attack known as "MIME sniffing."

What is MIME Sniffing?

MIME sniffing is a technique used by some web browsers (mainly Internet Explorer) to inspect the content of a resource in order to determine the file format of the response body. It is useful when there is not enough information about the content, such as a missing Content-Type header, but it can also lead the browser to interpret the content incorrectly.

Although MIME sniffing can be useful for determining the exact file format of the content, it can also pose security vulnerabilities. These vulnerabilities can be dangerous for both the website owner and the visitors. This is because an attacker can exploit the "guessing" capability of MIME sniffing to perform a Cross-Site Scripting (XSS) attack.

The process of MIME Sniffing is quite simple and involves the following main steps:

  • The web browser requests a resource whose response either lacks a Content-Type header or carries one set by the origin server.
  • The web browser "sniffs" the content to analyze the specific file format of the content.
  • Once the browser has completed the analysis, it compares what it found with what the web server provides in the Content-Type header (if present). If there is a mismatch, the browser will use the MIME type it determines to be associated with the content.

Suppose your website lets users upload files to the server and you only accept a specific image format such as JPG. An attacker can rename an HTML file to .jpg and upload it. When the browser sniffs the content while trying to display the "image", there is a high chance that the HTML will be rendered and any script inside it executed in the browser.
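The sniffing steps listed above and the renamed-HTML upload scenario, as an added example that is not part of the original article. `sniff_mime` mimics the pattern matching a sniffing browser applies to the first bytes of a resource (a subset of the WHATWG MIME Sniffing rules; the pattern tables, the `_looks_like_html` heuristic and the `validate_upload` helper are this example's own, not any browser's or framework's code), and `validate_upload` is the server-side check that rejects an HTML file renamed to .jpg before it is ever stored or served. The sample byte strings are constructed for the demo.

```python
"""Added example: a small MIME sniffer modelled on the WHATWG pattern-matching
rules, plus the upload check a site should run so that an HTML file renamed
to .jpg is rejected before a browser ever gets to "guess" its type."""
import os

# Leading byte patterns for image formats that browsers sniff.
# A None entry in a pattern is a wildcard byte (used by WebP's RIFF size).
IMAGE_PATTERNS = [
    ("image/png", [0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A]),
    ("image/jpeg", [0xFF, 0xD8, 0xFF]),
    ("image/gif", [0x47, 0x49, 0x46, 0x38, 0x37, 0x61]),   # GIF87a
    ("image/gif", [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]),   # GIF89a
    ("image/webp", [0x52, 0x49, 0x46, 0x46, None, None, None, None,
                    0x57, 0x45, 0x42, 0x50, 0x56, 0x50]),
    ("image/bmp", [0x42, 0x4D]),
]

# Tag names whose appearance at the start of a body make a sniffing browser
# treat the bytes as HTML (subset of the WHATWG table, compared case-insensitively).
HTML_TAGS = [b"<!DOCTYPE HTML", b"<HTML", b"<HEAD", b"<SCRIPT", b"<IFRAME",
             b"<H1", b"<DIV", b"<FONT", b"<TABLE", b"<A", b"<STYLE",
             b"<TITLE", b"<B", b"<BODY", b"<BR", b"<P", b"<!--"]

WHITESPACE = b"\t\n\x0c\r "


def _matches(data: bytes, pattern) -> bool:
    """True if data starts with the pattern (None = any byte)."""
    if len(data) < len(pattern):
        return False
    return all(p is None or data[i] == p for i, p in enumerate(pattern))


def _looks_like_html(data: bytes) -> bool:
    """Skip leading whitespace, then require a known tag followed by a
    tag-terminating byte (space or '>'), as a sniffing browser does."""
    body = data.lstrip(WHITESPACE)[:64].upper()
    for tag in HTML_TAGS:
        if body.startswith(tag) and len(body) > len(tag) and body[len(tag)] in b" >":
            return True
    return False


def sniff_mime(data: bytes) -> str:
    """Best guess at what a sniffing browser would make of these bytes."""
    for mime, pattern in IMAGE_PATTERNS:
        if _matches(data, pattern):
            return mime
    if _looks_like_html(data):
        return "text/html"
    return "application/octet-stream"


# Extensions the hypothetical upload endpoint accepts, and what they must sniff as.
ALLOWED = {".jpg": "image/jpeg", ".jpeg": "image/jpeg",
           ".png": "image/png", ".gif": "image/gif"}


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason). The extension alone is never trusted:
    the bytes must sniff to the image type the extension claims."""
    ext = os.path.splitext(filename)[1].lower()
    expected = ALLOWED.get(ext)
    if expected is None:
        return False, f"extension {ext!r} not allowed"
    actual = sniff_mime(data)
    if actual != expected:
        return False, f"content sniffs as {actual}, expected {expected}"
    return True, "ok"


# Constructed sample inputs (not real files).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 28
SAMPLE_HTML_AS_JPG = b"<!DOCTYPE html><html><body>hello</body></html>"

if __name__ == "__main__":
    for name, blob in [("photo.jpg", SAMPLE_JPEG),
                       ("photo.jpg", SAMPLE_HTML_AS_JPG),
                       ("notes.txt", b"plain text")]:
        print(name, sniff_mime(blob), validate_upload(name, blob))
```

The point of running the sniffer on the server is symmetry: whatever a browser would "guess" from the first bytes, the upload handler guesses first and refuses anything that does not agree with the declared extension, so the renamed HTML never reaches a browser as an "image".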

How to Prevent Browser MIME Sniffing

Most modern browsers respect the X-Content-Type-Options header, including Chrome/Chromium, Edge, IE >= 8.0, Firefox >= 50, and Safari >= 11.

[Image: browser support table for X-Content-Type-Options: nosniff]

To set this up, you simply need to include X-Content-Type-Options: nosniff in the HTTP response headers of your server.

For example, if you are using Nginx as the server:

server {
    listen 443 ssl;

    ...

    # Tell browsers to trust the Content-Type header and not sniff the body.
    # Note: add_header directives are inherited from this level only if the
    # location block has no add_header of its own; otherwise repeat this
    # line inside that location block.
    add_header X-Content-Type-Options nosniff;
    ...
}
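A way to verify that a deployed server actually sends the header, as an added example that is not part of the original article: `audit_sniffing` parses a raw HTTP response and reports whether Content-Type is missing (the browser will sniff) and whether X-Content-Type-Options is absent or has a value other than nosniff (the value is compared case-insensitively, as browsers do). The two raw responses are constructed for the demo, not captured from a real server; in practice the bytes would come from a socket read against your own site.

```python
"""Added example: audit an HTTP response for the MIME-sniffing protections
described above. Responses are constructed for the demo."""
from email.parser import BytesParser


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_line, headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    # The email header parser handles RFC 822-style "Name: value" lines
    # and gives case-insensitive lookup, which is what HTTP headers need.
    headers = BytesParser().parsebytes(header_block + b"\r\n")
    return status_line.decode("ascii"), headers


def audit_sniffing(raw: bytes) -> list:
    """Return a list of findings; an empty list means the response is fine."""
    _, headers = parse_response(raw)
    findings = []
    if headers.get("Content-Type") is None:
        findings.append("missing Content-Type: browsers will sniff the body")
    xcto = headers.get("X-Content-Type-Options")
    if xcto is None:
        findings.append("missing X-Content-Type-Options: nosniff")
    elif xcto.strip().lower() != "nosniff":
        findings.append(f"X-Content-Type-Options has unexpected value {xcto!r}")
    return findings


# Constructed responses: one as an unconfigured server might send it,
# one with both headers in place.
WEAK_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                 b"Server: nginx\r\n"
                 b"\r\n"
                 b"<html>hi</html>")

HARDENED_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                     b"Server: nginx\r\n"
                     b"Content-Type: image/jpeg\r\n"
                     b"X-Content-Type-Options: nosniff\r\n"
                     b"\r\n"
                     b"\xff\xd8\xff\xe0")

if __name__ == "__main__":
    for label, raw in [("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)]:
        print(label, audit_sniffing(raw) or ["ok"])
```

Run the audit against every route that serves user-supplied content, not just the front page: with Nginx, a location block that sets its own add_header silently drops the server-level one, which is exactly the kind of gap this check catches.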

Summary

Although this security mechanism may now be a default setting or a "must-have" configuration of web servers, I hope this article provides readers with a deeper understanding of the importance of technical specifications and potential exploitable behaviors that can be used for malicious purposes at any time.

Comments (1)

Update Group, 2 years ago:
Hey, could you write an article about functors, monads, Applicative, and Monoid?