MIME Sniffing Explained: How Browsers Can Misinterpret Content Types


Abel V

I was learning the basics of web app pentesting and came across this topic known as MIME-type sniffing, which is a technique used by web browsers that could lead to serious security concerns. So in this article I’m trying to explain what it is, how it is exploited, and how a developer can secure this feature.

So before learning about MIME-type sniffing, we first need to understand what MIME is and what the Content-Type header in an HTTP response is used for. So let’s start with that first.

MIME stands for Multipurpose Internet Mail Extensions. In simple terms, MIME is a standard that allows different types and formats of data, like text, images, video, audio, documents etc., to be sent and received over the internet.
These different data formats are known as MIME types or media types.
The structure of a MIME type is:

type/subtype

Examples include text/plain for plain text, image/jpeg for JPEG images, audio/mp3 for MP3 audio files, and video/mp4 for MP4 video files.

Basically, Content-Type is an HTTP response header set by the server that tells the browser what kind of content the response holds, thus telling the browser how to interpret it.
So let’s explain its use with an example.

Imagine you are making an HTTP request to a server to download an image. The server sets a Content-Type header field in the HTTP response, which in our case will be:

Content-type: image/jpeg

Now when the browser receives the response, it looks at the Content-Type header, knows that it is an image, and understands that it is supposed to display it.
Similarly, if it gets text/html, the browser tries to render it as a page, and for a JavaScript file it knows that it is supposed to execute the code in it.

Now imagine a scenario where the developer fails to set a Content-Type header, or where the browser believes the header is incorrect. This is where MIME-type sniffing comes into play.

In such cases, web browsers use a sniffing algorithm to analyse the content’s characteristics and determine its MIME type. This includes analysing the first few bytes of the content, looking for patterns or signatures that indicate what type of content it holds.
For example, if the first few bytes of the content look like <html>, <head> etc., then the browser recognises them as HTML tags and interprets the response as HTML.

This approach used by browsers to determine the MIME type is known as MIME sniffing or content sniffing.

If the MIME type specified in the Content-Type header matches the browser’s analysis, the browser trusts the provided MIME type. However, if the MIME type specified in the Content-Type header differs from the browser’s analysis, some browsers may override the provided MIME type and use the one they found from their own analysis.
For example, if the Content-Type header is text/plain, which indicates plain text, and the browser finds HTML tags in the content, then the browser overrides the header and renders the content as HTML instead of plain text.

Now imagine yourself as an attacker and think about what you could do to exploit this feature.
Hope you guessed it right!! Yeah, you can mislead the browser and execute malicious code in the website.
Let’s see with an example how an attacker can exploit this feature, leading to an XSS attack.

1. Crafting the Malicious File:

The attacker creates a file (e.g., an HTML or JavaScript file) and saves it with a MIME type that looks safe, such as “text/plain”:

<!DOCTYPE html>
<html>
<head>
<title>Example</title>
</head>
<body>
<script>alert('XSS')</script>
</body>
</html>

The file’s content is crafted to pass as the safe MIME type, but it actually contains malicious JavaScript code, <script>alert('XSS')</script>.

2. Sending this File to the Victim:

The attacker sends the crafted file to the victim, either as an email attachment, a file download link, or by embedding it within a web page.

3. MIME-type Sniffing by the Browser:

When the victim’s browser receives the file, it analyses the file’s content to determine its MIME type. Due to MIME-type sniffing, the browser may override the specified MIME type “text/plain” and interpret the file as HTML or JavaScript content, despite the MIME type specified in the Content-Type header.

4. Execution of Malicious JavaScript:

As a result, the malicious JavaScript code (<script>alert('XSS')</script>) is executed in the victim’s browser, leading to the display of an alert dialog box with the message “XSS”.

So the mitigation strategy for this attack is fairly simple: all you have to do is set this header in the server’s responses:

X-Content-Type-Options: nosniff

This header tells the browser: “Never attempt to sniff the content.” It prevents the browser from performing MIME sniffing, thus mitigating this risk.
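To make the behaviour described above concrete, here is an added example (not code from the original article): a simplified model of the “first few bytes” sniffing heuristic, a function that predicts which type a browser would act on with and without nosniff, and an audit a defender can run over captured responses. The signature table, the header model and the helper names (sniff, effective_type, audit) are this example’s own assumptions, not a real browser’s algorithm.

```python
import re

# Simplified signatures in the spirit of the "first few bytes" check (an
# assumption of this example, not a browser's real sniffing table).
HTML_TAG = re.compile(rb"^\s*<(!doctype html|html|head|script|body)", re.IGNORECASE)
MAGIC = [(b"\xff\xd8\xff", "image/jpeg"), (b"\x89PNG\r\n\x1a\n", "image/png"),
         (b"GIF87a", "image/gif"), (b"GIF89a", "image/gif")]

def sniff(body: bytes) -> str:
    """Guess a media type from the leading bytes, as a sniffing browser would."""
    head = body[:512]
    for magic, mime in MAGIC:
        if head.startswith(magic):
            return mime
    return "text/html" if HTML_TAG.search(head) else "text/plain"

def _parse(headers: dict):
    h = {k.lower(): v.strip() for k, v in headers.items()}
    declared = h.get("content-type", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").lower() == "nosniff"
    return declared, nosniff

def effective_type(headers: dict, body: bytes) -> str:
    """Type the browser acts on (model): nosniff pins a declared type; without it
    a mismatching declaration is overridden; nosniff with no type never yields HTML."""
    declared, nosniff = _parse(headers)
    if nosniff and declared:
        return declared
    guessed = sniff(body)
    if nosniff and guessed == "text/html":
        return "text/plain"
    return guessed

def audit(headers: dict, body: bytes) -> list:
    """Findings a defender would want to see for one captured response."""
    declared, nosniff = _parse(headers)
    findings = []
    if not declared:
        findings.append("no Content-Type header")
    if not nosniff:
        findings.append("X-Content-Type-Options: nosniff missing")
    effective = effective_type(headers, body)
    if declared and effective != declared:
        findings.append(f"declared {declared} but browser may treat body as {effective}")
    return findings

# Constructed sample: the article's scenario, an HTML body served as text/plain.
BODY = b"<!DOCTYPE html>\n<html><head><title>Example</title></head><body>hi</body></html>"
WEAK = {"Content-Type": "text/plain"}
HARDENED = {"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"}
```

Running audit(WEAK, BODY) reports the missing nosniff header and the text/plain-to-text/html override, while audit(HARDENED, BODY) returns no findings.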
