Firefox hardens protection against MIME confusion attacks

Mozilla Firebox browser seems to have developed a tough stance against the MIME Confusion attacks and as a result, has greatly improvised its MIME sniffing ways. Usually, the web browser detects the format of the file without referring to the metadata sent by the web server.

New logo of Firefox

MIME confusion attacks

Now, if the web server sends Content-Type of “image/jpg” Firefox will override the file type part and automatically execute it as an image file. This method is referred to as “MIME sniffing” colloquially. This method also compensates in the case of complete absence of metadata. While the MIME sniffing is actually used to optimize the users experience it also throws open an attack vector called MIME confusion attack.

Consider a web application that allows users to upload image files but only checks for the valid file extension. Well, in this case, it is relatively easy to bypass the MIME by renaming another type of files to jpeg or any other valid image file extension. The lack of verification will prove to be an avenue for the attacker to package the malicious script and pass it on as an image. The browser then detects the actual content type of the file and thus runs the HTML script allowing a cross-site scripting attack (XSS) or even some of the files can also be made to satisfy two content types, for example, a GIF file is made to pass as a valid image file and also valid javascript.

Beginning from Firefox 50, Firefox will reject stylesheets completely if their images or scripts do not match the MIME types, thus eventually evading the MIME confusion attacks. In such cases, the server sends the response header “X-Content-Type-Options:nosniff”.” The message will be displayed as shown in the screenshot below. Also, we have mentioned the valid content types,

mozilla_mime

– “text/css”

Valid Content-Types for images:
– have to start with “image/”

Valid Content-Types for Scripts:
– “application/javascript”
– “application/x-javascript”
– “application/ecmascript”
– “application/json”
– “text/ecmascript”
– “text/javascript”
– “text/json”

The bottom line is that browsers like Mozilla Firefox are working towards ensuring a more secure web devoid of malware’s and attacks. MIME confusion attacks have been one of the simpler forms of attacks and by clocking the same Firefox has further strengthened its commitment towards internet security.

Source: Mozilla.

Posted by with Tags
Mahit Huilgol has been using Windows on Mobile since the Windows 6. Ever since than i have been following Microsoft developments from close quarters and love writing about it. Eagerly waiting for the time when Windows Phone will be the most preferred OS in the World.