
Assume that it is possible to host arbitrary files on goodguys.com, which are delivered with an attacker-controlled MIME type and X-Content-Type-Options=nosniff. Which MIME types allow for XSS when used as src of an iframe, target of a link or in other ways in reasonably modern browsers? I know of at least text/html and image/svg+xml, but are there others?

Edit: I want to stress that a blacklist approach based on MIME types is not a good idea. The motivation for the question is that I could use interesting answers as convincing arguments in favor of MIME whitelists.

  • off the top of my head: xhtml, hta, xml+xslt, swf, and pdf (sometimes). – dandavis Aug 20 '17 at 10:44
  • That's an interesting question, but you won't get a comprehensive list covering all major browsers. If you're planning a real-life implementation, you should go with a whitelist of harmless content types instead of blacklisting dangerous ones. – Arminius Aug 20 '17 at 15:51
  • @Arminius: Thanks for pointing this out, the approach described in my question is certainly not advisable. I have edited the question to clarify why I'm asking it. – Fabian Meumertzheim Aug 20 '17 at 16:10

1 Answer


You won't be able to assemble a comprehensive list of dangerous MIME types.

While it's straightforward to block text/html, text/xml, image/svg+xml, etc., there are many obscure legacy or vendor-specific MIME types that aren't widely known and might work in some browsers. E.g., the MIME type application/vnd.wap.xhtml+xml is understood as XML in Firefox while it won't trigger in Chrome at all. Proof of concept:

data:application/vnd.wap.xhtml+xml,<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(1)</x:script>

Also, there are MIME types that don't immediately lead to XSS but have side effects. E.g., an attacker might want to trick a user into installing a Firefox plugin by supplying content with an application/x-xpinstall MIME type. (This attack will have some additional hurdles, but you get the idea.)

Finally, third-party vendors might also register their own custom MIME types (think Flash applets with application/x-shockwave-flash, Java applets, embedded media players, etc.), some of which have the ability to execute script code. It will be hard to keep track of these on your blacklist.

In conclusion: if you're planning a real-life implementation, you should whitelist harmless MIME types instead of blacklisting dangerous ones.

Arminius
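As an added example (not code from the original post), a server-side Content-Type policy in Python that contrasts the two approaches the answer discusses: a denylist built from the types named in this thread still lets application/vnd.wap.xhtml+xml through, while an allowlist of inert types rejects it and forces a download. The type sets and header layout are constructed assumptions, not a recommendation for any particular product.

```python
"""Content-Type policy for serving user-supplied files: denylist vs allowlist.

Constructed example (not from the original post). The denylist mirrors the
types named in the thread; the allowlist is an illustrative set of types that
browsers render without executing script.
"""
import re

# Script-capable types someone might denylist (taken from the thread).
DENIED_TYPES = {"text/html", "text/xml", "application/xhtml+xml", "image/svg+xml"}

# Types served inline; everything else becomes an opaque download.
# (Constructed allowlist; adjust to what your application actually needs.)
SAFE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp",
              "text/plain", "audio/mpeg", "video/mp4"}

FALLBACK_TYPE = "application/octet-stream"


def normalize(content_type: str) -> str:
    """Lower-case the media type and strip parameters such as '; charset=utf-8'."""
    return content_type.split(";", 1)[0].strip().lower()


def denylist_allows(content_type: str) -> bool:
    """Denylist policy: anything not explicitly denied is served as declared."""
    return normalize(content_type) not in DENIED_TYPES


def allowlist_allows(content_type: str) -> bool:
    """Allowlist policy: only known-inert types are served as declared."""
    return normalize(content_type) in SAFE_TYPES


def response_headers(declared_type: str, filename: str) -> dict:
    """Build response headers for a hosted file under the allowlist policy.

    nosniff is always set so the browser honours the declared type instead of
    sniffing markup out of the body; a type outside the allowlist is replaced
    by an opaque type and forced to a download rather than rendered.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    if allowlist_allows(declared_type):
        return {"Content-Type": normalize(declared_type),
                "X-Content-Type-Options": "nosniff",
                "Content-Disposition": f'inline; filename="{safe_name}"'}
    return {"Content-Type": FALLBACK_TYPE,
            "X-Content-Type-Options": "nosniff",
            "Content-Disposition": f'attachment; filename="{safe_name}"'}
```

Running `denylist_allows("application/vnd.wap.xhtml+xml")` returns True while `allowlist_allows` returns False for the same type, which is the gap the answer describes.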