1

The title says it all. I understand how to exploit XSS via MIME sniffing, but the question is, do you call this type of XSS stored or reflected?

OWASP says

Stored attacks are those where the injected script is permanently stored on the target servers. The victim then retrieves the malicious script from the server when it requests the stored information.

Reflected attacks, on the other hand, usually require some user interaction, like clicking a malicious link for example.

It's a little confusing to me what type of XSS this would come under. I could modify my file to have some JavaScript at the beginning, have the browser interpret it as a JS file and execute it. Does this make it a stored XSS?

Anders
Izy-
  • I think one can construct both reflected and stored XSS utilizing MIME sniffing. The main point of reflected XSS is that something in the request is reflected into the response and executed as script. If this is not happening in your specific (but unknown) example then it cannot be reflected XSS. – Steffen Ullrich Sep 25 '18 at 04:52
  • I think that reflected XSS would work with a malicious URL only, i.e. if you simply remove some unnecessary part of the URL (or request), it would not take place. Whereas in stored XSS, data is stored on the server, and can affect everyone who visits affected pages, even from a new session, using a different URL. So think: if the request is modified such that the same resource is fetched in the end, will the attack happen? If yes, then it's stored, else reflected. – njras Sep 25 '18 at 07:40
  • js files aren't executed by the browser and scripts can be loaded as any content-type. – dandavis Sep 25 '18 at 15:53

1 Answer

2

XSS attacks using MIME sniffing could be both stored and reflected. Anything where the browser is tricked into believing that a file with one MIME type should actually be interpreted as something else could be called a MIME sniffing attack. If the piece of evil data that tricks the browser comes from the URL, we would call it reflected. If it is stored on the server, we would call it stored.

In practice though, I would expect most (almost all) MIME sniffing attacks to be stored. The traditional way of doing it is that you exploit a file upload functionality that e.g. only accepts images by uploading a file containing JavaScript code in the hope that the browser will ignore the image MIME type and go with a script one instead. This line of attack clearly relies on the payload being stored on the server, so it would be stored XSS.

Anders
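As an added example (not code from the question or the answer above), the server-side half of the defence for the stored case the answer describes: the upload handler checks that a file declared as an image actually begins with image magic bytes, so script text disguised as a PNG never reaches storage, and the download path sets the headers that stop the browser from sniffing a stored file into a script. All function names, the accepted-type table and the sample payloads are constructed for this illustration and are not a real project's API.

```python
"""Server-side checks against stored MIME-sniffing XSS (constructed example)."""
from typing import Dict, Optional, Tuple

# Magic-byte signatures for the image types the hypothetical upload form accepts.
# Signature data taken from the PNG, JPEG and GIF file-format specifications.
IMAGE_SIGNATURES: Dict[str, Tuple[bytes, ...]] = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the image MIME type implied by the leading bytes, or None.

    This is the server doing its own, strict sniffing up front, instead of
    leaving the decision to whatever heuristics the victim's browser uses.
    """
    for mime, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def validate_upload(declared_type: str, data: bytes) -> bool:
    """Accept an upload only if the declared type is an allowed image type
    AND the bytes carry that type's signature.

    A file that claims image/png but starts with JavaScript source fails
    here, so the payload the answer describes is never stored. A real PNG
    declared as image/jpeg also fails: the declared and actual types must agree.
    """
    if declared_type not in IMAGE_SIGNATURES:
        return False
    return sniff_image_type(data) == declared_type


def serve_upload_headers(stored_type: str) -> Dict[str, str]:
    """Headers for serving a stored upload.

    X-Content-Type-Options: nosniff tells the browser to honour Content-Type
    rather than guessing; Content-Security-Policy: sandbox keeps any script
    from running with the site's origin even if a bad file slipped through.
    Serving uploads from a separate origin is a deployment decision that
    headers alone cannot provide, so it is not modelled here.
    """
    return {
        "Content-Type": stored_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


# Constructed sample payloads (not real files).
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SCRIPT_AS_PNG = b"var x = 1; // script text disguised as an image\n" + b"\x00" * 16


if __name__ == "__main__":
    print("real PNG accepted:", validate_upload("image/png", REAL_PNG))
    print("script-as-PNG accepted:", validate_upload("image/png", SCRIPT_AS_PNG))
    print("download headers:", serve_upload_headers("image/png"))
```

The magic-byte check alone is not sufficient on its own: polyglot files can carry a valid image header and still parse as something else, which is why the `nosniff` header on the serving side is the check that actually ends the attack class the answer describes, and why uploads are commonly served from a separate, cookie-less origin in addition.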