MIME and Media Type sniffing explained and the type of attacks it leads to

Any content served over HTTP "should" carry metadata about its type, so that the browser or client knows what to do with the content it receives. For example, if the Content-Type header indicates an image, the browser displays it; if it indicates HTML, the browser renders the markup and executes any JavaScript in it.

The Content-Type header is optional, however, and webmasters sometimes do not set it, which leaves the browser guessing about the type of content it is consuming. So browsers had to implement parsing and "sniffing" heuristics to detect the content type when no Content-Type header was served.

However, this caused security problems and attacks, which we explain in this video! To prevent sniffing, a web server can return X-Content-Type-Options: nosniff, which tells browsers not to sniff the content.

Cheers!
Hussein Nasser
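As an added example (not code from the video), the following Python models the browser decision described above, using a simplified subset of the WHATWG MIME Sniffing and Fetch rules with constructed sample bodies. It shows that a response with no usable Content-Type is promoted to text/html only when nosniff is absent, that an image type is still sniffed among image formats even when Content-Type is present, and that with nosniff a script or stylesheet whose declared type mismatches is refused, which is the "blocked due to MIME type mismatch" error quoted in the comments. The tag list, magic numbers and JavaScript MIME type set are abbreviated from the standards, not exhaustive.

```python
# Simplified subset of the WHATWG MIME Sniffing / Fetch rules (assumed, not
# exhaustive); added example, not code from the video. Sample bodies are constructed.
HTML_TAGS = (b"<!DOCTYPE HTML", b"<HTML", b"<HEAD", b"<SCRIPT", b"<IFRAME",
             b"<BODY", b"<DIV", b"<P", b"<A")
MAGIC = [(b"\xff\xd8\xff", "image/jpeg"), (b"\x89PNG\r\n\x1a\n", "image/png"),
         (b"GIF87a", "image/gif"), (b"GIF89a", "image/gif"), (b"%PDF-", "application/pdf")]
BINARY_BYTES = set(range(0x09)) | {0x0b} | set(range(0x0e, 0x1b)) | set(range(0x1c, 0x20))
UNKNOWN = {None, "unknown/unknown", "application/unknown", "*/*"}
JS_TYPES = {"text/javascript", "application/javascript", "application/x-javascript",
            "text/ecmascript", "application/ecmascript"}

def sniff_unknown(body: bytes, sniff_scriptable: bool) -> str:
    """Identify a resource served without a usable Content-Type."""
    head = body[:1445]                  # the spec inspects only the first 1445 bytes
    if sniff_scriptable:                # cleared by nosniff: never promote to HTML
        text = head.lstrip(b"\t\n\x0c\r ")
        for tag in HTML_TAGS:
            n = len(tag)
            if text[:n].upper() == tag and text[n:n + 1] in (b" ", b">"):
                return "text/html"
    for magic, mime in MAGIC:           # magic numbers are matched regardless of nosniff
        if head.startswith(magic):
            return mime
    return "application/octet-stream" if any(b in BINARY_BYTES for b in head) else "text/plain"

def computed_type(content_type, nosniff: bool, body: bytes) -> str:
    """Type the browser treats the response as, given the header and the body."""
    essence = content_type.split(";")[0].strip().lower() if content_type else None
    if essence in UNKNOWN:
        return sniff_unknown(body, sniff_scriptable=not nosniff)
    if nosniff:                         # nosniff: the declared type wins, full stop
        return essence
    if essence.startswith("image/"):    # still sniffed among image formats without nosniff
        for magic, mime in MAGIC:
            if body.startswith(magic) and mime.startswith("image/"):
                return mime
    return essence

def blocked_by_nosniff(destination: str, content_type, nosniff: bool) -> bool:
    """Fetch's nosniff block: only script and style loads are refused on a mismatch."""
    if not nosniff:
        return False
    essence = (content_type or "").split(";")[0].strip().lower()
    if destination == "script":
        return essence not in JS_TYPES
    if destination == "style":
        return essence != "text/css"
    return False                        # images etc. are not blocked, just decoded as declared
```

Note that this models current browser behaviour: a body of HTML declared as image/jpeg stays image/jpeg (a broken image), which is exactly the case old sniffing browsers got wrong.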
Comments

Hey thanks for the video!
So for example: An attacker uploads a malicious HTML file with a .jpg extension, essentially targeting users with older browsers. These older browsers, like IE6, are vulnerable to this attack because they make use of content sniffing. Content sniffing is a browser feature that tries to guess a file's MIME type by reading its content.

There are two problems now: First of all, the server has been a target of an attack and now hosts a malicious file. Second, users with old browsers become victims when they open the file.

In order to mitigate the situation, we as web developers can set the X-Content-Type-Options header on our responses so old browsers won't try to guess the MIME type (solving only problem 2). Correct?

Only browsers honoring the X-Content-Type-Options header are safe. When was this header introduced? Was IE6 for example updated by Microsoft to honor this header?

So what I'm saying is that the suggested mitigating solution is only an attempt to solve this problem right? I'm trying to understand, as I'm researching some common alerts the OWASP ZAP tool gives me.

crown-is

Wow, someone actually knows how to explain things, finally.

NS-yjfx

I felt a little confusion in your explanation (or maybe I didn't understand what you meant well enough).
You could have a "Content-Type" header and still notice MIME sniffing, we prevent that with the X-Content-Type-Options header (that you mentioned at the end).
Therefore, MIME sniffing doesn't occur only when the header "Content-Type" is not present.

Resource: developer.mozilla.org > Content-Type

Paragraph:
"In responses, a Content-Type header tells the client what the content type of the returned content actually is.
Browsers will do MIME sniffing in some cases and will not necessarily follow the value of this header; to prevent this behavior, the header X-Content-Type-Options can be set to nosniff."

kenzotenma

Thank You SO Much Buddy !
It was fun learning mime Sniff !!
Looking forward to learn more exciting things from you !
Cheers !

athangbachhav

That's the damn best explanatory video I have ever seen. Subscribed and hope for more content in the future.

Marclisek

THANK YOU VERY MUCH!
Helps for CTFs which you should do a walk through on!

nemesisc

Awesome stuff, and nice job keeping it entertaining. Really broke it down eli5 style and helped me out!

georgenam

Great stuff buddy, you really cleared my doubt. Thanks for this great video.

dineshsharma

Nice video again 👌 Do common web servers such as node http-server and the Apache web server add the Content-Type automatically while serving static files?

palaniappanrm

Thanks for explaining in such a great way.

shayansec

Great explanation, Thank you very much

salsalsal

Great video, you explain very well! I just think it would be much better for the listener if you had a proper microphone.
The use of Gliffy could be improved using PowerPoint, but it's rather amusing to see your interaction with the material.

Thank you!

Davidepalte

I'm having trouble with this in an SSR app, particularly getting images to show in my views/*.ejs files. Or loading any static resource like CSS, JavaScript, images.

Resource from was blocked due to MIME-Type ("text/html") mismatch (X-content-type-options: nosniff)

I am using helmet with express, could that be the reason?

Is it because my /views/ directory is behind or on the same level as my /public/ directory in terms of relative paths?

Appreciate the vids my dude, every time I have a weird problem, you always have a video explaining it, props.

tyrrelldavis

So you said that it runs Badjs, but where is the Badjs file (script file) located? On your server, right?

age

Nice video! But you said devs don't want to create a MIME-Type for each of their files. So what happens if they activate the No-Sniffing header? That means they need to set the MIME-Type for each file they serve, no?

yadusolparterre

Nice video, I have read a lot of documents but I didn't understand what it is exactly. But now I understood. Could you please make more videos on security points like x-frame-option, x-xss-protection etc. So it will be beneficial for us. Thank you.

sundaramjha

I really like your video, a fun way to learn.

abe