Why does Content-Type and Extension matter?
Applications come in many different shapes and sizes and XSS can occur all over the place. It's easy to assume that just because an application returns you a response with unfiltered/unencoded output you've found an exploitable XSS issue but this is often not the case. Browsers render content based on a number of factors including content-type returned by the server, page content and page extension, without the correct combination XSS won't be possible.
To try and get a definitive answer of what works and what doesn't I thought I'd do some testing. I used multiple file types each containing their legitimate content however I also embedded a JavaScript alert payload in each. Each test case was ran against Chrome 43, IE 11 and Firefox 39. In the tables below "yes" means the payload rendered and "no" means it didn't.
In the first test I forced the server to return the correct extension and content-type for each test page.
Content-Type
|
Extension | Chrome | IE | Firefox |
|---|---|---|---|---|
| None | None | yes | yes | yes |
| text/plain | txt | no | no | no |
| text/html | html | yes | yes | yes |
| application/javascript | js | no | no | no |
| application/json | json | no | no | no |
| application/xml | xml | yes | yes | yes |
| text/css | css | no | no | no |
| image/jpeg | jpeg | no | no | no |
Following best practice modern browsers appeared to be pretty secure. The one exception appears to be XML, it seems odd that the browser would allow the rendering of JavaScript in an XML file.
Test #2 - Modifying Extension
In the second test I made the server return the correct content-type but forced a .html extension.
Content-Type
|
Extension | Chrome | IE | Firefox |
|---|---|---|---|---|
| None | html | yes | yes | yes |
| text/plain | html | no | no | no |
| text/html | html | yes | yes | yes |
| application/javascript | html | no | yes | no |
| application/json | html | no | no | no |
| application/xml | html | yes | yes | yes |
| text/css | html | no | no | no |
| image/jpeg | html | no | no | no |
This test seemed to show that browsers will prioritize the use of the content-type over the extension.
Test #3 - Using a text/html Content-Type
In the third test I used the correct extension for each file but made the server return a text/html content-type.
Content-Type
|
Extension | Chrome | IE | Firefox |
|---|---|---|---|---|
| text/html | None | yes | yes | yes |
| text/html | txt | yes | yes | yes |
| text/html | html | yes | yes | yes |
| text/html | js | yes | yes | yes |
| text/html | json | yes | yes | yes |
| text/html | xml | yes | yes | yes |
| text/html | css | yes | yes | yes |
| text/html | jpeg | yes | no | yes |
It looks like browsers rely heavily on the content-type returned by the server. It doesn't matter about the extension or contents of the file, the browser will blindly follow the content-type returned.
Test #4 - Using a text/plain Content-Type
Next I used the correct extension for each file but made the server return a text/plain content-type.
Content-Type
|
Extension | Chrome | IE | Firefox |
|---|---|---|---|---|
| text/plain | txt | no | no | no |
| text/plain | html | no | no | no |
| text/plain | js | no | no | no |
| text/plain | json | no | no | no |
| text/plain | xml | no | no | no |
| text/plain | css | no | no | no |
| text/plain | jpeg | no | no | no |
When using a content-type of text/plain none of the payloads executed. I can't remember for sure, but I believe in the past text/plain used to allow XSS? Looks like this is no longer possible.
Test #5 - MIME sniffing
In this last test case I accessed a page that had no extension and received no content-type header from the server. This should have caused the browser to fall back on mime sniffing to render the page.
MIME
| Content-Type | Extension | Chrome | IE | Firefox |
|---|---|---|---|---|---|
| text/plain | None | None | no | yes | no |
| text/html | None | None | yes | yes | yes |
| application/javascript | None | None | yes | yes | yes |
| application/json | None | None | no | yes | no |
| application/xml | None | None | no | yes | no |
| text/css | None | None | no | yes | no |
| image/jpeg | None | None | no | no | no |
Both Chrome and Firefox refused to render pages that contained additional non-html content. IE however didn't seem to care what the page content was, if it contained HTML it rendered!
Conclusion
Performing application testing on a regular basis I find content-type and extension XSS issues arise quite a lot. This test showed that modern browsers are relatively secure as long as the correct content-type is returned. All browsers also seemed to implement the same analysis techniques aside from IE which seemed slightly more permissive.
Hopefully you guys have found this post useful, if anyone has any suggestions for bypasses to achieve XSS in any of the above, or if I've listed any findings incorrectly (quite possible) drop me a message below :)
Pwndizzle out.
Thanks, very useful information!
ReplyDeleteit was useful for me
ReplyDeleteBy the way, this information will help you to write an abstract for a dissertation. It's important to know
ReplyDeleteGiven article is very helpful and very useful for my admin, and pardon me permission to share articles here hopefully helped :
ReplyDeleteCara Mengobati BAB Berdarah Secara Alami
Cara Menyembuhkan Syaraf Kejepit Secara Alami
Awesome! We’re looking forward your blog
ReplyDeleteI have some suggestions. Here is a blog - Photo editing & photography tips.
This may help you to find something useful
This comment has been removed by the author.
ReplyDeleteIn this post I'll look at which Content-Types and Extensions can actually be used for XSS in modern browsers.
ReplyDeleteDissertation VS Thesis
A paper that determines or describes a specific term is called a definition essay. At first, it seems that there is nothing easier than creating such an academic work. However, you can always buy definition essay.
ReplyDeleteThanks for sharing this nice post. I am surprised to see your work. You shared an informative post. I appreciate you for your good work. Carry on your journey of hard work. Get help from dissertation proposal writing services, a distinctive writing company UK
ReplyDeleteWe support all types of HP printer troubleshooting and service. Just enter the model number of your printer in 123.hp.com/setup to identify the software and drivers your printer requires. Download and install it in your mac and 'Run' the file. The process is easy however if you have any doubts or queries regarding HP printers contact us.
ReplyDeleteWhat a nice blog! I have enjoyed reading through the article although I landed on this site while I was looking for research paper writing, which to which speech time calculator concluded. I will be visiting this site occasionally to read more interesting and intriguing articles. I hope the writer will continually keep us updated with new information.
ReplyDeleteVery nice blog,
ReplyDeleteThanks for sharing grate information.
From: Laptop Technicians
Looking for academic assistance? click this link now It is a place where you’ll get great papers for a reasonable price.
ReplyDeleteSometimes it's a great idea to check some interesting blogs. As well, people can help each other. For example, I prepare some samples of interview paper. It can be a beneficial item for students.
ReplyDeleteIf you're looking to lose fat then you certainly need to try this totally brand new custom keto meal plan.
ReplyDeleteTo produce this keto diet service, licenced nutritionists, personal trainers, and cooks joined together to provide keto meal plans that are useful, convenient, cost-efficient, and enjoyable.
From their first launch in early 2019, hundreds of individuals have already remodeled their body and well-being with the benefits a good keto meal plan can offer.
Speaking of benefits; in this link, you'll discover 8 scientifically-tested ones offered by the keto meal plan.
Such a nice blog you have shared here. Thanks for sharing about this with us.
ReplyDeletePlease visit Call Girls in Kolkata to know why The Call girls in Kolkata are known for their dusky and fair skin tone and you can take the service from any of them according to your wish.
Call girls Kolkata
kolkata call girls
independent call girls in kolkata
high profile call girls in kolkata
escorts in kolkata
photo of call girls in kolkata
call girl services in kolkata
top class Kolkata call girls
air hostess escorts in kolkata
college escorts in kolkata
Kolkata call girls gallery
Photo Gallery of Kolkata Call Girls
Thanks for all the tips mentioned in this article! it???s always good to read things you have heard before and are implementing, but from a different perspective, always pick up some extra bits of information. Visit@:- mcafee.com/activate | office.com/setup | adviser for you || Webroot.com/safe | mcafee.com/activate | norton.com/setup
ReplyDeleteIf you are looking for the law assignment help then in this case you can opt for our Law Assignments help .we provide the best Online law assignment help.We also provide Criminal Law Assignment Help for students across the globe. for more information contact us +16692714848.
ReplyDeleteZic Info (Health & Fitness)
ReplyDeleteThanks For Sharing This Brilliant Article... I have you bookmarked to check your new posts
we appreciate you for this article. if you are interested in bitcoin and want to buy in India then you should know "Is Bitcoin legal in India" and "Is BItcoin allowed in India". here we provide you all about bitcoin and crypto news that's encourage you to invest in.
ReplyDeleteThanks for writing this! It’s exactly how I feel about it! It’s extremely annoying how so many people cheat just to make themselves “look good” .
ReplyDeleteFree WordPress Themes
Free WordPress Portfolio Themes
WebFreeThemes