Cross-Site Scripting Using MIME Type Mismatch
Attack Pattern ID: 209 (Standard Attack Pattern Completeness: Complete)Typical Severity: MediumStatus: Draft
+ Description


An attacker creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. Some browsers will detect that the specified MIME type of the file does not match the actual type of the content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the attacker's script may run on the target unsanitized. For example, the MIME type text/plain may be used where the actual content is text/javascript or text/html. Since text does not contain scripting instructions, the stated MIME type would indicate that filtering is unnecessary. However, if the target application subsequently determines the file's real type and invokes the appropriate interpreter, scripted content could be invoked. In another example, img tags in HTML content could reference a renderable type file instead of an expected image file. The file extension and MIME type can describe an image file, but the file content can be text/javascript or text/html resulting in script execution. If the browser assumes all references in img tags are images, and therefore do not need to be filtered for scripts, this would bypass content filters. In a cross-site scripting attack, the attacker tricks the victim into accessing a URL that uploads a script file with an incorrectly specified MIME type. If the victim's browser switches to the appropriate interpreter without filtering, the attack will execute as a standard XSS attack, possibly revealing the victim's cookies or executing arbitrary script in their browser.

+ Attack Prerequisites

The victim must follow a crafted link that references a scripting file that is mis-typed as a non-executable file.

The victim's browser must detect the true type of a mis-labeled scripting file and invoke the appropriate script interpreter without first performing filtering on the content.

+ Resources Required

The attacker must have the ability to source the file of the incorrect MIME type containing a script.

+ Related Weaknesses
CWE-IDWeakness NameWeakness Relationship Type
79Failure to Preserve Web Page Structure ('Cross-site Scripting')Targeted
345Insufficient Verification of Data AuthenticityTargeted
646Reliance on File Name or Extension of Externally-Supplied FileTargeted
+ Related Vulnerabilities
Vulnerability IDRelationship Description

Outlook Express 6.00 allows remote attackers to execute arbitrary script by embedding SCRIPT tags in a message whose MIME content type is text/plain, contrary to the expected behavior that text/plain messages will not run script.

+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfAttack PatternAttack Pattern18Embedding Scripts in Nonscript Elements 
Mechanism of Attack (primary)1000
+ References