Full Report
The Content-Type response header is used to tell the browser how to render a file. This page lists Content-Type headers together with the format the browser renders them as, which can be used for XSS. It even has a list of browsers that each one works on. Many of the types are obvious, like text/html being rendered as HTML. There are weirder ones referenced too, like text/xsl being rendered as HTML. A space, a comma (,) and a semicolon (;) can all be used as MIME type separators. For instance, text/plain; x=x, text/html is a valid HTML format when rendered by the browser. Additionally, ( and 0x9 (tab) can be used as separators. For instance, text/html(xxx is a valid content type that will be rendered as HTML. A comma can also be used for multiple content types; typically, the last one is the content type processed. My personal favorite part is that they link each content type to a website that proves on the spot that this works. Amazing and simple resource that I love.
Analysis Summary
# Vulnerability: Cross-Site Scripting (XSS) via Content-Type Header Manipulation
## CVE Details
- **CVE ID**: N/A (General architectural flaw/browser behavior)
- **CVSS Score**: 6.1 (Medium) - *Estimated based on typical XSS impact*
- **CWE**: CWE-79 (Improper Neutralization of Input During Web Page Generation) / CWE-436 (Interpretation Conflict)
## Affected Systems
- **Products**: Modern and Legacy Web Browsers (Chrome, Firefox, Safari, Edge, IE).
- **Versions**: Various (Behavior depends on the specific rendering engine's MIME-sniffing and parsing logic).
- **Configurations**: Applications that allow user-controlled input to influence the `Content-Type` response header or applications that serve user-uploaded files with weak header enforcement.
## Vulnerability Description
This research highlights how various `Content-Type` headers, some non-standard or obfuscated, can trigger browsers to render content as HTML or execute embedded scripts. The vulnerability lies in the flexible way browsers parse the `Content-Type` header, specifically regarding separators and multiple type declarations.
Key technical findings include:
- **Obscure HTML Rendering**: Headers like `text/xsl`, `text/xml`, and `image/svg+xml` can execute JavaScript.
- **Separator Manipulation**: Browsers may ignore characters following a valid MIME type. Separators such as spaces, commas (`,`), semicolons (`;`), parentheses (`(`), and even tab characters (`0x09`) can be used to bypass filters while still causing the browser to render HTML.
- **Header Chaining**: In some instances (e.g., `text/plain; x=x, text/html`), the browser may process the last declared type in a comma-separated list, bypassing security middleware that only inspects the prefix of the header.
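To make the interpretation conflict concrete, here is an added example (not code from the original research or from this report) that models the lenient handling described in the three findings above next to the prefix-only check a naive filter performs. The separator set and the "last comma-separated type wins" rule come from the page; the exact cut-off behaviour is an assumption and varies by rendering engine, so treat `browser_effective_type` as a model, not as any browser's parser.

```python
# Added example: a model of lenient Content-Type handling versus a prefix-only
# filter. Not part of the original research; the cut-off rules are an
# approximation of the behaviour the report describes.

# Characters the report lists as terminating the MIME type in lenient parsers.
LENIENT_SEPARATORS = " ;(\t"


def browser_effective_type(header: str) -> str:
    """Approximate which media type a lenient browser acts on.

    1. Comma-separated lists: the last non-empty entry is the one processed.
    2. Within that entry, anything after a space, ';', '(' or tab is ignored.
    """
    candidates = [part for part in header.split(",") if part.strip()]
    if not candidates:
        return ""
    last = candidates[-1].lstrip()
    end = len(last)
    for i, ch in enumerate(last):
        if ch in LENIENT_SEPARATORS:
            end = i
            break
    return last[:end].lower()


def naive_prefix_check(header: str, expected: str = "text/plain") -> bool:
    """What a prefix-only middleware sees: True means 'looks like plain text'."""
    return header.lower().startswith(expected)


def is_html_rendered(header: str) -> bool:
    """True when the model predicts the browser renders the body as HTML."""
    return browser_effective_type(header) == "text/html"


# Constructed header values illustrating the findings above.
SAMPLE_HEADERS = [
    "text/plain",
    "text/plain; charset=utf-8",
    "text/plain; x=x, text/html",
    "text/html(xxx",
    "text/html\tcharset=utf-8",
]


def interpretation_conflicts(headers=SAMPLE_HEADERS):
    """Headers the prefix check accepts as plain text but the model renders as HTML."""
    return [h for h in headers if naive_prefix_check(h) and is_html_rendered(h)]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{h!r:40} prefix-check={naive_prefix_check(h)!s:5} "
              f"effective={browser_effective_type(h)}")
    print("conflicts:", interpretation_conflicts())
```

The single conflicting value in the sample set is the chained header: the filter sees a `text/plain` prefix while the browser acts on the trailing `text/html`. This is why the remediation section below insists on exact-match validation rather than prefix or "contains" checks.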
## Exploitation
- **Status**: PoC available. The research provides live links demonstrating execution across different browsers.
- **Complexity**: Low.
- **Attack Vector**: Network. An attacker typically needs to influence the header returned by a server or upload a file that the server serves via a misconfigured header.
## Impact
- **Confidentiality**: Low/Moderate (Session cookie theft via XSS).
- **Integrity**: Low/Moderate (Unauthorized actions on behalf of the user).
- **Availability**: None.
## Remediation
### Patches
This is not a single software bug but a protocol/parsing behavior. Remediation must occur at the application and server configuration level.
### Workarounds
- **X-Content-Type-Options**: Strictly enforce headers by setting `X-Content-Type-Options: nosniff`. This prevents browsers from "guessing" the content type and deviating from the server-provided header.
- **Content Security Policy (CSP)**: Implement a strong CSP to restrict the execution of inline scripts and unauthorized external scripts.
- **Strict Validation**: Explicitly validate and whitelist allowed `Content-Type` values. Avoid using user input directly in the header.
- **Sanitization**: If serving user-generated content, use a "Download" treatment via `Content-Disposition: attachment; filename="file.ext"` to prevent the browser from rendering it in the document context.
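The four workarounds above combine naturally into one response-header hardening step. The following is an added example, not the project's or the research's code: it takes the headers a handler wants to send plus an assumed route kind (`api`, `page` or `upload`), rejects any `Content-Type` that is not an exact allowlisted string, forces user uploads into a download, and adds `X-Content-Type-Options: nosniff` and a CSP. `ALLOWED_TYPES`, the route kinds and the CSP string are assumptions chosen for the example.

```python
# Added example: apply the listed workarounds to an outgoing header set.
# Route kinds, the allowlist and the CSP value are assumptions for this example.
import re
from typing import Mapping, Optional

# Exact header values per route kind. No parsing, no prefix matching.
ALLOWED_TYPES = {
    "api": {"application/json", "text/plain; charset=utf-8"},
    "page": {"text/html; charset=utf-8"},
}
# Example policy; tune per application.
CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"
# Anything outside this set is replaced, which also removes CR/LF and quotes.
UNSAFE_FILENAME_CHARS = re.compile(r"[^A-Za-z0-9._-]")


class ContentTypeRejected(ValueError):
    """A handler tried to emit a Content-Type outside the allowlist."""


def _find_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Header names are case-insensitive; return the key as stored, if present."""
    return next((k for k in headers if k.lower() == name.lower()), None)


def harden_headers(route_kind: str, headers: Mapping[str, str],
                   filename: Optional[str] = None) -> dict:
    """Return a copy of `headers` with the workarounds applied."""
    out = dict(headers)
    ct_key = _find_header(out, "Content-Type")
    if route_kind == "upload":
        # User-supplied content is never rendered in the document context:
        # force a download with a sanitised file name.
        if ct_key is not None:
            del out[ct_key]
        out["Content-Type"] = "application/octet-stream"
        safe = UNSAFE_FILENAME_CHARS.sub("_", filename or "").lstrip(".") or "download.bin"
        out["Content-Disposition"] = f'attachment; filename="{safe}"'
    else:
        value = out.get(ct_key) if ct_key is not None else None
        # Exact string comparison on purpose: a parser that tolerates extra
        # separators is the very behaviour the bypasses rely on.
        if value not in ALLOWED_TYPES.get(route_kind, set()):
            raise ContentTypeRejected(f"{value!r} is not allowed on {route_kind!r} routes")
    out["X-Content-Type-Options"] = "nosniff"
    out["Content-Security-Policy"] = CSP
    return out


def is_rejected(route_kind: str, headers: Mapping[str, str]) -> bool:
    """Convenience wrapper: True if the hardening step refuses these headers."""
    try:
        harden_headers(route_kind, headers)
    except ContentTypeRejected:
        return True
    return False


if __name__ == "__main__":
    print(harden_headers("api", {"content-type": "application/json"}))
    print(harden_headers("upload", {"Content-Type": "text/html"}, filename='a".html\r\nX: y'))
    print(is_rejected("api", {"Content-Type": "text/plain; x=x, text/html"}))
```

One caveat worth keeping in mind when relying on `nosniff`: it stops the browser from overriding a declared type by inspecting the body, but it does not change how the declared value itself is parsed. The exact-match allowlist is what closes the separator and chaining cases; `nosniff` and the CSP reduce what an attacker gains if something still slips through.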
## Detection
- **Indicators of Compromise**: Presence of multiple MIME types in a single `Content-Type` header or unusual characters (like `(` or `0x09`) within the header value.
- **Detection Methods**:
  - Web Application Firewalls (WAFs) should be configured to flag or block `Content-Type` headers containing non-standard separators.
  - Periodic scanning of application responses for unexpected `text/html` or `text/xml` rendering on endpoints intended for data/plain text.
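The indicators and the periodic-scanning method above can be turned into a small log-review check. The following is an added example, not part of the original research or this report: it reads constructed response-log lines (timestamp, status, path, quoted `Content-Type` value; the format is an assumption), flags values containing multiple types or non-standard separators, flags values that do not match the canonical `type/subtype; param=value` shape, and flags renderable types on path prefixes assumed to serve data rather than documents (`DATA_PREFIXES`, another assumption).

```python
# Added example: apply the detection indicators to captured Content-Type values.
# The log format, sample lines and DATA_PREFIXES are constructed for this example.
import re
from typing import Dict, List

# Canonical shape: token "/" token, then optional ";" parameters. Anything else
# (commas, parentheses, tabs, stray text) fails this match.
_TOKEN = r"[A-Za-z0-9!#$&^_.+-]+"
CANONICAL = re.compile(
    rf"^{_TOKEN}/{_TOKEN}"
    rf"(?:\s*;\s*{_TOKEN}=(?:\"[^\"]*\"|{_TOKEN}))*$"
)
# Types the report identifies as rendering HTML or executing script.
RENDERABLE = {"text/html", "text/xml", "text/xsl", "image/svg+xml"}
# Assumed: endpoints that should only ever return data or plain text.
DATA_PREFIXES = ("/api/", "/files/")

LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<status>\d{3}) (?P<path>\S+) "(?P<ctype>.*)"$')

# Constructed sample log; note the literal tab inside the fifth value.
SAMPLE_LOG = """\
2024-05-01T12:00:00Z 200 /api/notes "application/json"
2024-05-01T12:00:01Z 200 /api/notes "text/plain; x=x, text/html"
2024-05-01T12:00:02Z 200 /files/report.txt "text/html(xxx"
2024-05-01T12:00:03Z 200 /files/logo "image/svg+xml"
2024-05-01T12:00:04Z 200 /api/export "text/plain\tcharset=utf-8"
2024-05-01T12:00:05Z 200 / "text/html; charset=utf-8"
"""


def classify(path: str, ctype: str) -> List[str]:
    """Return the indicator names that apply to one Content-Type value."""
    findings = []
    if "," in ctype:
        findings.append("multiple-types")
    if "(" in ctype or any(ord(ch) < 0x20 for ch in ctype):
        findings.append("odd-separator")
    if not CANONICAL.match(ctype):
        findings.append("non-canonical")
    if path.startswith(DATA_PREFIXES):
        # Pull out every type/subtype token, wherever it sits in the value.
        tokens = set(re.findall(r"[A-Za-z]+/[A-Za-z0-9.+-]+", ctype.lower()))
        if tokens & RENDERABLE:
            findings.append("renderable-type-on-data-endpoint")
    return findings


def scan_log(text: str = SAMPLE_LOG) -> Dict[str, List[str]]:
    """Map each flagged line's timestamp to its findings; clean lines are omitted."""
    results: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        findings = classify(m["path"], m["ctype"])
        if findings:
            results[m["ts"]] = findings
    return results


if __name__ == "__main__":
    for ts, findings in scan_log().items():
        print(ts, ", ".join(findings))
```

The `non-canonical` check is the broadest net: a strict grammar for the header catches separator tricks the other indicators were not written for, so in practice it is the signal to alert on and the others are there to explain why.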
## References
- **Original Research**: hxxps[://]github[.]com/BlackFan/content-type-research/blob/master/XSS[.]md
- **Mozilla MIME Sniffing Documentation**: hxxps[://]developer[.]mozilla[.]org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types
- **OWASP XSS Prevention Cheat Sheet**: hxxps[://]cheatsheetseries[.]owasp[.]org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet[.]html