New to CAPEC? Start Here
Home > CAPEC List > CAPEC-209: XSS Using MIME Type Mismatch (Version 3.6)  

CAPEC-209: XSS Using MIME Type Mismatch

Attack Pattern ID: 209
Abstraction: Detailed
Status: Draft
Presentation Filter:
+ Description
An adversary creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. The adversary tricks the victim into accessing a URL that responds with the script file. Some browsers will detect that the specified MIME type of the file does not match the actual type of its content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the adversary's script may run on the target unsanitized, possibly revealing the victim's cookies or executing arbitrary script in their browser.
+ Typical Severity


+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
ChildOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.592Stored XSS
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
  1. The adversary identifies a webpage that allows uploading content through an HTTP POST request. This is typically a blog or forum where other users will access the uploaded content.
  1. The adversary creates a file with scripting content that they wish to be executed on other users' web browsers. This file is then uploaded through a POST request and the MIME type is specified as a file type that cannot execute scripting content, such as text/plain.
  2. The adversary then attempts to access the uploaded content to see if the browser correctly executes their desired scripting content
  1. Once the adversary has determined that their uploaded script will run when accessed, they either wait for users to access the content on their own or they target users to access their content through phishing emails.
  2. The adversary's script can do just about anything, but a common use is to read a user's cookies which may contain a token. This can then be used to launch a Cross Site Request Forgery Attack.
+ Prerequisites
The victim must follow a crafted link that references a scripting file that is mis-typed as a non-executable file.
The victim's browser must detect the true type of a mis-labeled scripting file and invoke the appropriate script interpreter without first performing filtering on the content.
+ Resources Required
The adversary must have the ability to source the file of the incorrect MIME type containing a script.
+ Example Instances
For example, the MIME type text/plain may be used where the actual content is text/javascript or text/html. Since text does not contain scripting instructions, the stated MIME type would indicate that filtering is unnecessary. However, if the target application subsequently determines the file's real type and invokes the appropriate interpreter, scripted content could be invoked.
In another example, img tags in HTML content could reference a renderable type file instead of an expected image file. The file extension and MIME type can describe an image file, but the file content can be text/javascript or text/html resulting in script execution. If the browser assumes all references in img tags are images, and therefore do not need to be filtered for scripts, this would bypass content filters.
+ References
[REF-78] "OWASP Testing Guide". Testing for Stored Cross site scripting (OWASP-DV-002). v4. The Open Web Application Security Project (OWASP). <>.
+ Content History
Submission DateSubmitterOrganization
2014-06-23CAPEC Content TeamThe MITRE Corporation
Modification DateModifierOrganization
2017-05-01CAPEC Content TeamThe MITRE Corporation
Updated Activation_Zone, Description Summary, Examples-Instances, Injection_Vector, Payload, Payload_Activation_Impact, Related_Attack_Patterns, Related_Weaknesses, Resources_Required
2020-12-17CAPEC Content TeamThe MITRE Corporation
Updated Execution_Flow
Previous Entry Names
Change DatePrevious Entry Name
2017-05-01Cross-Site Scripting Using MIME Type Mismatch
More information is available — Please select a different filter.
Page Last Updated or Reviewed: October 21, 2021