CAPEC-209: XSS Using MIME Type Mismatch (Version 2.11)
Attack Pattern ID: 209
Abstraction: Detailed
Status: Draft
Completeness: Complete
+ Summary

An adversary creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. The adversary tricks the victim into accessing a URL that responds with the script file. Some browsers will detect that the specified MIME type of the file does not match the actual type of its content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the adversary's script may run on the target unsanitized, possibly revealing the victim's cookies or executing arbitrary script in their browser.

+ Attack Prerequisites
  • The victim must follow a crafted link that references a scripting file that is mis-typed as a non-executable file.

  • The victim's browser must detect the true type of a mis-labeled scripting file and invoke the appropriate script interpreter without first performing filtering on the content.

+ Typical Severity


+ Examples-Instances


For example, the MIME type text/plain may be used where the actual content is text/javascript or text/html. Since text does not contain scripting instructions, the stated MIME type would indicate that filtering is unnecessary. However, if the target application subsequently determines the file's real type and invokes the appropriate interpreter, scripted content could be invoked.


In another example, img tags in HTML content could reference a renderable type file instead of an expected image file. The file extension and MIME type can describe an image file, but the file content can be text/javascript or text/html resulting in script execution. If the browser assumes all references in img tags are images, and therefore do not need to be filtered for scripts, this would bypass content filters.
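
A server-side check for the two mismatches described above, run before a file is stored or served. This is an added example, not part of the CAPEC entry; the function name `audit`, the token list, and the 1024-byte inspection window are assumptions chosen for illustration, and the sample inputs are constructed.

```python
import re

# Leading bytes that identify common image formats (well-known magic numbers).
IMAGE_MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Tokens a content-sniffing client may treat as HTML or script.
# Heuristic list assumed for this example, not an exhaustive signature set.
MARKUP = re.compile(
    rb"<\s*(?:!doctype|html|head|body|script|iframe|svg|object|embed)\b"
    rb"|javascript:",
    re.IGNORECASE,
)

SNIFF_WINDOW = 1024  # assumption: only the leading bytes are inspected


def audit(declared_type, body):
    """Return a list of findings where content contradicts its declared MIME type."""
    findings = []
    # Drop parameters such as "; charset=utf-8" before comparing.
    mime = declared_type.split(";")[0].strip().lower()
    head = body[:SNIFF_WINDOW]
    # Case 2 in the text: declared as an image but the bytes are not that image.
    if mime in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[mime]):
        findings.append(f"{mime}: magic number missing")
    # Case 1 and 2: a type where scripting is not expected, yet markup is present.
    if (mime == "text/plain" or mime.startswith("image/")) and MARKUP.search(head):
        findings.append(f"{mime}: content contains HTML/script markup")
    return findings


if __name__ == "__main__":
    # Constructed samples: (declared type, body)
    samples = [
        ("text/plain", b"meeting notes, nothing else\n"),
        ("text/plain; charset=utf-8", b"<script>/* constructed sample */</script>"),
        ("image/png", b"<html><body>constructed sample</body></html>"),
        ("image/gif", b"GIF89a<script>/* constructed sample */</script>"),
    ]
    for declared, body in samples:
        print(declared, "->", audit(declared, body) or "ok")
```

The fourth sample passes the magic-number test and is caught only by the markup scan, which is why both checks are applied to image types.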

+ Resources Required

The adversary must have the ability to source the file of the incorrect MIME type containing a script.

+ Content History
CAPEC Content Team | The MITRE Corporation | 2014-06-23 | Internal_CAPEC_Team
CAPEC Content Team | The MITRE Corporation | 2017-05-01 | Updated Activation_Zone, Description Summary, Examples-Instances, Injection_Vector, Payload, Payload_Activation_Impact, Related_Attack_Patterns, Related_Weaknesses, Resources_Required | Internal

Previous Entry Names
Date | Previous Entry Name
2017-05-01 | Cross-Site Scripting Using MIME Type Mismatch

Page Last Updated or Reviewed: August 04, 2017