Example: Let's save the HTML content below as a zip file (test.zip)
<html>
<head>
<script type="text/javascript">
alert("OK");
</script>
</head>
<body>
</body>
</html>
When you browse to the file "test.zip" in Internet Explorer, you will get an alert popup with the message "OK" instead of a download, even though the Content-Type sent by the server is "application/x-zip-compressed" and the file extension is .zip.
Now replace the content of the file with some ordinary plain text and browse to it again. This time you will see that the browser prompts for a download (see below).
From the above example we can conclude that the browser inspects the content of the received file to decide its content type before rendering it.
This means a channel is open for cross-site scripting (XSS): an attacker who can control the content of a file served by the web application can get it rendered as HTML, so the application is vulnerable. To address this, Microsoft first introduced the HTTP header below with the directive "nosniff", which tells the browser not to inspect the content of the file and to simply trust the Content-Type sent by the web server; later almost all browsers implemented this header.
X-Content-Type-Options: nosniff
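As an added example (not code from the original post), the script below models the sniffing decision described above in simplified form and shows the headers a server should send for a file download. The marker list, the two sample bodies standing in for the two versions of test.zip, and the function names are assumptions; real browser sniffing rules are more involved than this model.

```python
# Constructed sample bodies standing in for the two versions of test.zip
HTML_BODY = (b'<html><head><script type="text/javascript">alert("OK");'
             b'</script></head><body></body></html>')
TEXT_BODY = b"just some plain text, nothing to render"

# Assumed markers a sniffing browser looks for in the first bytes of a body
HTML_SNIFF_MARKERS = (b"<html", b"<script", b"<body", b"<head", b"<!doctype html")


def _normalize(headers: dict) -> dict:
    """Lower-case header names and values so lookups are case-insensitive."""
    return {k.lower(): v.strip().lower() for k, v in headers.items()}


def will_render_as_html(headers: dict, body: bytes, sniff_window: int = 256) -> bool:
    """Simplified model: would a sniffing browser treat this response as HTML?"""
    h = _normalize(headers)
    if h.get("content-type", "").startswith("text/html"):
        return True
    # With nosniff the declared type is trusted, so a zip is never rendered.
    if h.get("x-content-type-options") == "nosniff":
        return False
    # Without nosniff, look for HTML markers in the leading bytes of the body.
    head = body[:sniff_window].lower()
    return any(marker in head for marker in HTML_SNIFF_MARKERS)


def download_headers(filename: str,
                     content_type: str = "application/x-zip-compressed") -> dict:
    """Headers a server should send for a user-supplied file download."""
    # Strip quotes and line breaks so the filename cannot break the header.
    safe_name = "".join(c for c in filename if c not in '"\r\n')
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


def audit_headers(headers: dict) -> list:
    """Report defensive headers missing from a download response."""
    h = _normalize(headers)
    findings = []
    if h.get("x-content-type-options") != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if not h.get("content-disposition", "").startswith("attachment"):
        findings.append("Content-Disposition: attachment missing")
    return findings
```

Run audit_headers against the headers a real server returns to confirm both the nosniff directive and the attachment disposition are present on download endpoints.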