
MIME Sniffing

A browser behavior that determines a resource's content type by inspecting its contents rather than trusting the server-declared Content-Type header.

MIME sniffing is a browser behavior where the browser analyzes the actual content of a response to determine its type, overriding or supplementing the Content-Type header declared by the server. While intended to handle misconfigured servers gracefully, this behavior introduces security risks when attackers can influence the content being served.

How It Works

When a server responds with a missing, empty, or ambiguous Content-Type header, browsers apply MIME sniffing algorithms to determine how to process the response. The browser examines the first bytes of the content, looking for signatures (magic bytes) that identify known file formats. If the browser detects HTML content in a response served as text/plain, it may render that content as HTML.

This creates an attack vector in applications that allow file uploads or user-generated content. An attacker can upload a file with a .txt or .jpg extension that actually contains HTML and JavaScript. When another user accesses this file, the browser sniffs the content, determines it contains HTML, and renders it accordingly — executing the embedded script in the context of the application's origin.

The attack is particularly effective against applications that serve user-uploaded content from the same domain as the main application. Even if the server correctly sets the Content-Type to text/plain or image/jpeg, a browser performing MIME sniffing may override this and execute the malicious content.

Prevention

The X-Content-Type-Options: nosniff response header instructs browsers to strictly follow the declared Content-Type and not perform MIME sniffing. This single header eliminates the attack vector. Additionally, serving user-uploaded content from a separate domain or subdomain prevents any executed scripts from accessing the main application's cookies and session data. Always setting accurate Content-Type headers provides defense in depth.
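As an added example (not the page's own code), a small Python model of the behaviour described under How It Works and the check described here: `sniff_would_render_html` is a deliberately simplified approximation of browser sniffing as this page describes it (a text/plain or untyped response whose first bytes carry an HTML signature is treated as HTML unless nosniff is set), not the real WHATWG algorithm, and `audit_response` is the header check a defender would run against an upload-serving endpoint. All function names and the sample upload are assumptions constructed for this example.

```python
import re

# HTML signatures a browser looks for near the start of a body (approximation, assumption).
HTML_MARKERS = re.compile(
    rb"^\s*<(!doctype html|html|script|iframe|body|head|object|embed|svg)\b", re.I
)


def looks_like_html(body: bytes) -> bool:
    """True if the leading bytes carry an HTML signature (simplified magic-byte check)."""
    return bool(HTML_MARKERS.search(body[:512]))


def _norm(headers: dict) -> dict:
    """Lower-case header names and values so comparisons are case-insensitive."""
    return {k.lower(): v.strip().lower() for k, v in headers.items()}


def sniff_would_render_html(headers: dict, body: bytes) -> bool:
    """Model of the page's description: with nosniff, only a declared text/html renders as HTML;
    without it, a missing or text/plain Content-Type is sniffed and HTML-looking bytes render as HTML."""
    h = _norm(headers)
    ctype = h.get("content-type", "")
    if h.get("x-content-type-options") == "nosniff":
        return ctype.startswith("text/html")
    sniffable = ctype == "" or ctype.startswith("text/plain")
    return ctype.startswith("text/html") or (sniffable and looks_like_html(body))


def audit_response(headers: dict) -> list[str]:
    """Findings for a response that serves user-uploaded content."""
    h = _norm(headers)
    findings = []
    if h.get("x-content-type-options") != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if not h.get("content-type"):
        findings.append("missing or empty Content-Type")
    return findings


# Constructed sample: a ".txt" upload whose bytes are actually an HTML document.
UPLOAD_BODY = b"<html><body>not really plain text</body></html>"
UNSAFE_HEADERS = {"Content-Type": "text/plain"}
SAFE_HEADERS = {"Content-Type": "text/plain; charset=utf-8",
                "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    for name, hdrs in (("unsafe", UNSAFE_HEADERS), ("safe", SAFE_HEADERS)):
        print(name, "renders as HTML:", sniff_would_render_html(hdrs, UPLOAD_BODY),
              "findings:", audit_response(hdrs))
```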

Why It Matters

MIME sniffing turns seemingly harmless file hosting into a cross-site scripting vector. Applications that handle user uploads without the nosniff header expose their users to script execution attacks through files that appear safe based on their extension and declared content type.
