CAPEC-209

XSS Using MIME Type Mismatch
MEDIUM
Draft
2014-06-23 00:00 +00:00
2022-02-22 00:00 +00:00


Description

An adversary creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. The adversary tricks the victim into accessing a URL that responds with the script file. Some browsers will detect that the specified MIME type of the file does not match the actual type of its content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the adversary's script may run on the target unsanitized, possibly revealing the victim's cookies or executing arbitrary script in their browser.

Information

Execution Flow

1) Explore

[Survey the application for stored user-controllable inputs] Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all areas that allow a user to upload content through an HTTP POST request. This is typically found in blogs or forums.

Technique
  • Use a spidering tool to follow and record all links and analyze the web pages to find file upload features.
  • Use a proxy tool to record all links visited during a manual traversal of the web application.
  • Use a browser to manually explore the website and analyze how it is constructed. Many browser plugins are available to facilitate the analysis or automate the discovery.

2) Experiment

[Probe identified potential entry points for MIME type mismatch] The adversary uses the entry points gathered in the "Explore" phase as a target list and uploads files with scripting content, but whose MIME type is specified as a file type that cannot execute scripting content. If the application only checks the MIME type of the file, it may let the file through, causing the script to be executed by any user who accesses the file.

Technique
  • Upload a script file with a MIME type of text/plain to a forum and then access the uploaded file to see if the script is executed. If possible, the script displays a unique identifier so the adversary knows for certain it was executed when testing.

3) Experiment

[Store malicious XSS content] Once the adversary has determined which file upload locations are vulnerable to MIME type mismatch, they will upload a malicious script disguised as a non-scripting file. The adversary can have many goals, including stealing session IDs, cookies, credentials, and page content from a victim.

Technique
  • Use a tool such as BeEF to store a hook into the web application. This will alert the adversary when the victim has accessed the content and will give the adversary control over the victim's browser, allowing them access to cookies, user screenshot, user clipboard, and more complex XSS attacks.

4) Exploit

[Get victim to view stored content] In order for the attack to be successful, the victim needs to view the stored malicious content on the webpage.

Technique
  • Send a phishing email to the victim containing a URL that will direct them to the malicious stored content.
  • Simply wait for a victim to view the content. This is viable in situations where content is posted to a popular public forum.

Prerequisites

The victim must follow a crafted link that references a scripting file that is mis-typed as a non-executable file.
The victim's browser must detect the true type of a mis-labeled scripting file and invoke the appropriate script interpreter without first performing filtering on the content.
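
A defender-side sketch of the two controls that break these prerequisites, added here as an example and not part of the CAPEC entry: checking uploaded bytes against the declared type instead of trusting the MIME label, and serving stored files with headers that stop the browser from re-interpreting them. The function names, allow-list and marker list are assumptions made for illustration.

```python
import re

# Constructed, non-exhaustive list of tags that indicate markup or script.
_ACTIVE_MARKERS = re.compile(
    rb"<\s*(?:!doctype\s+html|html|head|body|script|iframe|svg|object|embed)\b",
    re.IGNORECASE,
)

# Allow-list of passive types, with leading magic bytes where the format has them.
_PASSIVE_TYPES = {
    "text/plain": None,
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}

def check_upload(declared_type: str, body: bytes):
    """Return (accepted, reason) by comparing the content with the declared type."""
    mime = declared_type.split(";", 1)[0].strip().lower()
    if mime not in _PASSIVE_TYPES:
        return False, "type not on allow-list"
    magic = _PASSIVE_TYPES[mime]
    if magic is not None and not body.startswith(magic):
        return False, "content does not match declared type"
    # Conservative: a text file that merely quotes markup is rejected too.
    if mime.startswith("text/") and _ACTIVE_MARKERS.search(body):
        return False, "scripting content in passive type"
    return True, "ok"

def download_headers(stored_type: str, filename: str) -> dict:
    """Response headers for serving a stored upload without content sniffing."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": stored_type,
        # Tells the browser to honour Content-Type and not guess from the bytes.
        "X-Content-Type-Options": "nosniff",
        # Forces a download instead of rendering in the site's origin.
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # Defence in depth if the file is rendered anyway.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }

if __name__ == "__main__":
    # Constructed sample: script content labelled as text/plain.
    sample = b"<script>/* constructed sample */</script>"
    print(check_upload("text/plain", sample))
    print(download_headers("text/plain", "notes.txt"))
```

The upload check is a filter and can be bypassed by content it does not recognize; the response headers are the control that addresses the browser behaviour described in the second prerequisite.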

Resources Required

The adversary must have the ability to source the file of the incorrect MIME type containing a script.

Related Weaknesses

CWE-ID Weakness Name
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-646 Reliance on File Name or Extension of Externally-Supplied File
The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion.

References

REF-78

OWASP Testing Guide
http://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OWASP-DV-002)

Submission

Name Organization Date Date Release
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Name Organization Date Comment
CAPEC Content Team The MITRE Corporation 2017-05-01 +00:00 Updated Activation_Zone, Description Summary, Examples-Instances, Injection_Vector, Payload, Payload_Activation_Impact, Related_Attack_Patterns, Related_Weaknesses, Resources_Required
CAPEC Content Team The MITRE Corporation 2020-12-17 +00:00 Updated Execution_Flow
CAPEC Content Team The MITRE Corporation 2022-02-22 +00:00 Updated Execution_Flow