What is Lack of Security Headers X-Content-Type-Options Vulnerability?

MIME-type sniffing is a common browser feature: when the HTTP headers sent by the server are inconclusive or absent, the browser inspects the response body to decide how to display it.

Earlier versions of Internet Explorer and Chrome performed MIME-sniffing on the response body, which could cause the response to be interpreted and rendered as a content type other than the one the server intended.

The problem arises when a website lets users upload material that is then published from the web server. If an attacker can craft the uploaded content so that the web application accepts it and the browser sniffs and renders it as HTML, they can carry out an XSS (Cross-site Scripting) attack: script injected into, say, an image file is executed in the victim's browser simply by viewing the image.

Remediation

  • When serving resources, make certain that the Content-Type header matches the type of resource being served. If you are serving an HTML page, for example, send the HTTP header:

      Content-Type: text/html

  • Add the X-Content-Type-Options header with the value “nosniff” to instruct the browser to trust the content-type the site has supplied and not attempt to “sniff” the true content-type:

      X-Content-Type-Options: nosniff
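The two remediation checks above can be verified automatically. The following is an added example (not code from the original article or from ZOFixer): a small checker that, for each response, confirms the Content-Type matches the resource's file extension and that X-Content-Type-Options is set to nosniff. The EXPECTED_TYPES table, the URLs and the header sets are constructed assumptions.

```python
import posixpath
from urllib.parse import urlsplit

# Expected media type per extension. Assumption: a small table for this check;
# extend it to the resource types your site actually serves.
EXPECTED_TYPES = {".html": "text/html", ".js": "text/javascript",
                  ".css": "text/css", ".png": "image/png", ".json": "application/json"}

def media_type(content_type):
    """Lowercase media type of a Content-Type value with parameters (charset=...) dropped."""
    if not content_type or not content_type.strip():
        return None
    return content_type.split(";", 1)[0].strip().lower()

def check_response(url, headers):
    """Findings for one response (URL + header dict); header names matched case-insensitively."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    findings = []
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    expected = EXPECTED_TYPES.get(ext)
    actual = media_type(hdrs.get("content-type"))
    if actual is None:
        findings.append("Content-Type missing: the browser will sniff the body")
    elif expected and actual != expected:
        findings.append(f"Content-Type {actual} does not match {expected} expected for {ext}")
    if (hdrs.get("x-content-type-options") or "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing or wrong")
    return findings

# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "https://app.example/index.html": {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff"},
    "https://app.example/uploads/avatar.png": {
        "Content-Type": "text/plain"},            # mislabelled upload, no nosniff
    "https://app.example/static/app.js": {
        "content-type": "TEXT/JavaScript",
        "x-content-type-options": "NoSniff"},     # case differences are fine
}

def scan(samples=SAMPLES):
    """Map each URL to its findings; an empty list means both checks passed."""
    return {url: check_response(url, h) for url, h in samples.items()}

if __name__ == "__main__":
    for url, findings in scan().items():
        print(url, "OK" if not findings else "; ".join(findings))
```

To check a live server, replace SAMPLES with the headers returned by your HTTP client for each URL.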

The ZOFixer.com security scan helps find this vulnerability in your software and server; you can use it by registering on our website and activating the 30-day trial.
