New MIME confusion attack mitigations added to Firefox 50

Starting with Firefox 50, the browser will feature improved mitigation against MIME confusion attacks, preventing a threat actor from disguising malicious code as other files, mostly images.
Whenever the browser receives a file from the server, Firefox will check the server response for the Content-Type header, which tells it what kind of file it downloaded, like “image/jpeg” or “text/json”.
But not all servers are correctly configured, and sometimes this response is incorrect, or absent altogether.
Unfortunately, this opens the door for MIME confusion attacks on improperly configured servers, or the ones that feature the “X-Content-Type-Options: nosniff” setting.
MIME confusion attacks leveraged to deliver XSS/CSRF code
The attacker uploads the image on the target server, and the server thinks it’s an image and saves it in its database. When the file is delivered to other users (as an avatar image, for example), the malicious code executes and triggers an XSS or CSRF attack inside the user’s browser.
According to Christoph Kerschbaumer, Security & Privacy Engineer at Mozilla, starting with Firefox 50, the browser will enforce a series of rules to prevent this from happening.
These rules will apply when the server, for whatever reason, was misconfigured to use the “X-Content-Type-Options: nosniff” setting.
Firefox 50 will use a strict “context load” approach. This means that if the advertised file type is not what the browser expects for that load context, Firefox will refuse to load it, eliminating the risk of an attacker compromising a misconfigured server. This does not eliminate MIME confusion attacks, but it severely reduces the attack surface.
- Images: the Content-Type header must start with “image/”
If these rules aren’t met, Firefox 50 will refuse to load the file and show an error in the browser’s console, like the one below.
Firefox console error for possible MIME confusion attacks
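The decision described above, as an added example that is not Mozilla’s code: a small Python model of the strict check applied to responses that carry “X-Content-Type-Options: nosniff”. The image rule is the one given in the article; the script and stylesheet rules, and the list of accepted JavaScript MIME types, are assumptions about how Firefox treats those contexts, included to show the general shape of the check.

```python
# Added example (not Mozilla's code): a model of the strict "context load"
# check Firefox 50 applies to responses carrying X-Content-Type-Options: nosniff.

# JavaScript MIME types accepted for script loads (assumption, not from the article)
JS_TYPES = {
    "text/javascript", "application/javascript", "application/x-javascript",
    "text/ecmascript", "application/ecmascript",
}

def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response header block into a lowercase-keyed dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def essence(content_type: str) -> str:
    """Strip parameters (e.g. ';charset=utf-8') and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()

def should_block(context: str, headers: dict) -> bool:
    """True if a nosniff response must be refused for context "image",
    "script" or "style". Without nosniff the strict check does not apply
    and the browser falls back to its usual sniffing."""
    if headers.get("x-content-type-options", "").strip().lower() != "nosniff":
        return False
    ctype = essence(headers.get("content-type", ""))
    if context == "image":
        return not ctype.startswith("image/")      # rule given in the article
    if context == "script":
        return ctype not in JS_TYPES                # assumption about Firefox
    if context == "style":
        return ctype != "text/css"                  # assumption about Firefox
    return False

# Constructed sample response: a file uploaded as an avatar but served with an
# HTML Content-Type, the kind of mismatch the article describes.
AVATAR_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("block avatar image load:", should_block("image", parse_headers(AVATAR_RESPONSE)))
```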