Firefox Adds Protection for MIME Confusion Attacks


New MIME confusion attack mitigations added to Firefox 50. Starting with Firefox 50, the browser will feature improved mitigation against MIME confusion attacks, preventing a threat actor from disguising malicious code as other files, mostly images.

Whenever the browser receives a file from the server, Firefox will check the server response for the Content-Type header, which tells it what kind of file it downloaded, like “image/jpeg” or “text/json”.

But not all servers are correctly configured, and sometimes this response is incorrect, or absent altogether.

In these cases, browsers use a technique called MIME sniffing to detect the file type value. They sniff the first few bytes of a file, and they also use the “load context,” meaning the source of the load request. If it’s an IMG tag, then the file is likely an image, and the browser deals with it accordingly, sending it to the multimedia processing component instead of its JavaScript or rendering (CSS) engine.

Unfortunately, this opens the door for MIME confusion attacks on improperly configured servers, or the ones that feature the “X-Content-Type-Options: nosniff” setting.

MIME confusion attacks leveraged to deliver XSS/CSRF code

For example, a MIME confusion attack occurs when an attacker changes the file extension and alters the first few bytes of a JavaScript file, enough to fool a server and browser into thinking it’s an image.

He uploads the image on the target server, and the server thinks it’s an image and saves it in its database. When the file is delivered to other users (as an avatar image for example), the malicious code executes and triggers an XSS or CSRF attack inside the user’s browser.

According to Christoph Kerschbaumer, Security & Privacy Engineer at Mozilla, starting with Firefox 50, the browser will enforce a series of rules to prevent this from happening.

These rules will apply when the server, for various reasons, was misconfigured to use the “X-Content-Type-Options: nosniff” setting.

Firefox 50 will use a strict “load context” approach. This means that if the advertised file type is not what the browser expects for that context, Firefox will refuse to load it, eliminating the risk of an attacker compromising a misconfigured server. This does not eliminate MIME confusion attacks entirely, but it severely reduces the attack surface.

Filter            Valid Content-Types
Stylesheet (CSS)  “text/css”
Images            must start with “image/”
Scripts (JS)      “application/javascript”, “application/x-javascript”,
                  “application/ecmascript”, “application/json”,
                  “text/ecmascript”, “text/javascript”, “text/json”

If these rules aren’t met, Firefox 50 will refuse to load the file and show an error in the browser’s console, like the one below.

[Figure: Firefox console error for possible MIME confusion attacks]