Content types matter more than you think #security

Azareal

https://textslashplain.com/2018/01/08/content-types-matter-more-than-you-think/
http://www.thinkfu.com/g00/blog/gifjavascript-polyglots?i10c.encReferrer=&i10c.ua=1&i10c.dv=14
https://github.com/golang/go/issues/24513#issuecomment-387779762
There are plenty of articles on this.

One possible mitigation would be to set the `X-Content-Type-Options: nosniff` HTTP header for all requests to avoid a user uploading an image and tricking the browser into interpreting it as a script or any of the other tricks.
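As an added illustration of that mitigation (example code, not from the post or from any project mentioned in it), here is a small Go middleware that stamps `X-Content-Type-Options: nosniff` onto every response before the wrapped handler writes anything, plus a helper that performs an in-process request so the header can be checked. The names `NoSniff`, `serveUpload` and `HeadersFor` are assumptions for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// NoSniff wraps a handler and sets X-Content-Type-Options: nosniff on every
// response, so the browser honours the declared Content-Type instead of
// guessing one from the body. Hypothetical name, constructed for this example.
func NoSniff(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Set the header before calling next: anything added after the
		// handler calls WriteHeader (explicitly or via Write) is discarded.
		w.Header().Set("X-Content-Type-Options", "nosniff")
		next.ServeHTTP(w, r)
	})
}

// serveUpload stands in for a handler that returns a user-uploaded file.
// The declared type is what the browser will now be held to.
func serveUpload(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "image/gif")
	_, _ = w.Write([]byte("GIF89a")) // constructed placeholder body
}

// HeadersFor performs an in-process GET against h and returns the response
// headers, so a test can confirm the middleware actually applied.
func HeadersFor(h http.Handler, target string) http.Header {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Result().Header
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/uploads/", serveUpload)

	// Wrap the whole mux, not individual routes, so 404s and redirects
	// (non-empty bodies too) carry the header as well.
	hdr := HeadersFor(NoSniff(mux), "/uploads/avatar.gif")
	fmt.Println("X-Content-Type-Options:", hdr.Get("X-Content-Type-Options"))
	fmt.Println("Content-Type:", hdr.Get("Content-Type"))
}
```

Wrapping the top-level mux rather than each route is the point: the header only helps for responses that actually carry it, and the easiest response to forget is the one nobody wrote a handler for.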
 
Until something or someone bypasses it, then the security has to be rewritten again.
 
> Until something or someone bypasses it, then the security has to be rewritten again.
I'll try to translate these documents better then:

Mozilla are pretty incompetent in this case, to be honest.
They've been telling people that it's an IE issue in their likely outdated documentation and people just parrot it.

It's a pretty nasty security vulnerability which even lets third-party sites or adversaries read arbitrary memory, allowing them to lift passwords, CSRF tokens, and whatever else.
Google recommended using nosniff for all requests with a non-empty body.

Also, no security is perfect, but if it can stop those response bodies from being sniffed, then that's a lot of code paths which won't be hit.
As for a forum, someone can just upload an image with a script embedded in the metadata for the thing and it'll slip right by your defences without the header.

When I heard about the vulnerability, it almost gave me a heart attack (not literally) and I pushed a security patch within half an hour.
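To make the "image with a script embedded in it" point concrete from the defender's side, here is an added Go example (constructed for this thread, not Azareal's code or any forum's) of the check an upload handler can do at ingest time. It sniffs the first bytes with `http.DetectContentType`, which implements the same MIME sniffing rules a browser uses, so a file that begins with a valid GIF magic number still sniffs as `image/gif` whatever text follows it. The handler therefore does not try to spot script inside the image; it pins the type down instead: the sniffed type must be on an image allowlist, the claimed extension must agree with it, and the returned type is what the file is later served with (alongside nosniff, so the browser cannot reinterpret it). `ClassifyUpload`, `allowedImages` and the sample bytes are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"path"
	"strings"
)

// Constructed allowlist for this example: sniffed MIME type -> extensions
// an upload is allowed to claim for it.
var allowedImages = map[string][]string{
	"image/gif":  {".gif"},
	"image/png":  {".png"},
	"image/jpeg": {".jpg", ".jpeg"},
}

var (
	ErrNotImage    = errors.New("upload is not an allowed image type")
	ErrExtMismatch = errors.New("file extension does not match sniffed content")
)

// ClassifyUpload (hypothetical name) sniffs an upload the way a browser
// would, rejects anything outside the allowlist, and requires the claimed
// filename extension to agree with the sniffed type. On success it returns
// the MIME type the stored file must be served with.
func ClassifyUpload(filename string, data []byte) (string, error) {
	// DetectContentType considers at most the first 512 bytes and always
	// returns a valid MIME type (text/plain or application/octet-stream
	// when nothing matches).
	sniffed := http.DetectContentType(data)
	// Drop parameters such as "; charset=utf-8" before the allowlist lookup.
	mime := strings.TrimSpace(strings.SplitN(sniffed, ";", 2)[0])

	exts, ok := allowedImages[mime]
	if !ok {
		return "", fmt.Errorf("%w: sniffed as %q", ErrNotImage, sniffed)
	}
	ext := strings.ToLower(path.Ext(filename))
	for _, e := range exts {
		if e == ext {
			return mime, nil
		}
	}
	return "", fmt.Errorf("%w: %q claimed, content is %s", ErrExtMismatch, ext, mime)
}

func main() {
	// Constructed samples, not real uploads. The first starts with a valid
	// GIF magic number and then carries script-looking text: the sniffer
	// still classifies it as image/gif, so the type it is served under is
	// what keeps it an image in the browser.
	polyglot := []byte("GIF89a/* script-looking text after the GIF magic number */")
	samples := []struct {
		name string
		data []byte
	}{
		{"avatar.gif", polyglot},
		{"avatar.png", polyglot}, // extension disagrees with the bytes
		{"page.gif", []byte("<!DOCTYPE html><p>not an image</p>")},
	}
	for _, s := range samples {
		mime, err := ClassifyUpload(s.name, s.data)
		if err != nil {
			fmt.Printf("%-11s rejected: %v\n", s.name, err)
			continue
		}
		fmt.Printf("%-11s accepted, serve with Content-Type: %s\n", s.name, mime)
	}
}
```

The extension check matters because the served Content-Type is usually derived from the stored filename; letting the sniffed type and the extension disagree is exactly the gap that sniffing on the client would later fill in for the attacker.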
 