MIME Sniffing
What is MIME Sniffing?
Browser behaviour of guessing a response's content type from its bytes, which can be exploited to execute uploaded files as scripts.
MIME sniffing is a legacy browser feature in which the browser inspects the first bytes of a response and overrides the server-declared Content-Type header to render the resource more usefully. Attackers abuse this when an application serves user-uploaded files with an incorrect type: a file containing HTML or JavaScript may be sniffed as text/html and executed in the victim's origin, enabling stored XSS. The standard mitigation is to send the response header X-Content-Type-Options: nosniff, which forces the browser to respect the declared type. Combine with strict Content-Type values, CSP, and serving user content from a separate origin.
● Examples
- 01: X-Content-Type-Options: nosniff
- 02: An avatar upload endpoint that returns image/png but the file is HTML; without nosniff, browsers execute it as a page.
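The avatar scenario above, worked through on the server side as an added example (this is illustrative code, not from the original page): a hypothetical upload handler checks that the stored bytes really carry the declared image type and do not start with HTML markup, and the response for served files pins the type with nosniff and a restrictive CSP. The type allow-list, the HTML-marker heuristic and the sample payloads are all constructed for the example.

```python
import re

# Allow-list of image types the hypothetical avatar endpoint accepts, keyed to
# the magic bytes each format starts with (constructed for this example).
MAGIC_BYTES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Tags that legacy sniffers treat as "this is HTML" when seen near the start
# of a body; the list is illustrative, not a browser's exact table.
HTML_MARKERS = re.compile(rb"<\s*(!doctype|html|script|iframe|body|head|meta|svg)", re.I)


def looks_like_html(data: bytes) -> bool:
    """Server-side approximation of the browser heuristic: HTML tags in the lead-in bytes?"""
    return HTML_MARKERS.search(data[:512].lstrip()) is not None


def matches_declared_type(data: bytes, declared: str) -> bool:
    """True only if the declared type is allow-listed and the bytes carry its signature."""
    signatures = MAGIC_BYTES.get(declared)
    return signatures is not None and any(data.startswith(s) for s in signatures)


def validate_upload(data: bytes, declared: str):
    """Return (accepted, reason). Rejects HTML stored under an image type and
    image/HTML polyglots whose leading bytes contain markup."""
    if not matches_declared_type(data, declared):
        return False, "bytes do not match declared type"
    if looks_like_html(data):
        return False, "body contains HTML markup"
    return True, "ok"


def response_headers(content_type: str) -> dict:
    """Headers for serving a stored avatar: strict type, nosniff, and a CSP that
    leaves nothing executable even if the file is opened as a document."""
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed sample: HTML uploaded as an "avatar" with image/png declared.
    print(validate_upload(b"<html><body>hello</body></html>", "image/png"))
    print(validate_upload(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32, "image/png"))
```

The magic-byte check stops the mismatch at upload time; the nosniff header protects files that were stored before the check existed.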
● Frequently asked questions
What is MIME Sniffing?
Browser behaviour of guessing a response's content type from its bytes, which can be exploited to execute uploaded files as scripts. It belongs to the Application Security category of cybersecurity.
What does MIME Sniffing mean?
Browser behaviour of guessing a response's content type from its bytes, which can be exploited to execute uploaded files as scripts.
How does MIME Sniffing work?
MIME sniffing is a legacy browser feature in which the browser inspects the first bytes of a response and overrides the server-declared Content-Type header to render the resource more usefully. Attackers abuse this when an application serves user-uploaded files with an incorrect type: a file containing HTML or JavaScript may be sniffed as text/html and executed in the victim's origin, enabling stored XSS. The standard mitigation is to send the response header X-Content-Type-Options: nosniff, which forces the browser to respect the declared type. Combine with strict Content-Type values, CSP, and serving user content from a separate origin.
How do you defend against MIME Sniffing?
Defences for MIME Sniffing combine the controls described above: send X-Content-Type-Options: nosniff on every response, declare strict and accurate Content-Type values for served files, apply a Content Security Policy, and serve user-uploaded content from a separate origin.
● Related terms
- appsec№ 496
HTTP Security Headers
Response headers that instruct browsers to enforce defensive behaviour such as HTTPS-only, framing restrictions, content policies and referrer controls.
- attacks№ 240
Cross-Site Scripting (XSS)
A web vulnerability that allows attackers to inject malicious scripts into pages viewed by other users, executing in the victim's browser under the site's origin.
- appsec№ 214
Content Security Policy (CSP)
An HTTP response header that tells the browser which sources of scripts, styles, frames and other content are allowed, limiting the impact of XSS and data-injection attacks.
- attacks№ 541
Insecure File Upload
A web vulnerability where an application accepts user-supplied files without proper validation, allowing attackers to upload malicious files that lead to RCE, defacement, or data theft.
- appsec№ 960
Same-Origin Policy (SOP)
Browser security rule that restricts how a document or script loaded from one origin can interact with a resource from a different origin.
- appsec№ 982
Secure Coding
The practice of writing source code in ways that minimize security defects, following defensive patterns, language-specific rules and recognized guidelines.