DeadmanXXXII/Mr.Mime
Mr.Mime

MIME Content Alterations: Attacks, Bypasses, and Exploits

Introduction

MIME (Multipurpose Internet Mail Extensions) types define how a browser handles and interprets files. MIME misconfigurations can lead to content execution vulnerabilities, security bypasses, and arbitrary file execution.

Threat Overview

Attackers abuse MIME weaknesses for:

Cross-Site Scripting (XSS)

File Upload Exploits

Remote Code Execution

Web Cache Poisoning

MIME Sniffing Attacks

This write-up covers:

✅ Basic MIME Security Risks
✅ Advanced Bypasses for MIME Restrictions
✅ Live Proof of Concepts (PoCs)


1. Basic MIME-Based Attacks

1.1. MIME Type Spoofing

Many servers determine a file's type from its extension instead of verifying the MIME headers. 🚀 Attack: Uploading an HTML file disguised as an image.

PoC: Uploading a disguised file

1. Save a malicious HTML file as evil.png:

```html
<!-- Filename: evil.png -->
<script>alert('XSS Attack!');</script>
```

2. Intercept the request (Burp Suite) and change:

```
Content-Type: image/png
```

3. If the server serves this as an image but the browser sniffs and executes the script, it's vulnerable.

💡 Fix: Validate MIME type after upload, before serving.


1.2. MIME Sniffing Attack

Browsers sometimes guess content types based on content rather than headers. 🚀 Attack: Force a JavaScript file to execute when it's treated as an image.

PoC: Using MIME Sniffing to Execute JS

```html
<!-- Saved as attack.png -->
<script>alert('MIME Sniffing Exploit!');</script>
```

1. If X-Content-Type-Options: nosniff is not set, the browser may execute attack.png as JavaScript.

2. A victim loading:

```html
<script src="https://vulnerable.com/uploads/attack.png"></script>
```

could execute arbitrary JavaScript.

💡 Fix: ✅ Enforce X-Content-Type-Options: nosniff. ✅ Block JS execution in image directories.


1.3. SVG Injection for Persistent XSS

SVG files support JavaScript, making them an excellent XSS vector. 🚀 Attack: Upload an SVG file with embedded JavaScript.

PoC: SVG XSS Attack

```xml
<svg xmlns="http://www.w3.org/2000/svg">
  <script>alert('XSS via SVG!');</script>
</svg>
```

1. If uploaded and served as an image, browsers execute the JavaScript.

2. If CSP allows inline scripts, XSS occurs.

💡 Fix: ✅ Sanitize SVG uploads. ✅ Serve SVGs as Content-Disposition: attachment to prevent inline rendering.
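As an added example (not code from this repository), a sanitizer for the "Sanitize SVG uploads" fix: it removes the script element from the PoC SVG above and also the two other places script hides in an SVG, on* event-handler attributes and javascript: links. The function names and the sample SVG are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep <svg xmlns=...> rather than ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)

# Constructed sample: the write-up's SVG payload plus an event handler and a
# javascript: link, the other two ways script hides inside an SVG.
UNSAFE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    "<script>alert('XSS via SVG!');</script>"
    '<circle r="10" onload="alert(1)"/>'
    '<a xlink:href="javascript:alert(2)"><text>click</text></a>'
    "</svg>"
)


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()


def sanitize_svg(svg_text: str) -> str:
    """Drop script-bearing elements, on* handlers and javascript: URLs; keep the drawing."""
    # Production code should parse with a hardened parser (e.g. defusedxml) to
    # resist entity-expansion attacks; stdlib ElementTree is used here for portability.
    root = ET.fromstring(svg_text)
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in {"script", "foreignobject"}:
                parent.remove(child)
    for elem in root.iter():
        for attr in list(elem.attrib):
            value = elem.attrib[attr].strip().lower()
            if _local(attr).startswith("on") or ("href" in _local(attr) and value.startswith("javascript:")):
                del elem.attrib[attr]
    return ET.tostring(root, encoding="unicode")


def remaining_active_content(svg_text: str) -> list:
    """What a reviewer would still flag: script elements, on* attributes, javascript: links."""
    root = ET.fromstring(svg_text)
    found = []
    for elem in root.iter():
        if _local(elem.tag) in {"script", "foreignobject"}:
            found.append(f"<{_local(elem.tag)}>")
        for attr, value in elem.attrib.items():
            if _local(attr).startswith("on") or value.strip().lower().startswith("javascript:"):
                found.append(f"@{_local(attr)}")
    return found
```

Sanitising is a second line of defence; serving the file with Content-Disposition: attachment, as the fix above says, still applies.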


2. Advanced MIME Defense Bypasses

2.1. Bypassing X-Content-Type-Options: nosniff

If a site enforces nosniff, attackers can trick browsers into interpreting a different MIME type. 🚀 Attack: Use double extension tricks.

PoC: Fake Image Execution

1. Upload a JavaScript file disguised as an image:

```
payload.png.js
invoice.pdf.html
```

2. If the site only checks extensions, browsers may execute:

```html
<script src="https://target.com/uploads/payload.png"></script>
```

💡 Fix: ✅ Enforce server-side MIME validation (not just file extensions). ✅ Use Content-Disposition: attachment for user-uploaded files.


2.2. Polyglot Files (Multiple MIME Interpretations)

Polyglot files work as multiple formats at the same time. 🚀 Attack: Smuggle JavaScript inside a valid image or PDF.

PoC: Image+HTML Polyglot

Create a file that is both an image and executable HTML:

```
ÿØÿà   <!-- JPG header: the bytes FF D8 FF E0, shown here as Latin-1 text -->
<script>alert('Polyglot Attack!');</script>
```

1. If browsers treat this as image/jpeg, it looks normal.

2. If forced into an iframe, some browsers execute the script.

💡 Fix: ✅ Use strict MIME validation tools like file --mime in Linux.
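As an added example (not code from this repository), the server-side validation the fixes in 1.1, 2.1 and 2.2 call for, in one function: it refuses double extensions, requires the extension, the declared Content-Type and the magic bytes to agree, and then rejects bodies that a browser sniffer would still classify as HTML, which catches the JPEG-header polyglot above. The allow-list, the sample files and the function names are constructed for this illustration.

```python
import re
from typing import Optional, Tuple

# Magic bytes for the only types this upload endpoint accepts. SVG is left out on
# purpose: it is XML that can carry script, so it needs sanitising, not sniffing.
SIGNATURES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
    "application/pdf": b"%PDF-",
}
EXTENSIONS = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
              "gif": "image/gif", "pdf": "application/pdf"}
# Tags that make a browser's sniffer classify a body as HTML.
HTML_MARKERS = re.compile(rb"<\s*(!doctype|html|head|body|script|iframe|svg|object|embed)\b", re.I)
SNIFF_WINDOW = 1445  # bytes the MIME Sniffing Standard calls the resource header


def sniff_mime(data: bytes) -> Optional[str]:
    """Classify by leading bytes, as `file --mime` does, ignoring the file name."""
    return next((m for m, magic in SIGNATURES.items() if data.startswith(magic)), None)


def check_upload(filename: str, declared_type: str, data: bytes) -> Tuple[bool, str]:
    """Accept only when name, declared Content-Type and actual bytes all agree."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "need exactly one extension (blocks payload.png.js, invoice.pdf.html)"
    expected = EXTENSIONS.get(parts[1])
    if expected is None:
        return False, f".{parts[1]} is not an accepted type"
    if declared_type.split(";")[0].strip().lower() != expected:
        return False, "declared Content-Type does not match the extension"
    sniffed = sniff_mime(data)
    if sniffed != expected:
        return False, f"content signature is {sniffed}, not {expected}"
    # A correct signature proves little: FF D8 FF E0 followed by <script> is the
    # section 2.2 polyglot, and a sniffer only needs the first bytes to see HTML.
    if HTML_MARKERS.search(data[:SNIFF_WINDOW]):
        return False, "HTML markup inside the sniffing window (polyglot)"
    return True, "accepted"


# Constructed samples mirroring the write-up's PoCs.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + bytes(32)
EVIL_PNG = b"<!-- Filename: evil.png -->\n<script>alert('XSS Attack!');</script>"
POLYGLOT_JPG = b"\xff\xd8\xff\xe0" + b"<script>alert('Polyglot Attack!');</script>"
```

A production check would additionally decode the image with a real parser and re-encode it, so that only pixel data survives the upload.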


2.3. Web Cache Poisoning via MIME Mismatch

🚀 Attack: Cache an HTML page with a wrong MIME type, forcing execution later.

PoC: Poisoning the Cache

1. Upload:

```
Content-Type: text/plain
```

Response stores an HTML page in cache.

2. Later, it’s served as:

```
Content-Type: text/html
```

🚨 The browser now executes previously safe content as HTML.

💡 Fix: ✅ Set Vary: Accept-Encoding to prevent caching manipulations. ✅ Use strong cache-control policies for dynamic content.


3. Real-World Exploit Cases

🔴 Case 1: Facebook CDN XSS via MIME Sniffing

Facebook once served user-uploaded JavaScript files as text/plain.

Attackers tricked browsers into executing them via MIME sniffing.

🟠 Case 2: Google Docs File Execution

Google Drive once allowed HTML execution when renaming a file with an .html extension.

Attackers hosted phishing pages that bypassed CSP protections.


Final Thoughts

How to Prevent MIME Attacks

πŸ›‘οΈ 1. Enforce X-Content-Type-Options: nosniff. πŸ›‘οΈ 2. Validate file types beyond extensions. πŸ›‘οΈ 3. Use strict Content-Disposition to prevent inline execution. πŸ›‘οΈ 4. Restrict untrusted uploads using file signatures. πŸ›‘οΈ 5. Harden web caching to prevent MIME mismatches.

🚀 Bug bounty hunters: MIME misconfigurations still exist on major platforms. Are you testing for them?

#CyberSecurity #BugBounty #WebSecurity #MIMEAttacks #EthicalHacking
