MIME Sniffing

Abstract:

The web.config file does not include the required header to mitigate MIME sniffing attacks

Explanation:

MIME sniffing, is the practice of inspecting the content of a byte stream to attempt to deduce the file format of the data within it.

If MIME sniffing is not explicitly disabled, some browsers can be manipulated into interpreting data in a way that is not

intended, allowing for cross-site scripting attacks.

For each page that could contain user controllable content, you should use the HTTP Header X-Content-Type-Options: nosniff.

Recommendations:

To mitigate this finding, the programmer can either: (1) set it globally for all pages in the application in the web.config file, or (2)

set the required header page by page for only those pages that might contain user-controllable content.

To set it globally add the header in the web.config file for the application being hosted by Internet Information Services (IIS):

<system.webServer>

<httpProtocol>

<customHeaders>

<add name="X-Content-Type-Options" value="nosniff"/>

</customHeaders>

</httpProtocol>

</system.webServer>

The following examples shows how to add the header to the global Application_BeginRequest method:

void Application_BeginRequest(object sender, EventArgs e)

{

this.Response.Headers["X-Content-Type-Options"] = "nosniff";

}

The following example shows how to add it to a page by implementing a custom HTTP module using the IHttpModule interface

public class XContentTypeOptionsModule : IHttpModule

{

...

void context_PreSendRequestHeaders(object sender, EventArgs e)

{

HttpApplication application = sender as HttpApplication;

if (application == null) return;

if (application.Response.Headers["X-Content-Type-Options"] != null) return;

application.Response.Headers.Add("X-Content-Type-Options", "nosniff");

}

}