Support Article

MIME sniffing has not been disabled for HTTP responses.

SA-34536

Summary

MIME sniffing has not been disabled for HTTP responses, which is a possible security threat.


Error Messages

Not Applicable


Steps to Reproduce

Not Applicable


Root Cause

Each type of file delivered from a web server has an associated MIME type (also called a "content-type") that describes the nature of the content, such as image, text, application, and so on.

For compatibility reasons, Internet Explorer has a MIME-sniffing feature that attempts to determine the content-type of each downloaded resource. In some cases, Internet Explorer reports a MIME type different from the type specified by the web server. For example, if Internet Explorer finds HTML content in a file delivered with the HTTP response header Content-Type: text/plain, it determines that the content should be rendered as HTML.

However, MIME sniffing can also lead to security problems: Internet Explorer could misinterpret the content-type of a page and cause undesirable effects. For instance, an attacker could upload a specially crafted file that contained script content, and then send a link to the file to unsuspecting victims. When a victim visits the server using Internet Explorer, the malicious file would be misinterpreted as text/html and the script executed client-side. This script could then steal the victim's cookies, generate a phony page, and so on.

ASVS 2016 check: V11.6 (L1, L2, L3).

Resolution

Install HFix-26866 and update the value of the DSS setting below so that every HTTP response carries the X-Content-Type-Options: nosniff header:

Owning RuleSet: Pega-RulesEngine
Setting Purpose: http/responseHeaders
Value: {"X-Content-Type-Options":"nosniff"}
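The following script is an added example, not part of this article and not Pega code. It serves both the Root Cause and Resolution sections: it parses a DSS value of the form shown above into a set of response headers, and it checks a response's headers the way a browser evaluates X-Content-Type-Options (header name matched case-insensitively, only the first comma-separated token counts, value compared case-insensitively), so it can be used to confirm after the hotfix that MIME sniffing is disabled. It assumes that the DSS value is a JSON object mapping header names to header values and that each entry is emitted unchanged on every response; the function and variable names are the example's own. The sample responses are constructed for the example, not captured from a real server.

```python
"""Verify that HTTP responses disable MIME sniffing (X-Content-Type-Options: nosniff).

Added example, not Pega code. Assumptions (not stated in the article):
- The http/responseHeaders DSS value is a JSON object of header name -> value,
  and each pair is sent verbatim on every HTTP response.
- Browsers match the header name case-insensitively and compare only the
  first comma-separated token of its value, case-insensitively, to "nosniff".
"""
import json
import sys
import urllib.error
import urllib.request
from typing import Mapping, Optional

HEADER = "X-Content-Type-Options"


def headers_from_dss(dss_value: str) -> dict:
    """Parse the DSS setting value (e.g. {"X-Content-Type-Options":"nosniff"})
    into a dict of header name -> header value. Rejects anything that is not a
    flat JSON object of strings, which would not map onto response headers."""
    parsed = json.loads(dss_value)
    if not isinstance(parsed, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in parsed.items()
    ):
        raise ValueError("DSS value must be a JSON object of string header name/value pairs")
    return parsed


def nosniff_finding(headers) -> Optional[str]:
    """Return None when the response disables sniffing, otherwise a short
    description of the gap. `headers` is a dict or an iterable of (name, value)."""
    pairs = headers.items() if isinstance(headers, Mapping) else headers
    values = [v for k, v in pairs if k.lower() == HEADER.lower()]
    if not values:
        return f"{HEADER} header is missing; browsers may sniff the content type"
    # A repeated header is combined with ", " and only the first token is honoured.
    first_token = ", ".join(values).split(",", 1)[0].strip()
    if first_token.lower() != "nosniff":
        return f"{HEADER} is set to {first_token!r}, not 'nosniff'"
    return None


def check_url(url: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch `url` and report on its X-Content-Type-Options header.
    Error pages are responses too, so 4xx/5xx bodies are checked as well."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return nosniff_finding(resp.headers.items())
    except urllib.error.HTTPError as err:
        return nosniff_finding(err.headers.items())


# Constructed sample responses (not captured from a real server).
SAMPLE_RESPONSES = {
    "before hotfix": [("Content-Type", "text/plain"), ("Cache-Control", "no-cache")],
    "after hotfix": [("Content-Type", "text/plain"), ("X-Content-Type-Options", "nosniff")],
    "wrong value": [("Content-Type", "text/plain"), ("x-content-type-options", "sniff")],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_nosniff.py https://your-pega-host/prweb/
        print(check_url(sys.argv[1]) or f"OK: {HEADER} is nosniff")
    else:
        print("DSS value maps to:", headers_from_dss('{"X-Content-Type-Options":"nosniff"}'))
        for label, hdrs in SAMPLE_RESPONSES.items():
            print(f"{label}: {nosniff_finding(hdrs) or 'OK'}")
```

Run it with a URL to test a live server after applying the hotfix, or with no arguments to see the check applied to the constructed samples. Checking an error page as well as a normal page matters because the header must be present on every response, including ones the application did not generate deliberately.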


Published March 6, 2017 - Updated March 16, 2017
