Missing or Incorrect Mime Types

Posted by Oğuz~#> (Senior Member, 5 Jul 2009, 4,772, 17, Bursa)
Mime Types tell browsers what type of file they are receiving from your site. A web page would typically tell browsers they were receiving HTML (mime type text/html), while a PDF file should have a PDF mime type (application/pdf). Sometimes an application will send an incorrect mime type (such as specifying text instead of image) or will send none at all.
Mime Types and Application Security

Invalid or missing Mime types can lead to a variety of vulnerabilities. On the benign end, they can cause your web pages to display incorrectly in some browsers, as they try to display text as an image or an image as text. They can also open your site to a cross site scripting attack. For example, Internet Explorer may guess a mime type when one is not given by the server. If the file being looked at is an image, IE may display it as text. An attacker could take advantage of this to craft a special image which would damage your visitor's computer.

How Does this Impact my Security?

Lower impact mime types are not known to allow cross site scripting or injection attacks. They are more likely caused by serving code snippets (such as JavaScript) as plain text rather than as code. It is a best practice to correct these types of errors wherever possible, and it is generally an easy and non-impactful change.
Higher impact mime types are renderables (such as an image with an incorrect mime type). These can be used to create cross site scripting attacks, or other attack vectors against your site. These mime types should be updated to reflect the correct type as soon as possible.

Correcting Mime Types in Your Application

Check the pages listed in a scan of your site for Mime Type strings. Ensure they are serving the proper type. You can also include a local Apache configuration file in each directory to automatically set mime types. You can view a sample here: Sample .htaccess file
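The check described above, as an added example that is not part of the original post: it compares the Content-Type header of each captured response with the body's leading bytes, flags responses with no type at all, and also reports when the X-Content-Type-Options: nosniff header is absent. The response list is constructed for illustration; how you obtain real responses (a crawler, a proxy export) is up to you.

```python
# Added example, not from the original post: audit captured HTTP responses for
# missing or mismatched Content-Type headers by comparing the declared MIME
# type with the body's leading bytes. The sample responses are constructed.
MAGIC = [  # file signatures ("magic bytes") for the renderable types the post discusses
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
]

def sniff_type(body):
    """Return the MIME type implied by the body's signature, or None if unknown."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    head = body.lstrip()[:16].lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "text/html"
    return None

def check_response(url, headers, body):
    """Return a list of findings for one response; an empty list means it looks fine."""
    findings = []
    lookup = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    declared = lookup.get("content-type")
    if declared is None:
        findings.append(f"{url}: missing Content-Type (browser will guess the type)")
    else:
        declared = declared.split(";")[0].strip().lower()  # drop charset parameters
    actual = sniff_type(body)
    if declared and actual and declared != actual:
        findings.append(f"{url}: declared {declared} but content looks like {actual}")
    # nosniff tells browsers not to second-guess the declared type at all.
    if lookup.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(f"{url}: no X-Content-Type-Options: nosniff header")
    return findings

# Constructed samples: an image served as text, a PDF with no type, a correct page.
SAMPLE_RESPONSES = [
    ("/logo.png", {"Content-Type": "text/plain"}, b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("/report.pdf", {}, b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("/index.html", {"Content-Type": "text/html; charset=utf-8",
                     "X-Content-Type-Options": "nosniff"}, b"<!DOCTYPE html><html></html>"),
]

def audit(responses):
    """Run check_response over (url, headers, body) tuples, e.g. audit(SAMPLE_RESPONSES)."""
    return [f for url, hdrs, body in responses for f in check_response(url, hdrs, body)]
```

Running audit(SAMPLE_RESPONSES) reports four findings: the PNG declared as text/plain, the PDF with no Content-Type, and the missing nosniff header on both of those responses.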
Mime types are defined in HTML code when including another type of content. For example, when including JavaScript code, be sure to use tags like the following:
Code:
<script type="text/javascript">
Here the type field is the mime type definition. Omitting this type field leads to a missing mime type, while including the wrong type leads to an incorrect Mime type.