Content sniffing, also known as MIME sniffing, is the practice of inspecting the bytes of a response to deduce the file format of the data within it. Many HTTP servers send a Content-Type header that does not match the actual contents of the response, so browsers historically fell back to guessing. If an attacker can supply content that the web application accepts as one type but that the browser sniffs and renders as HTML, it is possible to inject malicious code.
- The browser second-guesses the Content-Type header
- It looks at the response content, the URI and also the tag that initiated the request
- An attacker can trick older browsers into guessing the wrong Content-Type
1) When serving resources, make sure you send a Content-Type header that matches the actual type of the resource being served.
2) Add the X-Content-Type-Options header with a value of "nosniff" to tell the browser to trust the Content-Type the site has sent and not to attempt "sniffing" the real content type.
3) Parse the content of the file and reject any unexpected input (for example, HTML markup inside a file declared as an image or JSON).
4) Have the browser prompt for a download instead of rendering the resource inline:
Content-Disposition: attachment; filename=data.json
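The four steps above, combined into one server-side helper, as an added example that is not part of the original notes. It assumes a hypothetical file-serving endpoint that knows the stored filename and bytes; the magic-byte table and HTML marker list are constructed for the example and cover only a few common types. The helper declares an accurate Content-Type (step 1), always sets X-Content-Type-Options: nosniff (step 2), refuses content whose bytes do not match the declared type (step 3), and forces a download for unknown types or when the caller asks for it (step 4).

```python
import json
import mimetypes
import os
import re

# Constructed table of leading "magic bytes" for the binary types this
# example serves; used to confirm that the bytes agree with the declared type.
MAGIC_BYTES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "application/pdf": (b"%PDF-",),
}

# Markers that a sniffing browser could take as a reason to treat a body as HTML.
HTML_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<body", b"<iframe")


def looks_like_html(data: bytes) -> bool:
    """True if the first 512 bytes (the window sniffers inspect) carry HTML markup."""
    head = data[:512].lstrip().lower()
    return any(marker in head for marker in HTML_MARKERS)


def content_matches_type(data: bytes, declared: str) -> bool:
    """Step 3: check that the bytes really are of the declared Content-Type."""
    if declared in MAGIC_BYTES:
        return any(data.startswith(sig) for sig in MAGIC_BYTES[declared])
    if declared == "application/json":
        try:
            json.loads(data)  # must parse as JSON; HTML or junk fails here
        except ValueError:
            return False
        return True
    # Any other (text-like or opaque) type: refuse content carrying HTML markup.
    return not looks_like_html(data)


def safe_filename(filename: str) -> str:
    """Keep only the base name and characters that cannot break the header value."""
    base = os.path.basename(filename)
    return re.sub(r"[^A-Za-z0-9._-]", "_", base) or "download"


def response_headers(filename: str, data: bytes, force_download: bool = False) -> dict:
    """Build the response headers for serving `data` stored under `filename`."""
    content_type, _ = mimetypes.guess_type(filename)
    if content_type is None:
        # Unknown type: never leave it to the browser to guess; serve as an opaque download.
        content_type = "application/octet-stream"
        force_download = True
    if not content_matches_type(data, content_type):
        raise ValueError(f"content of {filename!r} does not match {content_type}")
    if content_type.startswith("text/") or content_type == "application/json":
        content_type += "; charset=utf-8"
    headers = {
        "Content-Type": content_type,            # step 1: accurate declared type
        "X-Content-Type-Options": "nosniff",     # step 2: forbid sniffing
    }
    if force_download:
        # step 4: the browser saves the file instead of rendering it inline
        headers["Content-Disposition"] = f'attachment; filename="{safe_filename(filename)}"'
    return headers


if __name__ == "__main__":
    # Constructed sample payloads: a valid PNG header and an HTML body uploaded as ".png".
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(response_headers("logo.png", png))
    print(response_headers("data.json", b'{"ok": true}', force_download=True))
    try:
        response_headers("avatar.png", b"<html><script>alert(1)</script></html>")
    except ValueError as err:
        print("rejected:", err)
```

The type check runs before the headers are built, so a file that the application accepted under a misleading extension is rejected rather than served with a Content-Type it does not match; the nosniff header then covers the browsers that would otherwise second-guess the declared type.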