Detailedseverity: MediumDraft

CAPEC-209XSS Using MIME Type Mismatch

Abstraction
Detailed
Status
Draft
Severity
Medium

Description

An adversary creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. The adversary tricks the victim into accessing a URL that responds with the script file. Some browsers will detect that the specified MIME type of the file does not match the actual type of its content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the adversary's script may run on the target unsanitized, possibly revealing the victim's cookies or executing arbitrary script in their browser.

Related weaknesses· 3

CWE-79CWE-20CWE-646

Related attack patterns· 1

CAPEC-592 (ChildOf)

Exploits3

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')cwe-79100%live
WeaknessReliance on File Name or Extension of Externally-Supplied Filecwe-646100%live
WeaknessImproper Input Validationcwe-20100%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC
Cross-Site Scripting (XSS)
CAPEC
XSS Through HTTP Query Strings
CAPEC
XSS Targeting Non-Script Elements
CAPEC
XSS Targeting URI Placeholders
CAPEC
DOM-Based XSS
CAPEC
Reflected XSS
Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.