Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Content Type Spoofing


Content Type Spoofing

By ghostghost | 7007 Reads |
0     0

Often profile sites allow you to include music or an video. This however, can be an security risk when it is not properly implented. Even when all input is filtered, and with all (special character) output is encoded, we can initialize an XSS or CSRF atack using flash.

The music or video is often included in the profile with the tag. This tag is dangerous when it is not used with the type, which set's the content type of the target source.

The content type is an indicator for a webbrowser how the downloaded content should be handled. We obiuosly dont want to get an flash file included. That's why the .swf is disallowed. This must be secure because we can't include a flash file then, or can we? The answer is that we still can. By setting a response-header the Content-Type to application/x-shockwave-flash.

So if we upload an php script that sets the header and the send's the 'evil' flash file, the game would be over.

I shall provide u with an example of such a script. It contains the flash file base encoded, because of the characters it contains are not alphanumeric.

I hope u enjoyed my article and that I could make it a bit clear how it works, or maybe you allready knew it ;), anyways, please rate the article.

Comments
ghost's avatar
ghost 17 years ago

This can also be done with the "tamper data" firefox extension, which allows you to modify any posted content. You might be able to do it with livehttpheaders too.

ghost's avatar
ghost 17 years ago

no, it cannot, tamper data tampers with the outgoing REQUEST, here we spoof the RESPONSE from the webserver

ghost's avatar
ghost 17 years ago

I don't quite get what you are getting at, all you've really shown is that you can run PHP when certain files are viewed which is not really content-type spoofing

SySTeM's avatar
SySTeM 17 years ago

You realize, even if you didn't have the logger in place, and it was actually just a SWF file, you could still get IPs from it, just check the access logs to see who's viewed it…

ghost's avatar
ghost 17 years ago

yes i know, or an img tag pointing to an php script. But i included it so u could see who loaded he flash file….

ghost's avatar
ghost 17 years ago

what kind of fools would let you upload a php script in the first place? lol

ghost's avatar
ghost 17 years ago

lol, a hosting company like freewebs,maybe ?