Re: [websec] Content sniffing

Adam Barth <ietf@adambarth.com> Mon, 09 July 2012 21:05 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 864FF11E81CA for <websec@ietfa.amsl.com>; Mon, 9 Jul 2012 14:05:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lZLkM4Pr0LrM for <websec@ietfa.amsl.com>; Mon, 9 Jul 2012 14:05:34 -0700 (PDT)
Received: from mail-gg0-f172.google.com (mail-gg0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id E3FA411E8171 for <websec@ietf.org>; Mon, 9 Jul 2012 14:05:33 -0700 (PDT)
Received: by ggnc4 with SMTP id c4so11591036ggn.31 for <websec@ietf.org>; Mon, 09 Jul 2012 14:05:59 -0700 (PDT)
Received: by 10.236.165.102 with SMTP id d66mr46873404yhl.54.1341867959548; Mon, 09 Jul 2012 14:05:59 -0700 (PDT)
Received: from mail-gh0-f172.google.com (mail-gh0-f172.google.com [209.85.160.172]) by mx.google.com with ESMTPS id v61sm65085593yhi.17.2012.07.09.14.05.58 (version=SSLv3 cipher=OTHER); Mon, 09 Jul 2012 14:05:58 -0700 (PDT)
Received: by ghbg16 with SMTP id g16so11607598ghb.31 for <websec@ietf.org>; Mon, 09 Jul 2012 14:05:57 -0700 (PDT)
Received: by 10.60.2.34 with SMTP id 2mr43768871oer.71.1341867957027; Mon, 09 Jul 2012 14:05:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.226.5 with HTTP; Mon, 9 Jul 2012 14:05:26 -0700 (PDT)
In-Reply-To: <CC7E8027-2CCE-41B7-9244-1638C15830A5@bbn.com>
References: <CC7E8027-2CCE-41B7-9244-1638C15830A5@bbn.com>
From: Adam Barth <ietf@adambarth.com>
Date: Mon, 9 Jul 2012 14:05:26 -0700
Message-ID: <CAJE5ia-qAyM1v9JrKJaO6ORi48oVFfk9x13Pw48M8SnB746D9g@mail.gmail.com>
To: "Richard L. Barnes" <rbarnes@bbn.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: websec@ietf.org
Subject: Re: [websec] Content sniffing
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2012 21:05:34 -0000

Why is this sniffing gone awry?  Nothing bad seems to have happened in
this example.

Adam


On Mon, Jul 9, 2012 at 1:55 PM, Richard L. Barnes <rbarnes@bbn.com> wrote:
> Related to draft-ietf-websec-mime-sniff, an example of sniffing gone awry:
> <http://lcamtuf.coredump.cx/squirrel/>
>
> It's a valid JPEG image that contains and HTML snippet in a comment segment.  As a result, when a browser loads the URL expecting an image, it renders the image content, and when it expects HTML, it skips the binary junk at the top and renders the HTML [*]. (In both cases, the server reports Content-Type text/html.)   What's even more startling is that Chrome helpfully adds the binary junk at the top as the first child of the <body> element in the parsed DOM!
>
> --Richard
>
>
> [*] At least in Chrome 20.0.1132.47
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec