我用OWASP ZAP在我的本地主机上做了一些渗透测试,它一直报告这条消息:
反mime嗅探报头X-Content-Type-Options未设置为
“nosniff”
此检查仅针对ie8和谷歌Chrome浏览器。
确保每个页面都设置了内容类型标头和
X-CONTENT-TYPE-OPTIONS,如果Content-Type头未知
我不知道这是什么意思,我在网上也找不到任何信息。我试着补充:
<meta content="text/html; charset=UTF-8; X-Content-Type-Options=nosniff" http-equiv="Content-Type" />
但我还是收到了警报。
参数的正确设置方法是什么?
X-Content-Type-Options HTTP响应报头是一个标记,服务器使用它来指示在Content-Type报头中发布的MIME类型不应该被更改,并且应该被遵循。这允许您选择退出MIME类型嗅探,或者换句话说,这是一种说网站管理员知道他们在做什么的方式。
语法:
X-Content-Type-Options: nosniff
指令:
nosniff
如果请求类型为,则阻塞请求
而MIME类型不是“text/css”,或者
而MIME类型不是JavaScript的MIME类型。
注意:nosniff只适用于“脚本”和“样式”类型。此外,将nosniff应用于图像也被证明与现有的网站不兼容。
规格:
https://fetch.spec.whatwg.org/#x-content-type-options-header
防止在没有发送mimetype的地方嗅探内容
Ubuntu 20.04 - apache 2.4.41的配置:
启用headers模块
$ sudo a2enmod头文件
编辑/etc/apache2/conf-available/security.conf文件,添加:
报头总是设置X-Content-Type-Options: nosniff
启动配置$ sudo a2enconf security.conf
重新启动Apache
$ sudo systemctl restart apache2
$ curl -I localhost
HTTP/1.1 200 OK
Date: Fri, 23 Oct 2020 06:12:16 GMT
Server:
X-Content-Type-Options: nosniff
Last-Modified: Thu, 22 Oct 2020 08:06:06 GMT
描述
Setting a server's X-Content-Type-Options HTTP response header to nosniff instructs browsers to disable content or MIME sniffing which is used to override response Content-Type headers to guess and process the data using an implicit content type. While this can be convenient in some scenarios, it can also lead to some attacks listed below. Configuring your server to return the X-Content-Type-Options HTTP response header set to nosniff will instruct browsers that support MIME sniffing to use the server-provided Content-Type and not interpret the content as a different content type.
浏览器支持
在Chrome, Firefox和Edge以及其他浏览器中支持X-Content-Type-Options HTTP响应头。最新的浏览器支持可在Mozilla开发者网络(MDN)浏览器兼容性表X-Content-Type-Options:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
攻击反击
MIME Confusion Attack enables attacks via user generated content sites by allowing users uploading malicious code that is then executed by browsers which will interpret the files using alternate content types, e.g. implicit application/javascript vs. explicit text/plain. This can result in a "drive-by download" attack which is a common attack vector for phishing. Sites that host user generated content should use this header to protect their users. This is mentioned by VeraCode and OWASP which says the following:
This reduces exposure to drive-by download attacks and sites serving user uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files.
Unauthorized Hotlinking can also be enabled by Content-Type sniffing. By hotlinking to sites with resources for one purpose, e.g. viewing, apps can rely on content-type sniffing and generate a lot of traffic on sites for another purpose where it may be against their terms of service, e.g. GitHub displays JavaScript code for viewing, but not for execution:
Some pesky non-human users (namely computers) have taken to "hotlinking" assets via the raw view feature -- using the raw URL as the src for a <script> or <img> tag. The problem is that these are not static assets. The raw file view, like any other view in a Rails app, must be rendered before being returned to the user. This quickly adds up to a big toll on performance. In the past we've been forced to block popular content served this way because it put excessive strain on our servers.
它阻止浏览器进行mime类型的嗅探。大多数浏览器现在都尊重这个头,包括Chrome/Chromium, Edge, IE >= 8.0, Firefox >= 50和Opera >= 13。看到的:
https://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx?Redirected=true
发送带有值的新的X-Content-Type-Options响应头
nosniff将防止Internet Explorer嗅探mime响应
远离声明的内容类型。
编辑:
哦,还有,那是一个HTTP头,不是HTML元标记选项。
参见:http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
X-Content-Type-Options HTTP响应报头是一个标记,服务器使用它来指示在Content-Type报头中发布的MIME类型不应该被更改,并且应该被遵循。这允许您选择退出MIME类型嗅探,或者换句话说,这是一种说网站管理员知道他们在做什么的方式。
语法:
X-Content-Type-Options: nosniff
指令:
nosniff
如果请求类型为,则阻塞请求
而MIME类型不是“text/css”,或者
而MIME类型不是JavaScript的MIME类型。
注意:nosniff只适用于“脚本”和“样式”类型。此外,将nosniff应用于图像也被证明与现有的网站不兼容。
规格:
https://fetch.spec.whatwg.org/#x-content-type-options-header