我用OWASP ZAP在我的本地主机上做了一些渗透测试,它一直报告这条消息:
反mime嗅探报头X-Content-Type-Options未设置为
“nosniff”
此检查仅针对ie8和谷歌Chrome浏览器。
确保每个页面都设置了内容类型标头和
X-CONTENT-TYPE-OPTIONS,如果Content-Type头未知
我不知道这是什么意思,我在网上也找不到任何信息。我试着补充:
<meta content="text/html; charset=UTF-8; X-Content-Type-Options=nosniff" http-equiv="Content-Type" />
但我还是收到了警报。
参数的正确设置方法是什么?
再详细说明一下元标签。我听过一个演讲,其中有一个声明,人们应该总是在html中插入“no-sniff”元标签,以防止浏览器嗅探(就像OP所做的那样):
<meta content="text/html; charset=UTF-8; X-Content-Type-Options=nosniff" http-equiv="Content-Type" />
然而,对于w3c兼容的网站来说,这不是一个有效的方法,验证器将引发一个错误:
Bad value text/html; charset=UTF-8; X-Content-Type-Options=nosniff for attribute content on element meta: The legacy encoding contained ;, which is not a valid character in an encoding name.
这个问题是无法解决的。要正确地关闭no-sniff,你必须去服务器设置并在那里关闭它。因为“no-sniff”选项来自HTTP报头,而不是HTTP响应中附加的HTML文件。
要检查no-sniff选项是否被禁用,可以启用开发人员控制台,网络选项卡,然后检查HTTP响应报头:
再详细说明一下元标签。我听过一个演讲,其中有一个声明,人们应该总是在html中插入“no-sniff”元标签,以防止浏览器嗅探(就像OP所做的那样):
<meta content="text/html; charset=UTF-8; X-Content-Type-Options=nosniff" http-equiv="Content-Type" />
然而,对于w3c兼容的网站来说,这不是一个有效的方法,验证器将引发一个错误:
Bad value text/html; charset=UTF-8; X-Content-Type-Options=nosniff for attribute content on element meta: The legacy encoding contained ;, which is not a valid character in an encoding name.
这个问题是无法解决的。要正确地关闭no-sniff,你必须去服务器设置并在那里关闭它。因为“no-sniff”选项来自HTTP报头,而不是HTTP响应中附加的HTML文件。
要检查no-sniff选项是否被禁用,可以启用开发人员控制台,网络选项卡,然后检查HTTP响应报头:
它阻止浏览器进行mime类型的嗅探。大多数浏览器现在都尊重这个头,包括Chrome/Chromium, Edge, IE >= 8.0, Firefox >= 50和Opera >= 13。看到的:
https://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx?Redirected=true
发送带有值的新的X-Content-Type-Options响应头
nosniff将防止Internet Explorer嗅探mime响应
远离声明的内容类型。
编辑:
哦,还有,那是一个HTTP头,不是HTML元标记选项。
参见:http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
X-Content-Type-Options HTTP响应报头是一个标记,服务器使用它来指示在Content-Type报头中发布的MIME类型不应该被更改,并且应该被遵循。这允许您选择退出MIME类型嗅探,或者换句话说,这是一种说网站管理员知道他们在做什么的方式。
语法:
X-Content-Type-Options: nosniff
指令:
nosniff
如果请求类型为,则阻塞请求
而MIME类型不是“text/css”,或者
而MIME类型不是JavaScript的MIME类型。
注意:nosniff只适用于“脚本”和“样式”类型。此外,将nosniff应用于图像也被证明与现有的网站不兼容。
规格:
https://fetch.spec.whatwg.org/#x-content-type-options-header
描述
Setting a server's X-Content-Type-Options HTTP response header to nosniff instructs browsers to disable content or MIME sniffing which is used to override response Content-Type headers to guess and process the data using an implicit content type. While this can be convenient in some scenarios, it can also lead to some attacks listed below. Configuring your server to return the X-Content-Type-Options HTTP response header set to nosniff will instruct browsers that support MIME sniffing to use the server-provided Content-Type and not interpret the content as a different content type.
浏览器支持
在Chrome, Firefox和Edge以及其他浏览器中支持X-Content-Type-Options HTTP响应头。最新的浏览器支持可在Mozilla开发者网络(MDN)浏览器兼容性表X-Content-Type-Options:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
攻击反击
MIME Confusion Attack enables attacks via user generated content sites by allowing users uploading malicious code that is then executed by browsers which will interpret the files using alternate content types, e.g. implicit application/javascript vs. explicit text/plain. This can result in a "drive-by download" attack which is a common attack vector for phishing. Sites that host user generated content should use this header to protect their users. This is mentioned by VeraCode and OWASP which says the following:
This reduces exposure to drive-by download attacks and sites serving user uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files.
Unauthorized Hotlinking can also be enabled by Content-Type sniffing. By hotlinking to sites with resources for one purpose, e.g. viewing, apps can rely on content-type sniffing and generate a lot of traffic on sites for another purpose where it may be against their terms of service, e.g. GitHub displays JavaScript code for viewing, but not for execution:
Some pesky non-human users (namely computers) have taken to "hotlinking" assets via the raw view feature -- using the raw URL as the src for a <script> or <img> tag. The problem is that these are not static assets. The raw file view, like any other view in a Rails app, must be rendered before being returned to the user. This quickly adds up to a big toll on performance. In the past we've been forced to block popular content served this way because it put excessive strain on our servers.