Content-Type juggling
Theory
Content-Type juggling exploits the lack of checking on the Content-Type header when submitting an HTTP request.
Most of the time, Content-Type juggling is a way to carry out other attacks such as unrestricted-file-upload or xxe-injection (see examples).
The Content-Type header is used to indicate the MIME type of the resource.
In requests, (such as
POSTorPUT), the client tells the server what type of data was actually sent.In responses, a
Content-Typeheader tells the client what type of content is actually being returned. Browsers may try to detect the MIME type of content by inspecting it rather than by respecting the value of this header.
If the XCTO (X-Content-Type-Options) security header is present, it will be difficult to perform the Content-Type juggling, as indicated in mime-sniffing. The XCTO security header can be used to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed by the browser depending on the page's content. Websites that implement this security header with the nosniff directive must also include a valid Content-Type header in their responses.
Practice
Identify a target vulnerable to Content-Type juggling
In order to identify if the target is vulnerable to Content-Type juggling, testers need to answer the following questions :
Is there a post request with value(s) and
Content-Typeheader ?Is the
X-Content-Type-Optionssecurity header not present ?Can the
Content-Typeheader be edited, and thePOSTrequest still be submitted successfully ?
If the answer is yes to the questions above, then one should be able to perform Content-Type juggling and might find a way to perform other attacks as a result:
If one can switch to
application/xml, XXE should be tried.If one can switch to
application/zip, uploading malicious zip file should be tried.If one can switch to
application/php, uploading PHP payloads should be tried.If one can switch to
application/image, uploading malicious image should be tried.
One should not stick to this list and always try several Content-Type values.
Example attacks
PHP payload upload and RCE
Let's take this POST request following the submit of a form. Two Content-Type headers can be seen, the second one is interesting since an attacker could be juggling the content-type to upload a malicious PHP file.
The attacker is able to upload a PHP webshell thanks to the Content-Type juggling, changing it from text/plain to application/php
Bypass a WAF
Sometimes, the Content-Type header has an additional field: charset=<value>.
In this context, an attacker can try to edit the charset (e.g. from utf-8 to utf-7) to bypass security controls such as Web Application Firewalls (WAFs), or regular expressions that check the value of a form. This technique cannot bypass the impact of the XCTO security header though (see the Theory part).
Below is an example where an attacker is able to perform Content-Type juggling but is getting blocked by a WAF. To bypass it, "charset juggling" can be performed.
API attack, leading to XXE
In the following request, the application normally sends JSON content (Content-Type: application/json).
If the target is vulnerable to Content-Type juggling and XXE, an attacker could attempt to modify the content-type header to application/xml and put some malicious XML to exploit an XXE.
By combining Content-Type juggling with another attack, it's possible to extract information from the target (more about it in XXE injection).
For more insight on this attack, refer to the writeup of the web challenge "BNV" from Google CTF 2019, by Nicholaz99.
Resources
Last updated
Was this helpful?