Exercise – noSniff Playground
1. Introduction
The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed. This allows opting out of MIME type sniffing.
- Please start the nosniff demo service from RESOURCES
- Load and analyze the page with ZAP, BURP or your built-in developer tools

Please describe what you have learned by analyzing the nosniff demo service
2. Analysis
By running the nosniff demo service I noticed that 4 scripts got blocked and 4 scripts show a popup window.
By opening the developer tools in Chrome I can see the following blocking message in the console window:
type ('text/plain') is not executable, and strict MIME type checking is enabled.
type ('application/json') is not executable, and strict MIME type checking is enabled.
type ('text/xml') is not executable, and strict MIME type checking is enabled.
type ('text/json') is not executable, and strict MIME type checking is enabled.

Let's have a quick look with ZAP:

All URLs with X-Content-Type-Options: nosniff got blocked, those without that header got executed.
3. Summary
nosniff
Blocks a request if the request destination is of type:
- "style" and the MIME type is not text/css, or
- "script" and the MIME type is not a JavaScript MIME type
Enables Cross-Origin Read Blocking (CORB) protection for the MIME-types:
- text/html
- text/plain
- text/json, application/json or any other type with a JSON extension: */*+json
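To make the rule in the summary concrete, here is an added, constructed example that is not the demo service's own code: it models the browser-side nosniff decision (following the Fetch standard's "should response be blocked due to nosniff" check and the MIME Sniffing standard's JavaScript MIME type list) and runs it over eight sample responses shaped like the ones observed in the analysis. The URLs and the header sets are assumptions that mirror the exercise (four content types, each served with and without X-Content-Type-Options: nosniff); the demo service's real paths are not known here.

```python
"""Model of the browser-side nosniff check summarised above.

Constructed example, not the demo service's code. Sample URLs are invented.
"""

from typing import Dict, List, Optional

# JavaScript MIME type essences from the WHATWG MIME Sniffing standard.
JAVASCRIPT_MIME_TYPES = {
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
}


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def mime_essence(headers: Dict[str, str]) -> Optional[str]:
    """Return the lower-cased type/subtype of Content-Type, or None if absent or malformed."""
    value = get_header(headers, "Content-Type")
    if value is None:
        return None
    essence = value.split(";", 1)[0].strip().lower()
    return essence if "/" in essence else None


def nosniff_enabled(headers: Dict[str, str]) -> bool:
    """True when the first list member of X-Content-Type-Options is 'nosniff' (case-insensitive)."""
    value = get_header(headers, "X-Content-Type-Options")
    if value is None:
        return False
    return value.split(",", 1)[0].strip().lower() == "nosniff"


def blocked_by_nosniff(destination: str, headers: Dict[str, str]) -> bool:
    """Apply the nosniff rule: only 'script' and 'style' destinations are affected.

    Edge case: a missing or unparsable Content-Type counts as "not a JavaScript
    type" / "not text/css", so it is blocked when nosniff is set.
    """
    if not nosniff_enabled(headers):
        return False
    essence = mime_essence(headers)
    if destination == "script":
        return essence not in JAVASCRIPT_MIME_TYPES
    if destination == "style":
        return essence != "text/css"
    return False


def corb_protected_type(essence: Optional[str]) -> bool:
    """Types the summary lists as CORB-protected once nosniff is set (*/*+json via suffix)."""
    if essence is None:
        return False
    listed = {"text/html", "text/plain", "text/json", "application/json"}
    return essence in listed or essence.endswith("+json")


# Constructed responses modelled on the demo: four types with nosniff, four without.
DEMO_SCRIPT_RESPONSES = [
    ("/script1.js", {"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"}),
    ("/script2.js", {"Content-Type": "application/json", "X-Content-Type-Options": "nosniff"}),
    ("/script3.js", {"Content-Type": "text/xml", "X-Content-Type-Options": "nosniff"}),
    ("/script4.js", {"Content-Type": "text/json", "X-Content-Type-Options": "nosniff"}),
    ("/script5.js", {"Content-Type": "text/plain"}),
    ("/script6.js", {"Content-Type": "application/json"}),
    ("/script7.js", {"Content-Type": "text/xml"}),
    ("/script8.js", {"Content-Type": "text/json"}),
]


def classify_scripts(responses) -> Dict[str, List[str]]:
    """Sort script responses into those nosniff blocks and those the browser would execute."""
    result: Dict[str, List[str]] = {"blocked": [], "executed": []}
    for url, headers in responses:
        bucket = "blocked" if blocked_by_nosniff("script", headers) else "executed"
        result[bucket].append(url)
    return result


if __name__ == "__main__":
    for bucket, urls in classify_scripts(DEMO_SCRIPT_RESPONSES).items():
        print(bucket, urls)
```

Running it reproduces the split seen in the analysis: the four nosniff responses land in "blocked", the four without the header in "executed", because without nosniff the browser ignores a wrong Content-Type on a script. The same rule is what makes serving scripts with an exact JavaScript MIME type matter once the header is deployed, since even a correct script file served as text/plain will be refused.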

PDF Report:
srh#1

