[WEB SECURITY] countermeasure against attacks through HTML shared files

Bil Corry bil at corry.biz
Fri Nov 7 11:49:55 EST 2008

fcorella at pomcor.com wrote on 11/6/2008 11:01 PM: 
> I have not been able to find much prior work.
> What I've found is discussed in Section 2 of the
> paper.  If I've missed something, please let me
> know.

Thank you for the paper!  Some related thoughts:

(1) Google offers advice on how to serve untrusted files for downloading:


Granted, it doesn't seem to be working for them:


(2) IE8 offers a new header to prevent this type of attack by forcing the user to download the file to disk, thus preventing the file from running in the context of your site:

	X-Download-Options: noopen

(3) Internet Explorer (and other browsers to some extent) do content-sniffing, so a file doesn't have to be explicitly HTML in order for Internet Explorer to display the file as HTML (for example, the file can be a GIF, but still be shown as HTML by IE).

More info:


IE8 now offers a header to turn this behavior off (doesn't help for IE6 or IE7):

	X-Content-Type-Options: nosniff

(4) GIFAR - Looks like a GIF, but runs as a Java Applet:


- Bil
