Testing MIME Type Security

Testing MIME Type Security

Manual Testing

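# Host under test. Override on the command line instead of editing the script:
#   BASE_URL=https://staging.example.com sh mime-check.sh
BASE_URL="${BASE_URL:-https://example.com}"

# Test with curl: show only the two headers that decide how a browser will treat
# the body. -s drops the progress meter, -S keeps real errors visible, -I sends a
# HEAD request (add -L if the resource is reached through a redirect, otherwise
# you are looking at the redirect's headers, not the resource's).
# grep -E with '|' is POSIX; the basic-regex '\|' alternation is a GNU extension
# that BSD/macOS grep does not understand, so the filter would silently match nothing.
curl -sSI "$BASE_URL/script.js" | grep -iE 'content-type|x-content-type-options'

# Test MIME type sniffing: a file whose bytes look like HTML but whose extension
# says image. A correctly configured server serves it with an image Content-Type
# and X-Content-Type-Options: nosniff, so the browser renders a broken image
# rather than interpreting the bytes as markup.
echo "<script>alert('XSS')</script>" > test.jpg
# Upload and verify browser doesn't execute it

# Check response headers for various file types
for ext in js css json xml jpg png pdf; do
    echo "Testing .$ext files:"
    curl -sSI "$BASE_URL/test.$ext" | grep -iE 'content-type|x-content-type-options'
    echo ""
done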

Automated Testing Script

const axios = require('axios');
const fs = require('fs').promises;

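/**
 * Default probe set: one representative path per MIME family and the media type(s)
 * a correctly configured server should send for it.
 *
 * `expectedType` is the canonical type shown in the report. `acceptedTypes`, when
 * present, lists every type that counts as correct: JavaScript gets both spellings
 * because RFC 9239 standardises `text/javascript` while many servers still emit
 * `application/javascript`, and either one is a correct, non-sniffable label.
 */
const DEFAULT_MIME_TESTS = [
    {
        path: '/script.js',
        expectedType: 'application/javascript',
        acceptedTypes: ['application/javascript', 'text/javascript']
    },
    { path: '/style.css', expectedType: 'text/css' },
    { path: '/data.json', expectedType: 'application/json' },
    { path: '/image.jpg', expectedType: 'image/jpeg' },
    { path: '/document.pdf', expectedType: 'application/pdf' }
];

/**
 * Read a response header as a trimmed, lower-cased string ('' when absent).
 * axios exposes header names lower-cased, but the value's case is the server's
 * choice, so normalise it before comparing against fixed tokens.
 *
 * @param {object} headers - Response headers keyed by lower-cased name.
 * @param {string} name - Header name, lower-cased.
 * @returns {string}
 */
function headerValue(headers, name) {
    const raw = headers?.[name];
    return raw == null ? '' : String(raw).trim().toLowerCase();
}

/**
 * Judge one response's headers against a probe entry.
 *
 * @param {{path: string, expectedType: string, acceptedTypes?: string[]}} test
 * @param {object} headers - Response headers keyed by lower-cased name.
 * @returns {{path: string, contentType: (string|undefined), expectedType: string,
 *   acceptedTypes: string[], typeCorrect: boolean, hasNoSniff: boolean, passed: boolean}}
 */
function evaluateMimeHeaders(test, headers) {
    const contentType = headers['content-type'];
    // Compare only the media type: parameters such as "; charset=utf-8" do not
    // influence sniffing, and type/subtype are case-insensitive (RFC 2045 §5.1).
    // Exact match rather than startsWith, so that e.g. "application/json-patch+json"
    // is not accepted as "application/json".
    const mediaType = headerValue(headers, 'content-type').split(';')[0].trim();
    const acceptedTypes = (test.acceptedTypes ?? [test.expectedType]).map((t) => t.toLowerCase());
    const typeCorrect = mediaType !== '' && acceptedTypes.includes(mediaType);
    // The Fetch standard looks at the first comma-separated value only and matches
    // it ASCII case-insensitively, so "NoSniff" is honoured by browsers and must
    // not be reported as missing here.
    const hasNoSniff = headerValue(headers, 'x-content-type-options').split(',')[0].trim() === 'nosniff';
    return {
        path: test.path,
        contentType,
        expectedType: test.expectedType,
        acceptedTypes,
        typeCorrect,
        hasNoSniff,
        // Keep these real booleans: a missing Content-Type must read as false, not undefined.
        passed: typeCorrect && hasNoSniff
    };
}

/**
 * Print a PASS/FAIL line per result, with the decisive headers for every failure.
 *
 * @param {object[]} results - Entries from evaluateMimeHeaders or request failures.
 */
function printMimeReport(results) {
    console.log('MIME Type Security Test Results:');
    console.log('================================');
    for (const result of results) {
        console.log(`${result.path}: ${result.passed ? 'PASS' : 'FAIL'}`);
        if (result.passed) continue;
        if (result.error !== undefined) {
            // A failed request has no headers to show; say why it failed instead.
            console.log(`  Error: ${result.error}`);
            continue;
        }
        console.log(`  Content-Type: ${result.contentType || 'Not set'}`);
        console.log(`  Expected: ${result.acceptedTypes?.join(' or ') ?? result.expectedType}`);
        console.log(`  X-Content-Type-Options: ${result.hasNoSniff ? 'Set' : 'Missing'}`);
    }
}

/**
 * Probe well-known resource paths under `baseUrl` and report whether each response
 * carries an acceptable Content-Type and `X-Content-Type-Options: nosniff`. Both are
 * required for a PASS: the type tells the browser what the body is, and nosniff stops
 * it from second-guessing that label (e.g. executing an "image" whose bytes look like
 * script).
 *
 * @param {string} baseUrl - Prefix each probe path is appended to, e.g. 'https://example.com'.
 * @param {Array<{path: string, expectedType: string, acceptedTypes?: string[]}>} [tests]
 *   Probes to run; defaults to DEFAULT_MIME_TESTS.
 * @returns {Promise<object[]>} One result per probe, in order. A request that fails
 *   (network error, or a non-2xx status, which axios rejects by default) yields
 *   `{ path, error, passed: false }` instead of rejecting, so one bad path does not
 *   abort the run.
 */
async function testMimeTypeSecurity(baseUrl, tests = DEFAULT_MIME_TESTS) {
    const results = [];

    // Sequential on purpose: the target sees one probe at a time.
    for (const test of tests) {
        try {
            // HEAD keeps the probe cheap. NOTE(review): some servers send different
            // headers for HEAD than for the GET a browser issues; if a result looks
            // wrong, re-check that path with axios.get(..., { responseType: 'stream' }).
            const response = await axios.head(baseUrl + test.path);
            results.push(evaluateMimeHeaders(test, response.headers));
        } catch (error) {
            results.push({
                path: test.path,
                error: error.message,
                passed: false
            });
        }
    }

    printMimeReport(results);
    return results;
}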

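// Entry point. The target comes from the first CLI argument, falling back to the
// example host, and the exit code reflects the outcome so CI can gate on it.
const targetBaseUrl = process.argv[2] ?? 'https://example.com';
testMimeTypeSecurity(targetBaseUrl)
    .then((results) => {
        process.exitCode = results.every((result) => result.passed) ? 0 : 1;
    })
    .catch((error) => {
        // Per-request failures are already captured in the results, so a rejection
        // here is an unexpected error that should not vanish as an unhandled promise.
        console.error(`MIME type security test aborted: ${error.message}`);
        process.exitCode = 1;
    });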