MIME Types of script tag (for XSS)

While testing for XSS I ran into a case like this, where the payload would not execute..

https://gph.is/1yw44rd

[ Request ]

?param=alert(45)/*PLAINTEXT*/

[ Response ]

<script type="secret!">alert(45)/*
PLAINTEXT
*/</script>

Even looking at the console, no error showed up … it was odd. After digging around a bit, it turned out the problem was that the type was not a MIME type permitted for a script tag. (Was that implemented on purpose….)

<script type="hahwul">alert(45)</script>

  <script type="application/ecmascript">console.log('1 - application/ecmascript');</script>
  <script type="application/x-javascript">console.log('2 - application/x-javascript');</script>
  <script type="text/javascript">console.log('3 - text/javascript');</script>
  <script type="">console.log('4 - blank');</script>
  <script >console.log('5 - none');</script>
  <script type="module">console.log('6 - module');</script>
  <script type="hahwul">console.log('7 - hahwul...zz');</script>

Custom types do not run.

There are a few more besides these; the permitted MIME types are as follows.

  +-----------------------------------------------------+
  | text/javascript          | text/ecmascript          |
  | text/javascript1.0       | text/javascript1.1       |
  | text/javascript1.2       | text/javascript1.3       |
  | text/javascript1.4       | text/javascript1.5       |
  | text/jscript             | text/livescript          |
  | text/x-javascript        | text/x-ecmascript        |
  | application/x-javascript | application/x-ecmascript |
  | application/javascript   | application/ecmascript   |
  +-----------------------------------------------------+
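As an added example that is not part of the original post, the following JavaScript classifies a script element's type attribute the way the HTML Standard's script preparation step does: an absent or empty attribute means classic JavaScript, a value that after stripping ASCII whitespace is a case-insensitive match for one of the MIME types in the table above is classic, `module` is a module script, and anything else is a data block the browser never executes. The `auditInlineScripts` helper and its regex attribute scanner are my own assumptions (not a full HTML parser), and the sample fragments are the seven test tags and the injected response from the post.

```javascript
// Added example, not from the original post: decide whether a <script> element's
// type attribute makes it a JavaScript (classic or module) script or an inert
// data block, following the HTML Standard's rules for preparing a script element.

// JavaScript MIME type essence strings from the HTML Standard; this is the same
// list as the table in the post.
const JS_MIME_TYPES = new Set([
  'text/javascript', 'text/ecmascript',
  'text/javascript1.0', 'text/javascript1.1', 'text/javascript1.2',
  'text/javascript1.3', 'text/javascript1.4', 'text/javascript1.5',
  'text/jscript', 'text/livescript',
  'text/x-javascript', 'text/x-ecmascript',
  'application/x-javascript', 'application/x-ecmascript',
  'application/javascript', 'application/ecmascript',
]);

// ASCII whitespace as defined by the HTML Standard: TAB, LF, FF, CR, SPACE.
function stripAsciiWhitespace(s) {
  return s.replace(/^[\t\n\f\r ]+|[\t\n\f\r ]+$/g, '');
}

// typeAttr is the raw attribute value, or null when the attribute is absent.
// Returns 'classic', 'module' or 'data'; only 'data' blocks never execute.
function classifyScriptType(typeAttr) {
  if (typeAttr === null || typeAttr === '') return 'classic'; // cases 4 and 5 in the post
  const t = stripAsciiWhitespace(typeAttr).toLowerCase();    // match is case-insensitive
  if (JS_MIME_TYPES.has(t)) return 'classic';
  if (t === 'module') return 'module';
  return 'data'; // e.g. type="hahwul" or type="secret!": parsed, kept in the DOM, never run
}

function executes(typeAttr) {
  return classifyScriptType(typeAttr) !== 'data';
}

// Hypothetical helper: list every inline <script> start tag in an HTML fragment with
// its type attribute and whether the browser would run it. The regexes cover the
// simple attribute syntax used in the post; they are not a full HTML tokenizer.
function auditInlineScripts(html) {
  const results = [];
  const tagRe = /<script\b([^>]*)>/gi;
  const typeRe = /\btype\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const typeMatch = typeRe.exec(m[1]);
    let type = null;                                   // attribute absent
    if (typeMatch) type = typeMatch[1] ?? typeMatch[2] ?? typeMatch[3] ?? '';
    results.push({ tag: m[0], type, kind: classifyScriptType(type), executes: executes(type) });
  }
  return results;
}

// Constructed sample input: the seven test tags from the post ...
const POST_TEST_TAGS = `
  <script type="application/ecmascript">console.log('1 - application/ecmascript');</script>
  <script type="application/x-javascript">console.log('2 - application/x-javascript');</script>
  <script type="text/javascript">console.log('3 - text/javascript');</script>
  <script type="">console.log('4 - blank');</script>
  <script >console.log('5 - none');</script>
  <script type="module">console.log('6 - module');</script>
  <script type="hahwul">console.log('7 - hahwul...zz');</script>
`;

// ... and the injected response from the post, where the reflected payload lands
// inside a script element whose type is not a JavaScript MIME type.
const INJECTED_RESPONSE = `<script type="secret!">alert(45)/*
PLAINTEXT
*/</script>`;

for (const r of [...auditInlineScripts(POST_TEST_TAGS), ...auditInlineScripts(INJECTED_RESPONSE)]) {
  console.log(`${r.executes ? 'RUNS ' : 'INERT'} type=${JSON.stringify(r.type)} (${r.kind})`);
}
```

Running it prints RUNS for the first six test tags and INERT for `type="hahwul"` and for the `type="secret!"` response. From a defender's point of view the non-JavaScript type only stops execution; the reflected text is still present in the response, so output encoding of the parameter is still the fix rather than relying on the type attribute.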

Javascript MIME Types in RFC

MIME types are defined in the RFC. Of course, what is in the RFC is not the whole story; there are additional special cases such as module. Treat it as a reference. http://www.rfc-editor.org/rfc/rfc4329.txt

7.  JavaScript Media Types

7.1.  text/javascript (obsolete)

   Type name:               text
   Subtype name:            javascript
   Required parameters:     none
   Optional parameters:     charset, see section 4.1.
   Encoding considerations:
      The same as the considerations in section 3.1 of [RFC3023].

   Security considerations: See section 5.
   Interoperability considerations:
      None, except as noted in other sections of this document.

   Published specification: [JS15]
   Applications which use this media type:
      Script interpreters as discussed in this document.

   Additional information:

      Magic number(s):             n/a
      File extension(s):           .js
      Macintosh File Type Code(s): TEXT

   Person & email address to contact for further information:
      See Author's Address section.

   Intended usage:          OBSOLETE
   Restrictions on usage:   n/a
   Author:                  See Author's Address section.
   Change controller:       The IESG.

7.2.  application/javascript

   Type name:               application
   Subtype name:            javascript
   Required parameters:     none
   Optional parameters:     charset, see section 4.1.
   Encoding considerations:
      The same as the considerations in section 3.2 of [RFC3023].

   Security considerations: See section 5.
   Interoperability considerations:
      None, except as noted in other sections of this document.

   Published specification: [JS15]
   Applications which use this media type:
      Script interpreters as discussed in this document.

   Additional information:

      Magic number(s):             n/a
      File extension(s):           .js
      Macintosh File Type Code(s): TEXT

   Person & email address to contact for further information:
      See Author's Address section.

   Intended usage:          COMMON
   Restrictions on usage:   n/a
   Author:                  See Author's Address section.
   Change controller:       The IESG.

etc….

Reference

http://www.rfc-editor.org/rfc/rfc4329.txt
https://developer.mozilla.org/ko/docs/Web/HTTP/Basics_of_HTTP/MIME_types