Making the Unexploitable Exploitable with X-Mixed-Replace on Firefox
Published: Fri, 25 Apr 2025 21:47:09 GMT
Updated: Fri, 25 Apr 2025 21:47:09 GMT
In this post, we’ll look at an interesting difference in how Firefox and Chrome handle the multipart/x-mixed-replace content type. While Chrome treats it as an image, Firefox renders it as HTML - something that can have implications for security. If you have reflected input somewhere in a page, such as inside an HTML attribute, but can’t break out of it directly, controlling the content type and abusing the way boundaries are handled might be enough to turn an otherwise non-exploitable XSS into a real one.
The multipart/x-mixed-replace content type behaves quite differently in Firefox, and not in ways you'd expect. Firefox is surprisingly lenient about what qualifies as a boundary - you can even use something like a <script> tag, and it won’t complain. These boundaries define where the browser should start rendering the next chunk of content, and that’s where things get interesting: everything before the boundary is discarded.
Consider the following HTML:
<!doctype html> <html> <body> <img id="reflection<iframe onload=alert(1)>"> </body> </html>
Normally, the <iframe> isn’t rendered because it’s stuck inside an id attribute, where it's treated as a harmless string. But if you inject a boundary inside that id, and you control the content type, Firefox will start rendering from the boundary itself. That means the <iframe> suddenly becomes active HTML. Even better, boundaries rely on newlines which are rarely filtered.
Here's what an exploit looks like:
<?php header('Content-Type: multipart/x-mixed-replace; boundary=foo'); ?> <!doctype html> <html> <body> <img id=" foo <iframe onload=alert(1)> "> </body> </html>
The preceding example uses foo as a boundary in the content type header. The new lines are all that's needed inside the attribute for the boundary to be valid, you don't even need a closing boundary. The image is discarded and everything after the boundary is rended which means the iframe is and the event executes! You can view this online here:
Hope you enjoyed this post.