Skip to main content

Use octet stream downloads


The system should download files coming from untrusted sources, such as user-uploaded files, using octet stream downloads.


User-uploaded files should generally be considered to be untrusted input. If the appropriate Content Security Policy is not set when opening a file, browsers may render it and interpret potentially malicious code. Therefore, user-uploaded files should be served by either octet stream downloads, or from an unrelated domain, such as a cloud file storage bucket. This reduces the risk of XSS vectors or other attacks from the uploaded file.


  • CAPEC-19: Embedding Scripts within Scripts: An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The adversary leverages this capability to execute their own script by embedding it within other scripts that the target software is likely to execute. The adversary must have the ability to inject their script into a script that is likely to be executed.

  • CAPEC-165: File Manipulation: An attacker modifies file contents or attributes (such as extensions or names) of files in a manner to cause incorrect processing by an application.

  • CWE-646: Reliance on File Name or Extension of Externally-Supplied File: The software allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion.

  • CWE-1021: Improper Restriction of Rendered UI Layers or Frames: The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.

  • OWASP Top 10 A1:2017-Injection: Injection flaws, such as SQL, NoSQL, OS and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

  • OWASP Top 10 A7:2017-Cross-Site Scripting (XSS): XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

  • OWASP-ASVS v4.0.1 V1.12 Secure File Upload Architectural Requirements.(1.12.2): Verify that user-uploaded files, if required to be displayed or downloaded from the application, are served by either octet stream downloads, or from an unrelated domain, such as a cloud file storage bucket. Implement a suitable content security policy to reduce the risk from XSS vectors or other attacks from the uploaded file.

  • OWASP-ASVS v4.0.1 V12.5 File Download Requirements.(12.5.2): Verify that direct requests to uploaded files will never be executed as HTML/JavaScript content.

  • OWASP-ASVS v4.0.1 V14.4 HTTP Security Headers Requirements.(14.4.3): Verify that a content security policy (CSPv2) is in place that helps mitigate impact for XSS attacks like HTML, DOM, JSON, and JavaScript injection vulnerabilities.

  • PCI DSS v3.2.1 - Requirement 6.5.7: Address common coding vulnerabilities in software-development processes such as cross-site scripting (XSS).