| Details | |
|---|---|
| Alert ID | 90011 |
| Alert Type | Passive |
| Status | release |
| Risk | Informational |
| CWE | 436 |
| WASC | 15 |
| Technologies Targeted | All |
| Tags | |
| More Info |
Scan Rule Help |
Summary
This check identifies responses where the HTTP Content-Type header declares a charset different from the charset defined by the body of the HTML or XML. When there’s a charset mismatch between the HTTP header and content body Web browsers can be forced into an undesirable content-sniffing mode to determine the content’s correct character set.
An attacker could manipulate content on the page to be interpreted in an encoding of their choice. For example, if an attacker can control content at the beginning of the page, they could inject script using UTF-7 encoded text and manipulate some browsers into interpreting that text.