Unexpected Content-Type was returned
Reference
Plugin Id: 100001
Remediation
To remediate the vulnerability of “Unexpected Content-Type was returned,” you can take the following steps:
- Validate the expected Content-Type: Ensure that the server is returning the expected Content-Type for API responses. This can be done by checking the server-side code that generates the response and verifying that it sets the appropriate Content-Type header. For example, in a Node.js application using Express, you can set the Content-Type header like this:

    res.setHeader('Content-Type', 'application/json');

  Make sure to set the correct Content-Type based on the expected response format (e.g., application/json for JSON responses).
- Implement strict Content-Type checking: Modify the server-side code to perform strict Content-Type checking. This means that the server should only accept and process requests with the expected Content-Type. For example, in a Java Spring application, you can use the consumes attribute in the request mapping to specify the expected Content-Type:

    @RequestMapping(value = "/api/endpoint", method = RequestMethod.POST, consumes = "application/json")

  This ensures that only requests with the Content-Type of “application/json” will be accepted.
- Implement response validation: On the client-side, validate the Content-Type of the response received from the server. If the Content-Type is unexpected, handle it as an error or raise an alert. This can be done using appropriate programming language constructs or libraries. For example, in JavaScript, you can check the Content-Type header of a response using the getResponseHeader method:

    // Compare only the media type: the header may carry parameters such as "; charset=utf-8",
    // and a missing header must also be treated as unexpected.
    const contentType = (xhr.getResponseHeader('Content-Type') || '').split(';')[0].trim().toLowerCase();
    if (contentType !== 'application/json') {
      // Handle unexpected Content-Type
    }
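The three remediation steps above, worked through as one added example in plain JavaScript; this is not code from the alert page or from the “Alert on Unexpected Content Types” script, and the function names and the constructed sample requests and responses are assumptions. It goes slightly beyond the exact-string comparison shown above: the header is parsed into its media type and parameters, so a response such as `application/json; charset=utf-8` is accepted while a missing, malformed, or wrong media type is rejected on both the request (server-side consumes check) and the response (client-side validation) side.

```javascript
// Added example (hypothetical helpers, not from the alert page): parse and
// validate Content-Type headers for requests and responses.

// Parse "type/subtype; param=value; ..." into its media type and parameters.
// Media type and parameter names are case-insensitive, so they are lower-cased;
// parameter values keep their case. Returns null for a missing or malformed header.
function parseContentType(header) {
  if (typeof header !== 'string' || header.trim() === '') {
    return null;
  }
  const [mediaType, ...rawParams] = header.split(';');
  const type = mediaType.trim().toLowerCase();
  // Require exactly "token/token" with no whitespace or empty parts.
  const token = "[!#$%&'*+.^_`|~0-9a-z-]+";
  if (!new RegExp('^' + token + '/' + token + '$').test(type)) {
    return null;
  }
  const params = {};
  for (const raw of rawParams) {
    const eq = raw.indexOf('=');
    if (eq === -1) continue;
    const name = raw.slice(0, eq).trim().toLowerCase();
    let value = raw.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    if (name) params[name] = value;
  }
  return { type, params };
}

// True when the header's media type is in the allow-list, ignoring parameters
// such as charset. A missing or malformed header is never "expected".
function isExpectedContentType(header, allowedTypes) {
  const parsed = parseContentType(header);
  if (parsed === null) return false;
  return allowedTypes.map((t) => t.toLowerCase()).includes(parsed.type);
}

// Server side (the "consumes" step): decide whether a request body may be
// processed. Returns a result the caller turns into an HTTP response.
function checkRequestContentType(headers, allowedTypes) {
  const header = headers['content-type'];
  if (isExpectedContentType(header, allowedTypes)) {
    return { ok: true };
  }
  return { ok: false, status: 415, reason: 'Unsupported Media Type' };
}

// Client side (the response-validation step): refuse to hand the body to a
// parser unless the media type is one the API is documented to return.
// Returns the normalized media type on success and throws otherwise.
function validateResponse(response, allowedTypes) {
  const header = response.headers['content-type'];
  if (!isExpectedContentType(header, allowedTypes)) {
    throw new Error('Unexpected Content-Type: ' + (header === undefined ? '<missing>' : header));
  }
  return parseContentType(header).type;
}

// Constructed sample traffic (not captured from any real system).
function demo() {
  const allowed = ['application/json'];
  const results = [];
  results.push(checkRequestContentType({ 'content-type': 'application/json; charset=utf-8' }, allowed).ok);
  results.push(checkRequestContentType({ 'content-type': 'text/plain' }, allowed).ok);
  results.push(checkRequestContentType({}, allowed).ok);
  results.push(validateResponse({ headers: { 'content-type': 'Application/JSON' }, body: '{}' }, allowed));
  try {
    validateResponse({ headers: { 'content-type': 'text/html; charset=utf-8' }, body: '<html>' }, allowed);
    results.push('accepted');
  } catch (e) {
    results.push('rejected');
  }
  return results; // → [true, false, false, 'application/json', 'rejected']
}

console.log(demo());
```

Keeping the allow-list as exact media types (rather than a prefix or substring match) is deliberate: a prefix check on `application/json` would also accept an unrelated `application/jsonx`, and a substring check would accept anything that merely mentions the type in a parameter.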
About
The vulnerability “Unexpected Content-Type was returned” occurs when the server returns a Content-Type that is not one of the expected types for an API. APIs typically have specific Content-Type expectations, such as “application/json” for JSON responses or “application/xml” for XML responses. When the server returns an unexpected Content-Type, it can indicate a misconfiguration or a potential security issue.
This vulnerability is raised by the “Alert on Unexpected Content Types” script, which monitors the Content-Type of API responses and alerts when an unexpected type is detected.
Risks
The risks associated with the vulnerability of “Unexpected Content-Type was returned” include:
- Data integrity issues: If the server returns an unexpected Content-Type, it may indicate that the response data is not in the expected format. This can lead to data integrity issues, as the client may not be able to correctly parse or process the response.
- Security vulnerabilities: An unexpected Content-Type can be an indication of a security vulnerability. Attackers may attempt to exploit this vulnerability by manipulating the Content-Type header to bypass security controls or inject malicious content.
- Application instability: If the server consistently returns unexpected Content-Types, it can cause instability in the client application. The application may not be able to handle the unexpected types correctly, leading to crashes, errors, or unexpected behavior.