If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks.
This check looks at user-supplied input in query string parameters and POST data to identify where the charset in the Content-Type response header or in a meta tag might be user-controlled. The charset declaration should always be set by the application itself. An attacker who controls the response charset changes how the browser decodes the HTML and can use that to perform XSS or other attacks. For example, an attacker who can set the charset to UTF-7 and can place enough user-controlled content early in the HTML document can have that content decoded as UTF-7. A payload written in UTF-7 contains no literal <, > or quote characters, so server-side output encoding and filters that look for those characters leave it untouched, yet once the browser applies UTF-7 the same bytes decode into script. Current browsers that follow the WHATWG Encoding Standard no longer decode UTF-7, but a charset switch the attacker controls still changes how every byte of the response is interpreted, so the declaration itself must not be user-controlled.
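The following is an added example, not code from the scanner or from the page. It encodes a constructed XSS payload as UTF-7 with every markup character pushed into a base64 shift sequence (Python's own utf-7 encoder writes < and > directly, so the hostile encoder is written by hand), shows that html.escape, assumed here to stand in for the application's server-side output encoding, changes nothing because it never sees a special character, and then decodes the same bytes under UTF-8 and UTF-7 to show the difference the charset makes. The content_type_for function at the end is an assumed allow-list resolver for the remediation.

```python
import base64
import html
from typing import Optional

# Characters the hostile encoder leaves as plain ASCII. Everything else,
# including < > " ' & = and +, goes into a UTF-7 base64 shift sequence so
# that a byte-level filter never sees a markup character.
DIRECT = set("abcdefghijklmnopqrstuvwxyz"
             "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
             "0123456789"
             "(),-./:? ")


def utf7_encode_hostile(text: str) -> str:
    """UTF-7 encode `text`, base64-encoding every character outside DIRECT.

    RFC 2152 permits Set O characters (< > " etc.) to be written directly
    and Python's 'utf-7' codec does so; an attacker deliberately does not,
    because the whole point is to hide those characters from the server.
    """
    out, run = [], []

    def flush() -> None:
        if run:
            utf16 = "".join(run).encode("utf-16-be")          # UTF-7 carries UTF-16
            b64 = base64.b64encode(utf16).decode("ascii").rstrip("=")
            out.append("+" + b64 + "-")                       # '+' opens, '-' closes
            run.clear()

    for ch in text:
        if ch in DIRECT:
            flush()
            out.append(ch)
        else:
            run.append(ch)
    flush()
    return "".join(out)


def decode_as(payload: str, charset: str) -> str:
    """What a client that believes the page is in `charset` makes of the
    ASCII bytes of `payload`."""
    return payload.encode("ascii").decode(charset)


def server_side_escape(value: str) -> str:
    """Stand-in (assumption) for the application's output encoding.  It only
    neutralises the characters it can see in the byte stream."""
    return html.escape(value, quote=True)


# Remediation: resolve an untrusted charset request against an allow list.
ALLOWED_CHARSETS = {"utf-8"}


def content_type_for(requested: Optional[str]) -> str:
    """Build the Content-Type header from an untrusted charset value
    (hypothetical helper).  Anything outside the allow list, 'utf-7'
    included, degrades to UTF-8 and the supplied string is never echoed."""
    wanted = (requested or "").strip().lower()
    charset = wanted if wanted in ALLOWED_CHARSETS else "utf-8"
    return f"text/html; charset={charset}"


if __name__ == "__main__":
    # Constructed payload, as an attacker would submit it in a parameter.
    payload = utf7_encode_hostile("<script>alert(1)</script>")
    print(payload)                                  # +ADw-script+AD4-alert(1)+ADw-/script+AD4-
    print(server_side_escape(payload) == payload)   # True: escaping is a no-op
    print(decode_as(payload, "utf-8"))              # still inert text
    print(decode_as(payload, "utf-7"))              # <script>alert(1)</script>
    print(content_type_for("utf-7"))                # text/html; charset=utf-8
```

The same allow-list rule applies to the meta tag: emit a fixed <meta charset="utf-8"> rather than interpolating anything derived from the request, and put the charset on the Content-Type header as well, since the header is what the browser trusts first.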
Set charset=utf-8 explicitly in every charset declaration, both in the Content-Type response header and in the meta tag. If user input must influence which charset is declared, compare it against an allow list of known encodings and fall back to UTF-8 for anything else; never echo the supplied value into the header or the page.
The web/application server is leaking information via one or more “X-Powered-By” HTTP response headers.