Http Content Type Header Missing
Description
This detector identifies responses that carry a body but lack a Content-Type header. Without an explicit type, browsers fall back to MIME sniffing: they guess the type from the bytes and may render or execute content that the server never intended to be interpreted that way. The risk is greatest when the response is not explicitly marked as a downloadable attachment, since an attachment is saved rather than rendered inline.
Detection Strategy
• The HTTP response contains non-empty content (body is not just whitespace)
• The Content-Type header is completely missing from the response
• Either no Content-Disposition header is present, or, if present, its value does not contain 'attachment' (matched case-insensitively)
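The three conditions above implemented as a small checker, added here as an example rather than Fluid Attacks' own detector code; the raw responses are constructed samples and the parser is deliberately minimal (no chunked transfer decoding).

```python
"""Flag HTTP responses that carry a body but no Content-Type header."""
from dataclasses import dataclass, field


@dataclass
class HttpResponse:
    status: int
    headers: dict = field(default_factory=dict)  # lower-cased name -> value
    body: bytes = b""


def parse_response(raw: bytes) -> HttpResponse:
    """Minimal parser for a raw HTTP/1.x response (headers split from body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Header names are case-insensitive, so normalise them once here
        headers[name.strip().lower()] = value.strip()
    return HttpResponse(status, headers, body)


def missing_content_type(resp: HttpResponse) -> bool:
    """True when all three detector conditions hold for this response."""
    if not resp.body.strip():            # condition 1: body is not just whitespace
        return False
    if "content-type" in resp.headers:   # condition 2: header present -> not flagged
        return False
    disposition = resp.headers.get("content-disposition", "")
    # condition 3: an explicit attachment download is saved, not rendered
    return "attachment" not in disposition.lower()


# Constructed sample responses (not captured traffic)
SAMPLES = {
    "no-type": b"HTTP/1.1 200 OK\r\nServer: demo\r\n\r\n<html><p>hi</p></html>",
    "attachment": b"HTTP/1.1 200 OK\r\nContent-Disposition: Attachment; "
                  b"filename=\"r.bin\"\r\n\r\n\x00\x01\x02",
    "typed": b"HTTP/1.1 200 OK\r\ncontent-type: text/plain\r\n\r\nhello",
    "empty": b"HTTP/1.1 204 No Content\r\n\r\n   \r\n",
}


def flagged_samples() -> list:
    """Names of the samples the detector would report."""
    return [name for name, raw in SAMPLES.items()
            if missing_content_type(parse_response(raw))]


if __name__ == "__main__":
    print("flagged:", flagged_samples())
```

Note that the detector covers only the missing-header case; a response that does set Content-Type but omits `X-Content-Type-Options: nosniff` is out of its scope, though sending both is the usual fix.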