Javascript Accepts Wildcard Mime
Description
Detects JavaScript code that accepts responses with unrestricted MIME types, that is, an Accept header built from wildcards such as */* or */*;q=0.8. This is a security risk because the client then processes whatever content type the server (or an attacker who controls the response) sends back, instead of only the type it was designed to handle, which can lead to XSS or content injection attacks.
Detection Strategy
• Check JavaScript HTTP client configurations and request headers for 'Accept: */*' patterns
• Identify code that sets or allows wildcard MIME types in content type validations
• Look for AJAX or fetch API calls that don't properly restrict accepted content types
• Flag instances where content type checks are missing or allow arbitrary MIME types
Vulnerable code example

```javascript
import axios from 'axios';
import $ from 'jquery';

async function unsafeRequests(url) {
  // Dangerous: Accept: "*/*" allows any content type, enabling MIME sniffing attacks
  const dangerousHeaders = { Accept: "*/*" };
  // Vulnerable: Setting unsafe Accept header globally...
  axios.defaults.headers.common.Accept = dangerousHeaders.Accept;
  const response = await axios.get(url);
  // Same problem through jQuery: no restriction on what the body may be
  const fromJquery = await $.ajax({ url, headers: dangerousHeaders });
  return [response.data, fromJquery];
}
```

Secure code example

```javascript
import axios from 'axios';
import $ from 'jquery';

async function safeRequests(url) {
  // Safe: Explicitly specify expected content type to prevent MIME sniffing
  const safeHeaders = {
    Accept: 'application/json',
    'Content-Type': 'application/json'
  };
  // responseType: 'json' makes axios parse the body as JSON instead of guessing from the response
  const response = await axios.get(url, { headers: safeHeaders, responseType: 'json' });
  // dataType: 'json' makes jQuery reject a body that is not valid JSON
  const fromJquery = await $.ajax({ url, headers: safeHeaders, dataType: 'json' });
  return [response.data, fromJquery];
}
```
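The two examples above show the header being set; the detection strategy also asks for the Accept value and the response's content type to be checked. The following is an added example, not code from the page or from Fluid Attacks' rule implementation: `isWildcardAccept()` implements the "flag wildcard MIME types" check over an Accept header value (including weighted ranges such as `*/*;q=0.8`, and treating a `q=0` range as "not acceptable" rather than as a wildcard), and `assertResponseType()` enforces an allow-list on the response's Content-Type before the body is parsed. `fetchStrict()` combines both around the Fetch API; its `fetchImpl` parameter is an assumption made so the function can be exercised offline with a fake fetch.

```javascript
// Added example, not from the original page. Helpers that apply the rule
// above on both sides of a request: the Accept header that goes out and the
// Content-Type that comes back.

// Parse one media range such as "text/html; charset=utf-8" or "*/*;q=0.8"
// into { type, subtype, params }. Type and subtype are lower-cased.
function parseMediaRange(range) {
  const [mediaType, ...paramParts] = range.split(';').map((s) => s.trim());
  const [type = '', subtype = ''] = mediaType.toLowerCase().split('/');
  const params = {};
  for (const part of paramParts) {
    const [key, value = ''] = part.split('=');
    params[key.trim().toLowerCase()] = value.trim().replace(/^"|"$/g, '');
  }
  return { type, subtype, params };
}

// True when any range in the Accept value admits arbitrary media types
// (*/* or type/*). A range with q=0 means "not acceptable" and is ignored.
function isWildcardAccept(acceptValue) {
  if (typeof acceptValue !== 'string') return false;
  return acceptValue.split(',').some((range) => {
    if (range.trim() === '') return false;
    const { type, subtype, params } = parseMediaRange(range);
    if (params.q !== undefined && Number.parseFloat(params.q) === 0) return false;
    return type === '*' || subtype === '*';
  });
}

// Returns the normalised media type of the response when it is in the
// allow-list; throws otherwise. A missing header is a failure too, because
// the only alternative would be to sniff the body.
function assertResponseType(contentTypeHeader, allowedTypes) {
  if (!contentTypeHeader) {
    throw new Error('Response has no Content-Type header; refusing to parse body');
  }
  const { type, subtype } = parseMediaRange(contentTypeHeader);
  const actual = `${type}/${subtype}`;
  if (!allowedTypes.includes(actual)) {
    throw new Error(`Unexpected Content-Type "${actual}"; expected one of: ${allowedTypes.join(', ')}`);
  }
  return actual;
}

// Fetch wrapper (hypothetical helper): refuses to send a wildcard Accept and
// refuses to return a response whose Content-Type is not one of the
// explicitly requested types. fetchImpl defaults to the global fetch.
async function fetchStrict(url, accept, fetchImpl = globalThis.fetch) {
  if (isWildcardAccept(accept)) {
    throw new Error(`Refusing to send wildcard Accept header "${accept}"`);
  }
  const expected = accept
    .split(',')
    .map((range) => parseMediaRange(range))
    .map(({ type, subtype }) => `${type}/${subtype}`);
  const response = await fetchImpl(url, { headers: { Accept: accept } });
  assertResponseType(response.headers.get('content-type'), expected);
  return response;
}
```

A usage note on defaults: axios sends `Accept: application/json, text/plain, */*` when the caller sets nothing, so a client that never touches the header still falls under this rule; run `isWildcardAccept()` over the effective header value (after defaults and interceptors), not only over literals in source.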