Python Accept Any Mime Header
Description
Detects Python HTTP client requests that accept any content type (an Accept header of "*/*") without validating what the server actually returns. A server or intermediary could then deliver malicious content under a misleading content type, potentially leading to MIME type confusion attacks.
Detection Strategy
• Identifies HTTP client calls that use request methods such as 'get', 'post', etc.
• Checks whether the request's headers are configured to accept any content type (an Accept header of "*/*")
• Verifies that the request originates from a client connection context
• Reports a vulnerability when such a request method accepts arbitrary MIME types without further validation
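The detection strategy above can be expressed as a small static check. The following is an added example, not Fluid Attacks' own analyzer: it uses Python's standard ast module to find requests.<method>(..., headers=...) calls whose Accept header contains "*/*", resolving the headers dict either inline or through a simple module-level assignment. The source it scans is a constructed sample modelled on the page's vulnerable example.

```python
import ast

# Constructed sample source to scan, modelled on the page's vulnerable example.
SAMPLE_SOURCE = '''
import requests

headers = {"Accept": "*/*"}
response = requests.get("https://api.example.com", headers=headers)
ok = requests.post("https://api.example.com", headers={"Accept": "application/json"})
'''

# Request methods of the requests library that take a headers keyword.
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}


def _accept_values(node, assignments):
    """Return the Accept header values found in a dict literal, or in a name bound to one."""
    if isinstance(node, ast.Name):
        node = assignments.get(node.id)
    if not isinstance(node, ast.Dict):
        return []
    values = []
    for key, value in zip(node.keys, node.values):
        if (isinstance(key, ast.Constant) and str(key.value).lower() == "accept"
                and isinstance(value, ast.Constant)):
            values.append(str(value.value))
    return values


def find_wildcard_accept(source):
    """Return (line, method) for each requests.<method>() call whose Accept header allows */*."""
    tree = ast.parse(source)

    # Record simple `name = <expr>` assignments so `headers=headers` can be resolved.
    assignments = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            assignments[node.targets[0].id] = node.value

    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        func = node.func
        # Only calls of the form requests.<method>(...) are HTTP client requests here.
        if not (isinstance(func.value, ast.Name) and func.value.id == "requests"
                and func.attr in HTTP_METHODS):
            continue
        for kw in node.keywords:
            if kw.arg != "headers":
                continue
            for value in _accept_values(kw.value, assignments):
                # "*/*" anywhere in the comma-separated list accepts any type.
                if "*/*" in value.replace(" ", "").split(","):
                    findings.append((node.lineno, func.attr))
    return findings


if __name__ == "__main__":
    for line, method in find_wildcard_accept(SAMPLE_SOURCE):
        print(f"line {line}: requests.{method}() accepts any MIME type (Accept: */*)")
```

The check deliberately flags "*/*" even when it appears alongside specific types (for example "text/html, */*"), since the wildcard still lets the server choose any representation; the safe call on line 6 of the sample is not reported.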
Vulnerable code example
import requests
# Unsafe: "*/*" in the Accept header tells the server any content type is acceptable,
# so the client will happily receive and process whatever representation it is sent
headers = {"Accept": "*/*"}
# Vulnerable HTTP request with the unsafe header
response = requests.get("https://api.example.com", headers=headers)
✅ Secure code example
import requests
# Safe: explicitly list the content types the client is prepared to handle
headers = {
    "Accept": "application/json, text/plain",  # Only accept specific content types
    "Accept-Language": "en-US,en;q=0.9",
}
# Request with explicit Accept header (call completed to match the vulnerable example above)
response = requests.get("https://api.example.com", headers=headers)

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.
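An explicit Accept header only states a preference; a server can still answer with a different Content-Type. The following added example (not part of the original page or of Fluid Attacks' code) complements the secure example by also checking the Content-Type the server returns against the same allowlist before the body is parsed. It uses only the standard library (urllib.request, which the page imports); the check_content_type helper and its allowlist are assumptions for illustration.

```python
import json
import urllib.request

# Allowlist mirroring the secure example's Accept header (constructed for this example).
ALLOWED_TYPES = ("application/json", "text/plain")


def check_content_type(content_type_header, allowed=ALLOWED_TYPES):
    """Return the bare media type if it is allowlisted; raise ValueError otherwise.

    Parameters such as "; charset=utf-8" are ignored, and a missing header is
    treated as a failure rather than defaulting to any type.
    """
    if not content_type_header:
        raise ValueError("response carries no Content-Type header")
    media_type = content_type_header.split(";", 1)[0].strip().lower()
    if media_type not in allowed:
        raise ValueError(f"unexpected Content-Type {media_type!r}, expected one of {allowed}")
    return media_type


def fetch_json(url, timeout=10):
    """GET a JSON resource, refusing to parse a body whose declared type is not JSON."""
    # Explicit Accept header instead of "*/*", as in the secure example.
    request = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        # Validate the server's Content-Type before trusting the body.
        check_content_type(response.headers.get("Content-Type"), allowed=("application/json",))
        body = response.read()
    return json.loads(body)


if __name__ == "__main__":
    # Constructed header values showing what the check accepts and rejects.
    print(check_content_type("application/json; charset=utf-8"))  # accepted
    try:
        check_content_type("text/html")
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting a mismatched Content-Type before parsing means a response that arrives as text/html or application/octet-stream is never handed to json.loads or any other consumer that assumed the requested type.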