Skip to main content

Insecure or unset HTTP headers - Accept

Description#

The application does not set the Accept header or allows any MIME type in the requests. An attacker could abuse this feature to cause unexpected behaviors when the application interprets incorrect content-types.

Impact#

Lead to unexpected behaviors due to content type misinterpretations

Recommendation#

  • Set the Accept Header in client requests.
  • Define explicitly the allowed content types for the application
  • Deny all request that contain a content type different from the expected by the application.

Threat#

Anonymous attacker from the Internet

Score#

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base#

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal#

  • Exploit code madurity: U
  • Remediation level: U
  • Report confidence: R

Result#

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:U/RC:R
  • Score:
    • Base: 3.7
    • Temporal: 3.3
  • Severity:
    • Base: Low
    • Temporal: Low

Requirements#