
The OWASP Application Security Verification Standard (ASVS), Version 3, states in clause V11.2:

Verify that every HTTP response contains a content type header specifying a safe character set (e.g., UTF-8, ISO 8859-1).

What would be the threat of neglecting this requirement, and how could this be exploited?

asked by countermode; edited by Sajjad Pourali
  • [UTF-7 XSS](https://security.stackexchange.com/questions/47489/utf-7-xss-attacks-in-modern-browsers) is one thing I can think of. – tim May 04 '16 at 19:57
  • UTF-7 XSS is a specific type of attack. This is one aspect of the vulnerability. Beware that the browser's decision, based on Content-Type HTTP headers and HTML meta tags, on how to interpret the characters can be vague. If the browser accepts a meta tag over the value of the header, just setting the encoding scheme doesn't fully solve encoding vulnerabilities; how the webapp (the prog lang & s/w libraries) handles characters is where the true problem lies. Think: percent encoding, double encoding & NULL byte encoding. – eTo-san May 17 '16 at 16:03

2 Answers


It decreases client-side attacks.

For example: if the page that the XSS resides on doesn't provide a page charset header, or if the browser is set to UTF-7 encoding, it can be exploited with the following payload (UTF-7 encoding):

    +ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-

And it is hard to prevent XSS attacks.

More info: XSS with UTF-7

– Sajjad Pourali
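The following is an added example, not part of the original question or answers, that makes the answer above concrete. It uses Python's built-in UTF-7 codec to stand in for a browser that has decided a page is UTF-7, and shows three things: the payload quoted above decodes to a plain `<SCRIPT>` element; a standard HTML-escaping step leaves the payload untouched, because it contains none of the characters an escaper looks for; and a response that declares `Content-Type: text/html; charset=utf-8` is what takes that decision away from the browser. The names `decode_as_utf7`, `passes_asvs_v11_2` and `SAFE_CHARSETS` are this example's own; ASVS gives UTF-8 and ISO-8859-1 as examples of safe character sets, and the set is kept to those two here. Current Chrome and Firefox no longer decode UTF-7 at all (it is not in the WHATWG Encoding Standard), so this particular payload only matters against legacy browsers, but the header check is what the verification clause asks for.

```python
import codecs
import html
from email.message import Message

# Character sets ASVS v3 V11.2 names as examples of "safe". Compared in
# lower case; limiting the set to these two is this example's own choice.
SAFE_CHARSETS = {"utf-8", "iso-8859-1"}


def decode_as_utf7(body: str) -> str:
    """What a browser renders if it decides (or is told) the page is UTF-7.

    Python's decoder treats every ASCII character other than '+' as a
    direct character, matching the lenient legacy browser behaviour the
    answer describes.
    """
    return codecs.decode(body.encode("ascii"), "utf-7")


def escape_then_sniff_as_utf7(untrusted: str) -> str:
    """Server escapes <, > and &, then the browser decodes the page as UTF-7.

    quote=False so only <, > and & are touched, as many template escapers do.
    A UTF-7-encoded payload contains none of them and passes through intact.
    """
    escaped = html.escape(untrusted, quote=False)
    return decode_as_utf7(escaped)


def charset_of(content_type: str):
    """Lower-cased charset parameter of a Content-Type value, or None."""
    msg = Message()
    msg["Content-Type"] = content_type
    return msg.get_content_charset()


def passes_asvs_v11_2(headers: dict) -> bool:
    """True if the response declares a Content-Type with a safe charset.

    Header names are matched case-insensitively, as HTTP requires; a missing
    Content-Type or a missing/unsafe charset fails the check.
    """
    for name, value in headers.items():
        if name.lower() == "content-type":
            return charset_of(value) in SAFE_CHARSETS
    return False


if __name__ == "__main__":
    # Constructed sample: the payload quoted in the answer above.
    payload = "+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-"
    print(decode_as_utf7(payload))  # <SCRIPT>alert('XSS');</SCRIPT>
    # Escaping changes nothing: no <, > or & in the UTF-7 form.
    print(escape_then_sniff_as_utf7("+ADw-script+AD4-alert(1)+ADw-/script+AD4-"))
    # Constructed sample response headers.
    print(passes_asvs_v11_2({"Content-Type": "text/html; charset=UTF-8"}))  # True
    print(passes_asvs_v11_2({"Content-Type": "text/html"}))                 # False
    print(passes_asvs_v11_2({"content-type": "text/html; charset=utf-7"}))  # False
```

`passes_asvs_v11_2` is the kind of check a scanner applies per response; run it against every response of an application, not just HTML pages, since the clause says "every HTTP response".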

The 2008 paper from Blake Franz of Leviathan Security -- http://www.leviathansecurity.com/white-papers/flirting-with-mime-types -- identifies some of the original problem spaces with character sets.

Some tools correctly identify and explain this problem, such as Burp Suite Professional -- https://portswigger.net/KnowledgeBase/Issues/Details/00800200_HTMLdoesnotspecifycharset

You will see mention of character sets in the OWASP Testing Guides on Stored XSS:

This design flaw can be exploited in browser MIME mishandling attacks. For instance, innocuous-looking files like JPG and GIF can contain an XSS payload that is executed when they are loaded by the browser. This is possible when the MIME type for an image such as image/gif can instead be set to text/html. In this case the file will be treated by the client browser as HTML.

Also consider that Internet Explorer does not handle MIME types in the same way as Mozilla Firefox or other browsers do. For instance, Internet Explorer handles TXT files with HTML content as HTML content. For further information about MIME handling, refer to the whitepapers section at the bottom of this chapter.

Further information can be found on the Wikipedia page under Charset Sniffing -- https://en.wikipedia.org/wiki/Content_sniffing

– atdre