4

I've come across an API of a web application I'm testing, which reflects with unescaped, unencoded, user-controlled data for some requests. However, the response includes the header Content-Type: application/json;charset=UTF-8.

The response body is simply a JSON, like the following:

{"name":"foo","title":"bar"}

I did try to perform a simple XSS (classic <script>alert(1)</script>), but the script isn't executed.

{"name":"<script>alert(1)</script>","title":"bar"}

I've read through this question, but they do not seem to discuss the impact of the content-type header. OWASP seems to flag the response-type as "good" in this article.

My question is if the Content-Type header in the response has an impact on the exploitability of XSS and possibly other vulnerabilities?

SaAtomic

1 Answer

5

My question is if the Content-Type header in the response has an impact on the exploitability of XSS and possibly other vulnerabilities?

Yes, the content type makes a difference. XSS only applies to documents that are capable of running active (script) content in the first place.

A page with the MIME type application/json can't contain active content. To the browser it's just data. The situation would be similar with text/plain, text/javascript, image/jpeg, etc.

XSS would be possible with a MIME type of e.g. text/html, image/svg+xml, text/xml and many others. In some cases, vendor-related types such as application/x-shockwave-flash may have an XSS potential, too.

Arminius
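As an added example (not part of the question or the answer above), the following Python script encodes the answer's rule as a check a tester can run over captured responses: a reflected payload is an XSS concern only when the response's declared MIME type is one the browser renders as a script-capable document (text/html, image/svg+xml, text/xml, ...), not when it is a data type such as application/json, text/plain or image/jpeg. The sample responses are constructed here, modelled on the ones quoted in the question. The X-Content-Type-Options: nosniff check is an addition beyond the page: the conclusion rests entirely on the declared type, and that header is what tells the browser not to second-guess it, so a defender wants to see it alongside the JSON content type.

```python
"""Classify a reflected-input finding by the response's Content-Type.

Added example, not code from the original question or answer. Encodes the
rule given in the answer: reflected input is an XSS concern only when the
browser treats the document as script-capable, not when it is plain data.
The nosniff check is an addition beyond the page (see lead-in).
"""
import json

# MIME types the answer names as script-capable (list kept deliberately short).
SCRIPT_CAPABLE = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
}

# MIME types the answer names as inert data for the purpose of XSS.
INERT = {
    "application/json",
    "text/plain",
    "text/javascript",
    "application/javascript",
    "image/jpeg",
    "image/png",
}


def parse_content_type(value):
    """Split a Content-Type value into (mime_type, params).

    'application/json;charset=UTF-8' -> ('application/json', {'charset': 'UTF-8'})
    """
    parts = [p.strip() for p in value.split(";")]
    mime = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            params[key.strip().lower()] = val.strip().strip('"')
    return mime, params


def classify(headers, body, payload):
    """Decide whether a reflected payload in this response is an XSS concern.

    headers: dict of response headers (looked up case-insensitively)
    body:    response body as text
    payload: the user-controlled string that was sent
    Returns 'not-reflected', 'reflected-script-capable', 'reflected-inert',
    'reflected-inert-sniffable' or 'reflected-unknown-type'.
    """
    if payload not in body:
        return "not-reflected"
    lower = {k.lower(): v for k, v in headers.items()}
    mime, _params = parse_content_type(lower.get("content-type", ""))
    nosniff = lower.get("x-content-type-options", "").strip().lower() == "nosniff"
    if mime in SCRIPT_CAPABLE:
        # Browser renders this as markup: reflected input can become script.
        return "reflected-script-capable"
    if mime in INERT or mime.endswith("+json"):
        # Data document: the browser does not execute markup inside it (the
        # answer's point). Flag when nosniff is absent so the finding records
        # that the declared type is the only thing the conclusion rests on.
        return "reflected-inert" if nosniff else "reflected-inert-sniffable"
    return "reflected-unknown-type"


# Constructed sample data modelled on the responses quoted in the question.
PAYLOAD = "<script>alert(1)</script>"
BODY = json.dumps({"name": PAYLOAD, "title": "bar"})  # payload reflected verbatim

SAMPLES = {
    "json": {"Content-Type": "application/json;charset=UTF-8"},
    "json_nosniff": {
        "Content-Type": "application/json;charset=UTF-8",
        "X-Content-Type-Options": "nosniff",
    },
    "html": {"Content-Type": "text/html; charset=utf-8"},
}


def demo():
    """Run the classifier over the constructed samples; returns name -> verdict."""
    return {name: classify(hdrs, BODY, PAYLOAD) for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} {verdict}")
```

Feeding the same reflected body through the classifier with only the Content-Type changed reproduces the answer's distinction: the JSON response is inert, the identical bytes served as text/html are a script-capable document.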