Charset Mismatch

Type: Passive Scan


This check identifies responses where the HTTP Content-Type header declares a charset different from the charset defined by the body of the HTML or XML. When there's a charset mismatch between the HTTP header and content body Web browsers can be forced into an undesirable content-sniffing mode to determine the content's correct character set.

An attacker could manipulate content on the page to be interpreted in an encoding of their choice. For example, if an attacker can control content at the beginning of the page, they could inject script using UTF-7 encoded text and manipulate some browsers into interpreting that text.


Force UTF-8 for all text content in both the HTTP header and meta tags in HTML or encoding declarations in XML.



Last updated: 2020-04-30 16:12:39.623Z