
False positives

Chris Nov 13, 2019 02:43PM UTC

I am getting too many false positives of the "Content type incorrectly stated" vulnerability all the time. My last occurrence is:

'''The response states that the content type is font/x-woff. However, it actually appears to contain unrecognized content.'''

The response starts with wOFF and some binary stuff follows. When I issue the "file" command on that it says: Web Open Font Format, TrueType, length 83760, version 1.0

What method do you use to determine the response type?


Mike Eaton Nov 19, 2019 01:11PM UTC Support Center agent

Hi Chris, Would you be able to send the generated report of one of those reported vulnerabilities to support@portswigger.net?

Looking at your specified content type, ‘font/x-woff’ is non-standard (https://www.iana.org/assignments/media-types/media-types.xhtml#font). This could be why Burp is flagging it as an ‘incorrect’ MIME type.
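To make the distinction in this thread concrete, here is an added example (not Burp's or PortSwigger's code) that compares a response's declared Content-Type with the magic bytes at the start of the body, and separates a genuine mismatch from a non-standard alias such as font/x-woff for a real WOFF file. The signature list and the alias table other than font/x-woff are assumptions for illustration.

```python
"""Added example, not PortSwigger's code: compare a response's declared
Content-Type with what its leading bytes look like."""
from typing import Optional

# Magic-byte signatures for a few types (a constructed list, not Burp's).
SIGNATURES = [
    (b"wOFF", "font/woff"),
    (b"wOF2", "font/woff2"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"%PDF-", "application/pdf"),
]

# Non-standard names seen in the wild mapped to the IANA-registered type.
# font/x-woff comes from the thread above; the other entries are assumptions.
ALIASES = {
    "font/x-woff": "font/woff",
    "application/x-font-woff": "font/woff",
    "application/font-woff": "font/woff",
}

def sniff(body: bytes) -> Optional[str]:
    """Return the type implied by the magic bytes, or None if unrecognized."""
    for magic, mime in SIGNATURES:
        if body.startswith(magic):
            return mime
    return None

def declared_type(header: str) -> str:
    """Drop parameters such as '; charset=...' and normalize case."""
    return header.split(";", 1)[0].strip().lower()

def check_content_type(header: str, body: bytes) -> dict:
    """verdict: "match" (declared == sniffed), "alias" (declared is a
    non-standard name for the sniffed type), "mismatch", or "unrecognized"
    (magic bytes match nothing in SIGNATURES, so no judgement is possible)."""
    declared = declared_type(header)
    canonical = ALIASES.get(declared, declared)
    actual = sniff(body)
    if actual is None:
        verdict = "unrecognized"
    elif actual == declared:
        verdict = "match"
    elif actual == canonical:
        verdict = "alias"
    else:
        verdict = "mismatch"
    return {"declared": declared, "canonical": canonical,
            "actual": actual, "verdict": verdict}
```

A scanner that only knows the IANA names would report the alias case as a mismatch; keeping it as a separate verdict lets triage treat it as a labelling issue rather than a content-sniffing risk.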

