Burp Suite User Forum


WOFF not recognized as a Content Type

Daniel | Last updated: Jun 23, 2016 01:44PM UTC

Most of the time that I see the "Content type incorrectly stated" issue these days it is related to WOFF (Web Open Font Format). This is the issue text: "The response states that the content type is application/font-woff. However, it actually appears to contain unrecognized content." This gives "Severity: Low, Confidence: Firm". I see a couple of issues:

1. Burp should recognise WOFF v1 and v2 binary data and match it up against the application/font-woff MIME type (and possibly others). The magic headers are "wOFF" and "wOF2" respectively.
2. Burp should not give "Confidence: Firm" if the content is unrecognized, otherwise the issue will always crop up for formats that Burp doesn't recognise. The phrase "However, it actually appears to contain unrecognized content" doesn't really mean much.

Thanks.

Burp User | Last updated: Jun 23, 2016 01:45PM UTC

(This is with version 1.7.03).

PortSwigger Agent | Last updated: Jun 24, 2016 08:48AM UTC

Thanks for this report. We agree with your assessment, and have captured a ticket in our backlog to improve Burp's recognition of common font formats.

Burp User | Last updated: Nov 16, 2018 06:25PM UTC

Just checked one WOFF file we serve with an online validator and it showed 109 passed tests and 1 note ("No metadata to test").

Burp User | Last updated: Nov 16, 2018 06:25PM UTC

Version 2.0.12beta here, still the same finding.

Liam, PortSwigger Agent | Last updated: Nov 19, 2018 10:18AM UTC

We still have this logged in our backlog.

Mike, PortSwigger Agent | Last updated: May 13, 2019 12:46PM UTC

Hi Floyd, thank you for the reminder. It appears to have gotten lost in our backlog of requests. We have notified the project manager for Burp Suite of this request for consideration in an upcoming release.

Burp User | Last updated: Dec 02, 2019 02:43PM UTC

Yearly reminder that this is probably one of the easiest false positives Burp Scanner could fix. All you need to do is check whether the Content-Type is stated as font/woff and check whether the response body starts with "wOFF" or "wOF2"... this problem is present on roughly every third website I encounter.

Ben, PortSwigger Agent | Last updated: Jul 28, 2023 08:23AM UTC

Hi all, we just wanted to let you know that the recent 2023.7 release should now resolve this issue. Burp Scanner should no longer erroneously report a 'Content Type Incorrectly Stated' issue when scanning font files, or content types that Burp does not recognize.

floyd | Last updated: Oct 03, 2023 11:43AM UTC

Thanks Ben. Unfortunately it still reports it, but differently:

"The response states that the content type is font/woff2. However, it actually appears to contain a WOFF font."

Content-Type: font/woff2

I get it on: https://fonts.bunny.net/nunito/files/nunito-latin-700-normal.woff2
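
The check described in the Dec 2019 post (declared Content-Type versus the "wOFF"/"wOF2" magic bytes) and the font/woff2-vs-WOFF distinction at issue in the Oct 2023 post, written out as an added example. This is not Burp's code or PortSwigger's implementation; it is a stand-alone sniffer that only reports a mismatch when it positively identifies a different format, and stays silent on content it does not recognise. The MIME-type table, the flavor set and the header-only sample bodies are constructed for the example.

```python
"""Declared Content-Type vs. sniffed WOFF/WOFF2 body: an added example, not Burp's code."""
import struct

# Magic numbers from the WOFF 1.0 and WOFF 2.0 specifications (first 4 bytes of the file).
WOFF1_MAGIC = b"wOFF"
WOFF2_MAGIC = b"wOF2"

# sfnt "flavor" values a WOFF wrapper may carry: TrueType outlines, CFF ("OTTO"), Apple "true".
KNOWN_FLAVORS = {b"\x00\x01\x00\x00", b"OTTO", b"true"}

# MIME types accepted for each format (assumption for the example: RFC 8081 types plus the
# older application/* variants still seen on real servers).
MIME_BY_FORMAT = {
    "woff": {"font/woff", "application/font-woff", "application/x-font-woff"},
    "woff2": {"font/woff2", "application/font-woff2"},
}


def normalize_content_type(header_value):
    """Strip parameters (e.g. '; charset=binary') and case from a Content-Type value."""
    return header_value.split(";", 1)[0].strip().lower()


def sniff_font(body):
    """Return 'woff', 'woff2' or None, based only on the 4-byte signature."""
    if body.startswith(WOFF1_MAGIC):
        return "woff"
    if body.startswith(WOFF2_MAGIC):
        return "woff2"
    return None


def parse_common_header(body):
    """Parse the 20 header bytes shared by WOFF 1.0 and 2.0; None if the body is too short."""
    if len(body) < 20:
        return None
    sig, flavor, length, num_tables, reserved, total_sfnt = struct.unpack(">4s4sIHHI", body[:20])
    return {"signature": sig, "flavor": flavor, "length": length,
            "num_tables": num_tables, "reserved": reserved, "total_sfnt_size": total_sfnt}


def classify(content_type_header, body):
    """Compare the declared type with the sniffed format.

    Returns one of: 'match', 'mismatch', 'unrecognized', 'malformed'.
    'unrecognized' is deliberately distinct from 'mismatch': not knowing a format is
    not evidence that the stated type is wrong (the thread's second complaint).
    """
    declared = normalize_content_type(content_type_header)
    fmt = sniff_font(body)
    if fmt is None:
        return "unrecognized"
    hdr = parse_common_header(body)
    # The spec requires reserved == 0 and 'length' == the whole file size; a truncated or
    # still-compressed body will fail this and should not be reported as a type mismatch.
    if hdr is None or hdr["reserved"] != 0 or hdr["length"] != len(body) \
            or hdr["flavor"] not in KNOWN_FLAVORS:
        return "malformed"
    return "match" if declared in MIME_BY_FORMAT[fmt] else "mismatch"


def scanner_issue(content_type_header, body):
    """Only a positive mismatch justifies an issue with firm confidence; otherwise report nothing."""
    verdict = classify(content_type_header, body)
    if verdict != "mismatch":
        return None
    return {"name": "Content type incorrectly stated", "severity": "Low", "confidence": "Firm",
            "declared": normalize_content_type(content_type_header), "actual": sniff_font(body)}


def make_woff_header(version):
    """Constructed header-only WOFF/WOFF2 body for the demo (no tables, not a loadable font)."""
    flavor = b"\x00\x01\x00\x00"
    if version == 1:
        # 44-byte WOFF 1.0 header: sig, flavor, length, numTables, reserved, totalSfntSize,
        # major, minor, metaOffset, metaLength, metaOrigLength, privOffset, privLength.
        return struct.pack(">4s4sIHHIHHIIIII", WOFF1_MAGIC, flavor, 44, 0, 0, 12, 1, 0, 0, 0, 0, 0, 0)
    # 48-byte WOFF 2.0 header adds totalCompressedSize after totalSfntSize.
    return struct.pack(">4s4sIHHIIHHIIIII", WOFF2_MAGIC, flavor, 48, 0, 0, 12, 0, 1, 0, 0, 0, 0, 0, 0)


if __name__ == "__main__":
    for declared, body in [("font/woff2", make_woff_header(2)),
                           ("font/woff2", make_woff_header(1)),
                           ("application/font-woff", b"GLYF-constructed-unknown-blob")]:
        print(declared, "->", classify(declared, body), scanner_issue(declared, body))
```

The only case that produces an issue is a WOFF 1.0 body served as font/woff2 (or the reverse); a body the sniffer does not know yields "unrecognized" and no issue, which is the behaviour the thread asks for.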

Ben, PortSwigger Agent | Last updated: Oct 04, 2023 07:01AM UTC

Hi Floyd, let us investigate this - we will get back to you in due course.

Ben, PortSwigger Agent | Last updated: Oct 10, 2023 09:37AM UTC

Hi Floyd, just to keep you updated on this. We believe that there is a further issue with how this is working and we have raised a development ticket to investigate it. If we have any further news to share we will update this forum thread.
