Using Watcher I've found a possible high vulnerability on my web site:
User Controllable Charset
The page at the following URL:
1) a(n) 'Content-Type' tag 'UTF-8' attribute
The user input found was:
The context was:
Content-Type HTTP header
Why is it high? How can I try to exploit the web application with this leak?
Apr 17, 2009 at 7:00 AM
Edited Apr 17, 2009 at 7:00 AM
Hi AlfonsO, there have been many examples of cross-site scripting attacks that leverage user control over the HTML's character encoding, or charset value. This doesn't mean your application has a vulnerability, but it was flagged as high severity because an attacker has gained significant control over the content and how the browser renders it.
For this to be exploitable, the attacker would need to control some other data in the page's content. They could set the charset value to UTF-7 and inject a small fragment of UTF-7 encoded script in the page. You can find some good examples of this pattern on Yosuke Hasegawa's page at
If they don't have any more control, then you could ignore this warning.
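As an added illustration of what the reply describes (not Watcher's own code, and not from either poster), the snippet below reproduces the gist of the "User Controllable Charset" check, flagging a response whose Content-Type charset echoes a value the client supplied, and shows a server-side helper that only ever emits an allow-listed charset so the value can never be attacker chosen. The allow-list and the constructed request/response sample are assumptions for the example.

```python
import re
from typing import Iterable, Optional

# Charsets the application intends to serve. Anything else (UTF-7 included)
# is rejected. Assumption for this example: the site only serves UTF-8.
ALLOWED_CHARSETS = {"utf-8"}

_CHARSET_RE = re.compile(r'charset\s*=\s*"?([A-Za-z0-9._-]+)"?', re.IGNORECASE)


def charset_from_content_type(content_type: str) -> Optional[str]:
    """Return the charset parameter of a Content-Type header, lower-cased."""
    m = _CHARSET_RE.search(content_type or "")
    return m.group(1).lower() if m else None


def user_controllable_charset(content_type: str,
                              request_values: Iterable[str]) -> Optional[str]:
    """Passive check in the spirit of Watcher's finding: report the charset
    when it matches a value the client sent (query string, form field, cookie).
    A match means the client, and so an attacker, can choose the encoding."""
    charset = charset_from_content_type(content_type)
    if charset is None:
        return None
    supplied = {v.strip().lower() for v in request_values if v}
    return charset if charset in supplied else None


def safe_content_type(requested: Optional[str], default: str = "utf-8") -> str:
    """Hardened server-side helper: never reflect a client-chosen charset.
    Only allow-listed values are emitted; everything else falls back to the
    default, so a request asking for utf-7 still yields utf-8."""
    cs = (requested or "").strip().lower()
    if cs not in ALLOWED_CHARSETS:
        cs = default
    return f"text/html; charset={cs}"


def example_finding() -> Optional[str]:
    """Constructed sample: the client sent ?charset=UTF-8&page=home and the
    server echoed the charset into its Content-Type header."""
    request_params = {"charset": "UTF-8", "page": "home"}
    response_content_type = "text/html; charset=UTF-8"
    return user_controllable_charset(response_content_type,
                                     request_params.values())
```

`example_finding()` returns `"utf-8"`, i.e. the same kind of hit Watcher reported; the fix is to build the header with `safe_content_type()` (or a fixed literal) rather than from request data.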