Merged
27 changes: 27 additions & 0 deletions site/content/docs/alerts/90011-1.md
@@ -0,0 +1,27 @@
---
title: "Charset Mismatch (Header Versus Meta Content-Type Charset)"
alertid: 90011-1
alertindex: 9001101
alerttype: "Passive"
alertcount: 4
status: release
type: alert
risk: Informational
solution: "Force UTF-8 for all text content in both the HTTP header and meta tags in HTML or encoding declarations in XML."
references:
- https://code.google.com/p/browsersec/wiki/Part2#Character_set_handling_and_detection
other: "There was a charset mismatch between the HTTP Header and the META content-type encoding declarations: [UTF-8] and [ISO-123] do not match."
cwe: 436
wasc: 15
alerttags:
- CWE-436
- POLICY_PENTEST
- POLICY_QA_STD
- SYSTEMIC
code: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java
linktext: "org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java"
help: https://www.zaproxy.org/docs/desktop/addons/passive-scan-rules/#id-90011
---
This check identifies responses where the HTTP Content-Type header declares a charset different from the charset defined by the body of the HTML or XML. When there's a charset mismatch between the HTTP header and content body Web browsers can be forced into an undesirable content-sniffing mode to determine the content's correct character set.

An attacker could manipulate content on the page to be interpreted in an encoding of their choice. For example, if an attacker can control content at the beginning of the page, they could inject script using UTF-7 encoded text and manipulate some browsers into interpreting that text.
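
Review bot: the `references:` entry points at `code.google.com/p/browsersec/...`, and Google Code project hosting has been shut down and archived, so this new page ships with a link that only works as long as the archive redirect does. The same URL is copied into all four new files, so it is worth confirming once that it still lands on the character set section and, if it does not, replacing it everywhere with a maintained location for the same material.
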
27 changes: 27 additions & 0 deletions site/content/docs/alerts/90011-2.md
@@ -0,0 +1,27 @@
---
title: "Charset Mismatch (Header Versus Meta Charset)"
alertid: 90011-2
alertindex: 9001102
alerttype: "Passive"
alertcount: 4
status: release
type: alert
risk: Informational
solution: "Force UTF-8 for all text content in both the HTTP header and meta tags in HTML or encoding declarations in XML."
references:
- https://code.google.com/p/browsersec/wiki/Part2#Character_set_handling_and_detection
other: "There was a charset mismatch between the HTTP Header and the META charset encoding declaration: [UTF-8] and [ISO-123] do not match."
cwe: 436
wasc: 15
alerttags:
- CWE-436
- POLICY_PENTEST
- POLICY_QA_STD
- SYSTEMIC
code: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java
linktext: "org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java"
help: https://www.zaproxy.org/docs/desktop/addons/passive-scan-rules/#id-90011
---
This check identifies responses where the HTTP Content-Type header declares a charset different from the charset defined by the body of the HTML or XML. When there's a charset mismatch between the HTTP header and content body Web browsers can be forced into an undesirable content-sniffing mode to determine the content's correct character set.

An attacker could manipulate content on the page to be interpreted in an encoding of their choice. For example, if an attacker can control content at the beginning of the page, they could inject script using UTF-7 encoded text and manipulate some browsers into interpreting that text.
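
Review bot: the body text below the front matter is word for word the same as in 90011-1.md, so nothing in the description tells a reader that this variant compares the header against the META charset declaration rather than the META content-type declaration; only `title:` and `other:` carry that. One extra sentence naming the declaration this variant inspects would let the page stand on its own when it is reached from an alert link.
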
27 changes: 27 additions & 0 deletions site/content/docs/alerts/90011-3.md
@@ -0,0 +1,27 @@
---
title: "Charset Mismatch (Meta Charset Versus Meta Content-Type Charset)"
alertid: 90011-3
alertindex: 9001103
alerttype: "Passive"
alertcount: 4
status: release
type: alert
risk: Informational
solution: "Force UTF-8 for all text content in both the HTTP header and meta tags in HTML or encoding declarations in XML."
references:
- https://code.google.com/p/browsersec/wiki/Part2#Character_set_handling_and_detection
other: "There was a charset mismatch between the META charset and the META content-type encoding declaration: [UTF-8] and [ISO-123] do not match."
cwe: 436
wasc: 15
alerttags:
- CWE-436
- POLICY_PENTEST
- POLICY_QA_STD
- SYSTEMIC
code: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java
linktext: "org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java"
help: https://www.zaproxy.org/docs/desktop/addons/passive-scan-rules/#id-90011
---
This check identifies responses where the HTTP Content-Type header declares a charset different from the charset defined by the body of the HTML or XML. When there's a charset mismatch between the HTTP header and content body Web browsers can be forced into an undesirable content-sniffing mode to determine the content's correct character set.

An attacker could manipulate content on the page to be interpreted in an encoding of their choice. For example, if an attacker can control content at the beginning of the page, they could inject script using UTF-7 encoded text and manipulate some browsers into interpreting that text.
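
Review bot: the first sentence of the body says the check flags an HTTP Content-Type header that disagrees with the body, but this variant's `title:` and `other:` describe two META declarations disagreeing with each other, with no header involved. A sentence stating that conflicting META charset and META content-type declarations in the same document raise this alert would make the description match the title, and `solution:` could say that the two META declarations must be kept identical.
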
27 changes: 27 additions & 0 deletions site/content/docs/alerts/90011-4.md
@@ -0,0 +1,27 @@
---
title: "Charset Mismatch"
alertid: 90011-4
alertindex: 9001104
alerttype: "Passive"
alertcount: 4
status: release
type: alert
risk: Informational
solution: "Force UTF-8 for all text content in both the HTTP header and meta tags in HTML or encoding declarations in XML."
references:
- https://code.google.com/p/browsersec/wiki/Part2#Character_set_handling_and_detection
other: "There was a charset mismatch between the HTTP Header and the XML encoding declaration: [UTF-8] and [ISO-123] do not match."
cwe: 436
wasc: 15
alerttags:
- CWE-436
- POLICY_PENTEST
- POLICY_QA_STD
- SYSTEMIC
code: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java
linktext: "org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java"
help: https://www.zaproxy.org/docs/desktop/addons/passive-scan-rules/#id-90011
---
This check identifies responses where the HTTP Content-Type header declares a charset different from the charset defined by the body of the HTML or XML. When there's a charset mismatch between the HTTP header and content body Web browsers can be forced into an undesirable content-sniffing mode to determine the content's correct character set.

An attacker could manipulate content on the page to be interpreted in an encoding of their choice. For example, if an attacker can control content at the beginning of the page, they could inject script using UTF-7 encoded text and manipulate some browsers into interpreting that text.
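
Review bot: `title: "Charset Mismatch"` is unqualified, unlike the other three variants, and is the same string as the title of the parent 90011.md, while `other:` shows this is the HTTP header versus XML encoding declaration case. If the title is taken from the scan rule, the rename belongs there; otherwise a qualified title in the style of the other three, for example "Charset Mismatch (Header Versus XML Encoding Declaration)", would keep the `alerts:` list in 90011.md and search results unambiguous.
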
31 changes: 14 additions & 17 deletions site/content/docs/alerts/90011.md
Expand Up @@ -3,24 +3,21 @@ title: "Charset Mismatch"
alertid: 90011
alertindex: 9001100
alerttype: "Passive"
alertcount: 1
status: release
type: alert
risk: Informational
solution: "Force UTF-8 for all text content in both the HTTP header and meta tags in HTML or encoding declarations in XML."
references:
- https://code.google.com/p/browsersec/wiki/Part2#Character_set_handling_and_detection
other: ""
cwe: 436
wasc: 15
alerttags:
- POLICY_PENTEST
- POLICY_QA_STD
- SYSTEMIC
type: alertset
alerts:
90011-1:
alertid: 90011-1
name: "Charset Mismatch (Header Versus Meta Content-Type Charset)"
90011-2:
alertid: 90011-2
name: "Charset Mismatch (Header Versus Meta Charset)"
90011-3:
alertid: 90011-3
name: "Charset Mismatch (Meta Charset Versus Meta Content-Type Charset)"
90011-4:
alertid: 90011-4
name: "Charset Mismatch"
code: https://github.com/zaproxy/zap-extensions/blob/main/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java
linktext: "org/zaproxy/zap/extension/pscanrules/CharsetMismatchScanRule.java"
help: https://www.zaproxy.org/docs/desktop/addons/passive-scan-rules/#id-90011
---
This check identifies responses where the HTTP Content-Type header declares a charset different from the charset defined by the body of the HTML or XML. When there's a charset mismatch between the HTTP header and content body Web browsers can be forced into an undesirable content-sniffing mode to determine the content's correct character set.

An attacker could manipulate content on the page to be interpreted in an encoding of their choice. For example, if an attacker can control content at the beginning of the page, they could inject script using UTF-7 encoded text and manipulate some browsers into interpreting that text.
3 changes: 3 additions & 0 deletions site/data/alerttags.yml
Expand Up @@ -133,6 +133,9 @@ CWE-425:
CWE-434:
link: https://cwe.mitre.org/data/definitions/434.html

CWE-436:
link: https://cwe.mitre.org/data/definitions/436.html

CWE-472:
link: https://cwe.mitre.org/data/definitions/472.html
