Configuration Management / HTML Does Not Specify Charset

Web and API

Description

HTML does not specify charset is a configuration management weakness (CWE-721) found in web and API applications. It is reported when an HTML response declares no character encoding, neither in the HTTP Content-Type header nor in a <meta> element near the top of the document. Without a declaration the browser has to guess the encoding from the bytes it receives. A wrong guess displays unexpected characters, garbles user data that round-trips through forms, and, more seriously, can make bytes the server treated as harmless decode into markup or script on the client, so that the server's output escaping no longer matches what the browser actually parses. The result can be cross-site scripting, information disclosure or data corruption (OWASP Testing Guide, 2021).

Risk

The risk associated with HTML not specifying charset is high wherever the page reflects or stores attacker-influenced input. The server escapes output for the encoding it intends to send, but the browser decodes the page with whatever encoding it sniffs, so characters that are inert under the intended encoding can form tags, quotes or script under the guessed one; this is the classic charset-confusion route to cross-site scripting and to bypassing output filters. Encoding mismatches also silently corrupt submitted data as it passes between browser, application and database, which affects the integrity of stored records. The missing declaration does not by itself grant an attacker access, but it makes every other escaping control on the page unreliable.

Solution

The fix is to declare the encoding explicitly and consistently in two places: the HTTP Content-Type header (text/html; charset=utf-8) and a <meta charset="utf-8"> element inside <head>, placed within the first 1024 bytes of the document, which is as far as browsers scan for it before committing to an encoding. The HTTP header takes precedence when both are present, so the two must agree. The declared encoding must also match the bytes actually sent, so templates, databases and upstream services should all emit UTF-8. Set the header centrally (web-server configuration, the framework's default response type, or a middleware) rather than in each handler, so that no page can omit it; a security plugin or library can supply this, but it should be verified in the live responses.
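As an added example (this is not code from the page's source or from any product), the following Python checker applies the rule above to a captured response: it looks for the charset in the Content-Type header and in a <meta> element within the first 1024 bytes, flags a missing, late, non-UTF-8 or contradictory declaration, and verifies that a body declared as UTF-8 actually decodes as UTF-8. The sample headers and bodies are constructed for illustration, not captured from any real site.

```python
import re
from typing import Dict, List, Optional

# Browsers pre-scan only the first 1024 bytes of an HTML document for a
# <meta charset> declaration before committing to an encoding.
META_PRESCAN_LIMIT = 1024

# charset parameter of a Content-Type value, e.g. text/html; charset=utf-8
_HEADER_CHARSET = re.compile(r'charset\s*=\s*"?\s*([^";\s]+)', re.IGNORECASE)
# <meta charset="..."> or <meta http-equiv="Content-Type" content="...; charset=...">
_META_CHARSET = re.compile(rb'<meta[^>]*?charset\s*=\s*["\']?\s*([^"\'\s;/>]+)', re.IGNORECASE)


def content_type(headers: Dict[str, str]) -> str:
    """Return the Content-Type header value (case-insensitive lookup), or ''."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value
    return ""


def header_charset(headers: Dict[str, str]) -> Optional[str]:
    """Charset declared in the Content-Type header, lower-cased, or None."""
    m = _HEADER_CHARSET.search(content_type(headers))
    return m.group(1).lower() if m else None


def meta_charset(body: bytes, limit: int = META_PRESCAN_LIMIT) -> Optional[str]:
    """Charset declared by a <meta> element within the first `limit` bytes, or None."""
    m = _META_CHARSET.search(body[:limit])
    return m.group(1).decode("ascii", "replace").lower() if m else None


def audit_charset(headers: Dict[str, str], body: bytes) -> List[str]:
    """Return findings for an HTML response; an empty list means the encoding is
    declared correctly. Responses that are not text/html are skipped."""
    if not content_type(headers).lower().startswith("text/html"):
        return []
    findings: List[str] = []
    in_header = header_charset(headers)
    in_meta = meta_charset(body)
    if in_header is None and in_meta is None:
        if meta_charset(body, limit=len(body)) is not None:
            findings.append("<meta charset> present but beyond the first 1024 bytes; browsers may ignore it")
        else:
            findings.append("no charset declared in Content-Type header or <meta> element")
    elif in_header is None:
        findings.append("charset declared only in <meta>; add it to the Content-Type header as well")
    elif in_meta is not None and in_meta != in_header:
        findings.append(f"header charset {in_header!r} disagrees with <meta> charset {in_meta!r}")
    declared = in_header or in_meta
    if declared is not None and declared not in ("utf-8", "utf8"):
        findings.append(f"declared charset {declared!r} is not UTF-8")
    if declared in ("utf-8", "utf8"):
        try:
            body.decode("utf-8")
        except UnicodeDecodeError:
            findings.append("declared UTF-8 but body is not valid UTF-8")
    return findings


# Constructed sample responses (hypothetical, not captured from a real site).
# The weak response leaves the browser to guess; the byte 0xE9 is "é" under
# ISO-8859-1 but invalid UTF-8, so its rendering depends on the guess.
WEAK_HEADERS = {"Content-Type": "text/html"}
WEAK_BODY = b"<html><head><title>Profile</title></head><body>Caf\xe9</body></html>"

FIXED_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
FIXED_BODY = (
    b'<!doctype html><html><head><meta charset="utf-8">'
    b"<title>Profile</title></head><body>Caf\xc3\xa9</body></html>"
)

# Header and <meta> contradict each other; the header wins in the browser.
MISMATCH_HEADERS = {"Content-Type": "text/html; charset=ISO-8859-1"}
MISMATCH_BODY = FIXED_BODY

if __name__ == "__main__":
    for label, h, b in (("weak", WEAK_HEADERS, WEAK_BODY),
                        ("fixed", FIXED_HEADERS, FIXED_BODY),
                        ("mismatch", MISMATCH_HEADERS, MISMATCH_BODY)):
        print(label, audit_charset(h, b) or "ok")
```

Run stand-alone it prints one line per sample; in practice audit_charset would be called from a crawler or an integration test over the headers and body of each HTML response, so a handler that drops the charset fails the build rather than reaching production.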
