Configuration Management / Multiple Content Types Specified

Description

Multiple content types specified (CWE-20) is a vulnerability which occurs when a web application or API is configured to accept multiple content types, but not all content types are valid or secure. This vulnerability may lead to attacks such as Cross-Site Scripting (XSS), SQL injection, and other malicious activities. According to the OWASP Testing Guide, this vulnerability is caused by a lack of content-type validation, which allows malicious users to submit requests with invalid content types.

Risk

This vulnerability has a medium risk rating according to the Common Vulnerability Scoring System (CVSS). It may allow attackers to access sensitive data or take control of the system by exploiting the application’s content-type validation.

Solution

The best solution to this vulnerability is to ensure that only valid and secure content types are accepted. This can be done by validating the content-type of the request and rejecting any requests with invalid content types. Additionally, it is good practice to implement rate limiting to prevent malicious users from sending a large number of requests with invalid content types.