Insecure Content-Type Handling: XML Accepted for JSON Endpoints
What is the Vulnerability?
Data sent with the Content-Type: application/json header in JSON format is usually expected by modern web APIs. Some applications, on the other hand, are loosely configured and support Content-Type: application/xml for endpoints that are intended to consume JSON.
Accepting unexpected or inconsistent content types may appear innocuous at first, but it can pose security risks, particularly if the backend tries to parse or interpret XML input in an unexpected way.
Attackers may take advantage of client-side or server-side XML parsing vulnerabilities (such as XXE (XML External Entity injection), XEE (XML Entity Expansion), or data tampering) if an endpoint intended for JSON accepts and parses XML.
An attacker can more easily get around content inspection filters, carry out format confusion attacks, or misuse parsing logic to obtain private information.
Impact of this Vulnerability
Allowing incorrect or unexpected content types can lead to:
- Data Disclosure or Manipulation: XML parsing may interpret data differently or expose sensitive information through entity injection or recursive structures.
-
XML-specific Attacks: Attackers may exploit known XML parser vulnerabilities such as:
- XXE (XML External Entity Injection): Reading server files or making internal HTTP requests.
- DoS Attacks (Billion Laughs / Quadratic Blowup):Exploiting recursive XML structures to crash the server.
- Reduced API Predictability & Robustness: Accepting multiple content types increases the attack surface and makes the API behavior less deterministic.
- Content Sniffing & Injection Risks: Some clients or proxies may misinterpret the data type, leading to security or display issues.
