User Controllable Charset

ID

user_controllable_charset

Severity

info

Kind

Security Misconfiguration

CWE

20

Description

This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the <meta> element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page.

Rationale

When an attacker can control the character encoding of a response, they can force the browser to interpret the page using encodings like UTF-7 that allow bypassing XSS filters. By declaring UTF-7 through a manipulated meta tag or Content-Type header, an attacker can encode malicious scripts that evade server-side detection but execute when the browser interprets the content. This effectively neutralizes many XSS protections and allows arbitrary JavaScript execution in the victim’s browser.

Remediation

Force UTF-8 in all charset declarations. If user input is required to decide a charset declaration, ensure that only an allowed list is used.
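To make both the check described above and the remediation concrete, here is an added Python example (not the scanner's own code, and not from any project this page refers to). The detection half extracts the charset from a Content-Type header and from <meta> tags and flags any request parameter whose value is mirrored there, which is the condition this check looks for. The application half places a handler that reflects a charset parameter next to one that resolves the parameter against an allow list and falls back to UTF-8. All function names (header_charset, meta_charsets, user_controlled_charsets, weak_render, resolve_charset, hardened_render), the allow list and the sample request are assumptions constructed for this illustration.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional

# --- Detection side: does a charset declaration mirror a request parameter? ---

# Matches the charset token of a Content-Type value such as text/html; charset="ISO-8859-1"
_CHARSET_RE = re.compile(r'charset\s*=\s*"?([A-Za-z0-9._:-]+)', re.IGNORECASE)


def header_charset(headers: Dict[str, str]) -> Optional[str]:
    """Return the charset named in the Content-Type header (lower-cased), or None."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            match = _CHARSET_RE.search(value)
            return match.group(1).lower() if match else None
    return None


class _MetaCharsetParser(HTMLParser):
    """Collect charsets from <meta charset=...> and <meta http-equiv="Content-Type" ...>."""

    def __init__(self) -> None:
        super().__init__()
        self.charsets: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attributes = {k.lower(): (v or "") for k, v in attrs}
        if "charset" in attributes:
            self.charsets.append(attributes["charset"].strip().lower())
        elif attributes.get("http-equiv", "").lower() == "content-type":
            match = _CHARSET_RE.search(attributes.get("content", ""))
            if match:
                self.charsets.append(match.group(1).lower())


def meta_charsets(body: str) -> List[str]:
    """Return every charset declared by a <meta> tag in the HTML body."""
    parser = _MetaCharsetParser()
    parser.feed(body)
    return parser.charsets


def user_controlled_charsets(params: Dict[str, str], headers: Dict[str, str],
                             body: str) -> List[Dict[str, str]]:
    """Flag each request parameter whose value appears verbatim as a declared charset."""
    declared = set(meta_charsets(body))
    from_header = header_charset(headers)
    if from_header:
        declared.add(from_header)
    findings = []
    for name, value in params.items():
        candidate = value.strip().lower()
        if candidate and candidate in declared:
            findings.append({"param": name, "value": value})
    return findings


# --- Application side: a reflecting handler beside an allow-listed one ---

DEFAULT_CHARSET = "utf-8"
# Constructed allow list: only encodings the application actually serves belong here.
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1"}


def weak_render(params: Dict[str, str]):
    """Reflects ?charset= straight into the header and meta tag (the pattern the check flags)."""
    charset = params.get("charset", DEFAULT_CHARSET)
    headers = {"Content-Type": f"text/html; charset={charset}"}
    body = f'<html><head><meta charset="{charset}"></head><body>ok</body></html>'
    return headers, body


def resolve_charset(requested: Optional[str]) -> str:
    """Map a requested charset onto the allow list; anything else falls back to UTF-8."""
    if requested is None:
        return DEFAULT_CHARSET
    normalized = requested.strip().lower()
    return normalized if normalized in ALLOWED_CHARSETS else DEFAULT_CHARSET


def hardened_render(params: Dict[str, str]):
    """Same response, but the declared charset can only ever be an allow-listed value."""
    charset = resolve_charset(params.get("charset"))
    headers = {"Content-Type": f"text/html; charset={charset}"}
    body = f'<html><head><meta charset="{charset}"></head><body>ok</body></html>'
    return headers, body


def demo():
    """Run the check against both handlers for a constructed request asking for UTF-7."""
    request = {"charset": "utf-7"}
    weak = user_controlled_charsets(request, *weak_render(request))
    hardened = user_controlled_charsets(request, *hardened_render(request))
    return weak, hardened


if __name__ == "__main__":
    print(demo())
```

The allow list is an explicit set rather than a "does this encoding exist" lookup on purpose: a codec registry accepts UTF-7 just as readily as UTF-8, so validating against it would not remove the encoding the description warns about. Note also that the check is a reflection heuristic; a request that asks for utf-8 against the hardened handler still matches, because the declared charset equals the parameter value, so a finding of this kind needs to be confirmed by sending a value outside the allow list and seeing whether it is honoured.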