Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
- The
Content-Typeresponse header is used to tell the browser how to render a file. This page is a list ofContent-Typeheader with the format they render that can be used for XSS. It even has a list of browsers that this works on. - Many of the types are obvious like
text/htmlas an HTML format. There are even weirder ones referenced too, liketext/xslbeing rendered as HTML. - A space,
,and;can all used as Mime Type separators. For instance,text/plain; x=x, text/htmlis a valid HTML format when rendered by the browser. - Additionally,
(and 0x9 are able to be used as separators. For instance,text/html(xxxis a valid content type that will be render as HTML. - A comma can also be used for multiple content types. Typically, the last one is the content type processed.
- My personal favorite part is that they have links of each content type to a website that will prove that this works on the spot. Amazing and simple resource that I love.
