Add application/x-x509-ca-cert to avoid Unexpected Content-Type being returned #8231

ssthom · 2023-12-08T13:56:45Z

Similar to #8226

application/x-x509-ca-cert is the default response from our Spring-Boot application when there is an error like 404 and it was trying to get a cert file that doesn't exist: https://example.com/key.pem

But it is a valid response type when looking at https://www.iana.org/assignments/media-types/application/x-x509-ca-cert and https://datatracker.ietf.org/doc/html/rfc5280

4.2.1.1. CA Certificate Response Message Format
If the CA does not have any intermediate CA certificates, the response consists of a single X.509 CA certificate. The response will have a Content-Type of "application/x-x509-ca-cert".
"Content-Type: application/x-x509-ca-cert"

Steps to reproduce the behavior

Create spring-boot application
Scan a GET endpoint with ZAP, which will try with /key.pem
The report will have the "Unexpected Content-Type was returned" finding with application/x-x509-ca-cert

Screenshots

The text was updated successfully, but these errors were encountered:

thc202 added the Docker label Dec 8, 2023

ssthom linked a pull request Dec 8, 2023 that will close this issue

Add application/x-x509-ca-cert to expected API content types #8232

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add application/x-x509-ca-cert to avoid Unexpected Content-Type being returned #8231

Add application/x-x509-ca-cert to avoid Unexpected Content-Type being returned #8231

ssthom commented Dec 8, 2023

Add application/x-x509-ca-cert to avoid Unexpected Content-Type being returned #8231

Add application/x-x509-ca-cert to avoid Unexpected Content-Type being returned #8231

Comments

ssthom commented Dec 8, 2023

Steps to reproduce the behavior

Screenshots