content-type-mime-diff
OfficialIdentify and exploit MIME parser XSS differentials
System Documentation
What problem does it solve?
Divergent MIME Content-Type parsing logic between web browsers (which treat the header as list-based, last value wins) and server-side libraries (which treat it as singleton, first value wins) creates cross-site scripting (XSS) vulnerabilities in applications that validate the parsed Content-Type server-side but reflect the original unparsed header value in responses.
Core Features & Use Cases
- Root Cause Breakdown: Explains the RFC 9110 specification conflict and parsing behavior differences across browsers and server-side libraries.
- Payload Library: Includes tailored payloads for common Python (email.message, googleapiclient.mimeparse, werkzeug, cgi) and Node.js (whatwg-mimetype, content-type) MIME parsers to bypass validation checks.
- Testing Framework: Provides step-by-step testing procedures, examples of vulnerable code patterns, and indicators of at-risk endpoints to streamline vulnerability identification.
- Use Case: Security testers can leverage this skill during authorized web application assessments to identify XSS flaws arising from MIME parser differentials.
Quick Start
Use this skill to test a web endpoint that reflects user-controlled Content-Type header values for XSS via MIME parser differentials.
Dependency Matrix
Required Modules
None requiredComponents
Standard package💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: content-type-mime-diff Download link: https://github.com/dreadnode/capabilities/archive/main.zip#content-type-mime-diff Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
Agent Skills Search Helper
Install a tiny helper to your Agent, search and equip skill from 536,000+ vetted skills library on demand.