WAF 392301

From Atomicorp Wiki
Jump to: navigation, search

Rule ID



Active rule currently published.

Alert Message

Atomicorp.com WAF Rules: Request Containing Content, but Missing Content-Type header


This rule detects when a request is made using an improper method. By default, if a request body is sent it must define its Content-Type so the backend application knows how to handle it. The WAF also needs to understand the Content-Type. he WAF works by inspecting content based on the "type" defined by the request. This of this as a foreign language. The WAF needs to understand the type to be able to properly inspect its contents.

Attacks use this method to get past WAFs by not defining the Content-Type, so the WAF has to guess what its reading. The attacker relies on this and that the WAF will assume its reading one content type, when another content type is being used. This can be used to bypass the WAF entirely.

This rule prevents this method. Any application that causes this to occur should be fixed to define its Content-Type.

False Positives

A false positive can occur when an application legitimately does not set the Content-Type. However, this should never be allowed. All request bodies should define the Content-Type, and there is no reason for an application to not do this. We highly recommend you do not disable this rule, and rather fix the application.

If you believe this is a false positive, that is the application is defining a Content-Type, please report this to our security team to determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the Reporting False Positives wiki page. If it is a false positive, we will fix the issue in the rules and get a release out to you promptly.

Tuning Guidance

If you know that this behaviour is acceptable for your application, please see the Tuning the Atomicorp WAF Rules page for basic information.

Similar Rules


Knowledge Base Articles


Outside References


Personal tools