
Add application/x-x509-ca-cert to avoid Unexpected Content-Type being returned

Open ssthom opened this issue 1 year ago • 0 comments

Similar to https://github.com/zaproxy/zaproxy/issues/8226

application/x-x509-ca-cert is the default response from our Spring-Boot application when there is an error like 404 and it was trying to get a cert file that doesn't exist: https://example.com/key.pem

But it is a valid response type when looking at https://www.iana.org/assignments/media-types/application/x-x509-ca-cert and https://datatracker.ietf.org/doc/html/rfc5280

4.2.1.1. CA Certificate Response Message Format

If the CA does not have any intermediate CA certificates, the response consists of a single X.509 CA certificate. The response will have a Content-Type of "application/x-x509-ca-cert".

"Content-Type: application/x-x509-ca-cert"

Steps to reproduce the behavior

  1. Create spring-boot application
  2. Scan a GET endpoint with ZAP, which will try with /key.pem
  3. The report will have the "Unexpected Content-Type was returned" finding with application/x-x509-ca-cert

Screenshots

[screenshot attached to the original issue; image not available]

ssthom, Dec 08 '23 13:12
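An added triage check (not code from ZAP or from the reporter's Spring Boot application) for the situation described in this issue: deciding whether a response served as application/x-x509-ca-cert actually carries a certificate, or is an error page whose Content-Type was derived from the URL's .pem suffix. The sample responses below are constructed, and the DER check is structural only (it does not validate the certificate).

```python
"""Distinguish a real CA-certificate response from a mislabeled error body."""
import base64
import binascii
import re

CA_CERT_TYPE = "application/x-x509-ca-cert"
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def looks_like_der_sequence(data: bytes) -> bool:
    """True if data is one DER SEQUENCE whose declared length spans the whole body.

    Every X.509 certificate is a DER SEQUENCE, so this cheaply rules out HTML/JSON
    error pages; it does not prove the bytes are a valid certificate.
    """
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length
        return len(data) == 2 + first
    n = first & 0x7F                       # long-form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    length = int.from_bytes(data[2:2 + n], "big")
    return len(data) == 2 + n + length


def classify(status: int, content_type: str, body: bytes) -> str:
    """Return 'certificate', 'error-mislabeled', 'mislabeled' or 'other-type'."""
    media = content_type.split(";", 1)[0].strip().lower()
    if media != CA_CERT_TYPE:
        return "other-type"
    m = PEM_RE.search(body)
    try:
        der = base64.b64decode(m.group(1)) if m else body   # PEM -> DER, else assume DER
    except binascii.Error:
        return "error-mislabeled" if status >= 400 else "mislabeled"
    if looks_like_der_sequence(der):
        return "certificate"
    # e.g. Spring Boot's default JSON error body served with a type taken from ".pem"
    return "error-mislabeled" if status >= 400 else "mislabeled"


# Constructed sample responses (the DER stub is a minimal SEQUENCE, not a real cert).
SAMPLES = {
    "der_cert": (200, CA_CERT_TYPE, b"\x30\x03\x02\x01\x05"),
    "pem_cert": (200, CA_CERT_TYPE + "; charset=utf-8",
                 b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"),
    "spring_404": (404, CA_CERT_TYPE,
                   b'{"timestamp":"2023-12-08T13:12:00Z","status":404,"error":"Not Found","path":"/key.pem"}'),
    "html_page": (200, "text/html", b"<html></html>"),
}


def triage_all() -> dict:
    """Classify every sample; only 'certificate' results are genuine CA-cert responses."""
    return {name: classify(*resp) for name, resp in SAMPLES.items()}
```

Only responses classified as "certificate" justify treating application/x-x509-ca-cert as expected; the 404 case in this issue is an error body that merely inherited the type from the requested file name.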