# XSS in API via Content-Type Misconfiguration

This endpoint was intended to function as a JSON API for checking username availability. However, due to a misconfigured `Content-Type` header, the server responded with `text/html` instead of `application/json`. This allowed injected HTML/JavaScript payloads to be executed in the victim's browser.

### Impact

An attacker could craft a malicious URL containing JavaScript payloads. When a victim (e.g., an admin or another user) visits this URL, the script executes in the context of the vulnerable origin.

#### 1. Normal Request

```
GET /content-type/check.php?username=l1nuxkid HTTP/1.1
Host: something.l1nuxkid.dev
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
```

#### 2. Vulnerable Response

```
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 43

{
    "msg": "Good news, l1nuxkid is available!"
}
```

The response is **JSON data** but sent as **HTML**.


#### Injecting XSS Payload

```
GET /content-type/check.php?username=l1nuxkid<img src=x onerror=print()> HTTP/1.1
```

The browser parses this as HTML and executes `print()`.

**The Bug:** The server sends the response with the header `Content-Type: text/html; charset=UTF-8` instead of `application/json`.

**Why it’s a bug:** The server is mislabeling structured data (JSON) as a web page (HTML).

#### Fix Recommendation

* Set the correct `Content-Type` header: `application/json` instead of `text/html`
* Encode output properly: JSON-encode the reflected username rather than echoing it raw
* Use `JSON_HEX_TAGS` with `json_encode()` (if using PHP) so `<` and `>` are emitted as `\u003C` and `\u003E`
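The three recommendations applied together, as an added example (this is not the writeup's code or the challenge's real `check.php`): a hardened version of the endpoint. The availability lookup, the allowed-username pattern and the error message are constructed assumptions for the example.

```php
<?php
// Added example, not the writeup's code: a hardened check.php applying the
// three recommendations above. The availability lookup and the allowed
// username pattern are constructed assumptions for this example.
declare(strict_types=1);

// Constructed stand-in for the real database lookup.
function usernameIsAvailable(string $username): bool
{
    $taken = ['admin', 'root', 'support'];
    return !in_array(strtolower($username), $taken, true);
}

// Encode output properly: build the message as a PHP string and let
// json_encode() do all escaping. JSON_HEX_TAGS emits '<' and '>' as \u003C
// and \u003E, so even if the body is ever mislabeled as text/html again
// (the bug above), no HTML tag reaches the parser. JSON_HEX_AMP/APOS/QUOT
// cover the remaining HTML metacharacters; JSON_THROW_ON_ERROR rejects
// invalid UTF-8 instead of silently returning false.
function buildJsonBody(string $username): string
{
    $flags = JSON_HEX_TAGS | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR;
    $msg = usernameIsAvailable($username)
        ? "Good news, {$username} is available!"
        : "Sorry, {$username} is taken.";
    return json_encode(['msg' => $msg], $flags);
}

// username[]=... would arrive as an array; treat anything but a string as empty.
$raw = $_GET['username'] ?? '';
$username = is_string($raw) ? $raw : '';

// Set the correct Content-Type: the browser treats the body as data, not as
// a page, so nothing in it is rendered or executed.
header('Content-Type: application/json; charset=UTF-8');
// Defence in depth: stop MIME sniffing from second-guessing the label.
header('X-Content-Type-Options: nosniff');

// Reject usernames outside the allowed alphabet (constructed rule) with a
// JSON error instead of reflecting arbitrary input at all.
if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $username)) {
    http_response_code(400);
    echo json_encode(['error' => 'invalid username'], JSON_THROW_ON_ERROR);
    exit;
}

echo buildJsonBody($username);
```

With this in place the request from the writeup (`username=l1nuxkid<img src=x onerror=print()>`) is answered with a 400 JSON error before the value is reflected. Even if the allow-list check were dropped, the body would be `{"msg":"Good news, l1nuxkid\u003Cimg src=x onerror=print()\u003E is available!"}` served as `application/json`, which the browser displays as text and never parses as HTML. Checking the fix is a matter of `curl -i` against the endpoint and confirming the `Content-Type` and `X-Content-Type-Options` headers on the response.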