JSON code execution test-bed
Scroll down to see all examples.
Content-Type only
| text/html | |
| application/json | |
| text/json | |
| text/plain | |
| application/octet-stream | |
| empty | |
| evil/ninja | |
Forged file ending
PHP trick to simulate the filename ending in .html
| text/html | |
| application/json | |
| text/json | |
| text/plain | |
| application/octet-stream | |
| empty | |
| evil/ninja | |
Forged file ending 2
Simple way of ending the URL in .html
| text/html | |
| application/json | |
| text/json | |
| text/plain | |
| application/octet-stream | |
| empty | |
| evil/ninja | |
Forged file ending 3
Tomcat and some other Java servers allow index.jsp;parameters in place of the question mark.
| text/html | |
| application/json | |
| text/json | |
| text/plain | |
| application/octet-stream | |
| empty | |
| evil/ninja | |
Content-Type-Options: nosniff
Sending the X-Content-Type-Options: nosniff response header to disable content sniffing
| text/html | |
| application/json | |
| text/json | |
| text/plain | |
| application/octet-stream | |
| empty | |
| evil/ninja | |