Operator On The Wire
← Back to Knowledge Base
BLUE TEAM / SOC / FILTERING / ATTACKS / APPLICATION LAYER / HTTP / REQUESTS

Dangerous Accept Headers

Unusual Accept types may indicate API probing, deserialization attempts, or non-browser automation


Hunting

Statistics → Conversations → IPv4
Statistics → Endpoints → IPv4
Statistics → Protocol Hierarchy
Statistics → IO Graph


Red Flags

  • Accept: application/json against normal HTML site
  • Accept: application/xml (possible XXE context)
  • Accept: */* repeatedly (automation default)
  • Accept: application/x-java-serialized-object
  • Accept header missing entirely
  • Rapid switching between content types

Filters

# Content negotiation abuse
http.accept matches "(?i)(application|text)/\*"

# JSON probing on non-API endpoint
http.accept contains "application/json"

# XML probing (possible XXE context)
http.accept contains "application/xml"

# Java deserialization context
http.accept contains "application/x-java-serialized-object"

# Wildcard automation header
http.accept == "*/*"

# Missing Accept header
http.request and not http.accept