Security Bsides Las Vegas 2024

Norihide Saito

Norihide Saito has been involved in development and security-related work since he was a student, and joined Flatt Security in 2020. He is currently a security engineer in charge of security diagnostics mainly for web applications and public clouds, and is active in external organizations such as ISOG-J WG1.


Session

08-06
15:30
25min
Are you content with our current attacks on Content-Type?
Eiji Mori, Norihide Saito

Are you familiar with Attack on Titan? It's a story where humanity lives in cities surrounded by giant walls to fend off Titans. The walls may block intrusion paths that are already known, but what if the Titans find an unexpected way in?

Browsers heavily depend on the Content-Type in HTTP response headers to decide how to render content, just as the cities depend primarily on their walls to protect themselves. But can we truly trust Content-Type? Our investigation into object storage revealed a critical aspect of its specification: these services let an uploader set any Content-Type, which is then returned verbatim in response headers, creating a new attack vector against clients.

Specifying arbitrary Content-Type strings in HTTP response headers during file uploads used to be difficult. As a result, browsers and clients often trusted the Content-Type blindly, just like how humans trusted their walls blindly. However, with the rise of object storage, setting arbitrary Content-Type headers has become easy.

In this talk, we'll explore scenarios where clients' blind trust in Content-Type leads to vulnerabilities and share findings from bug bounty platforms and OSS investigations. Let's all get prepared to defend our web applications from these new threats!
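As an added illustration of the defensive side of the abstract above (this is example code, not material from the talk or from Flatt Security): an upload gate that refuses to store a user-supplied Content-Type unless it is on an allow-list and agrees with the object's leading bytes, and that serves objects with `X-Content-Type-Options: nosniff`. The allow-list, the signature table and the header helper are assumptions made for this example.

```python
import re

# Constructed allow-list: the only media types this service will store and
# serve, mapped to the magic bytes a stored object of that type must begin with.
ALLOWED_TYPES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "application/pdf": (b"%PDF-",),
}

# One media type, optionally followed by parameters; anything else (including a
# value carrying CR/LF) is rejected rather than echoed back in a response header.
_MEDIA_TYPE_RE = re.compile(r"^([a-z0-9!#$&^_.+-]+/[a-z0-9!#$&^_.+-]+)\s*(;.*)?$", re.I)


def validate_upload(declared_type: str, head: bytes):
    """Check a client-declared Content-Type against the allow-list and the
    object's first bytes. Returns (ok, media_type_to_store, reason)."""
    match = _MEDIA_TYPE_RE.match(declared_type.strip())
    if not match:
        return False, None, "malformed Content-Type"
    media = match.group(1).lower()
    if media not in ALLOWED_TYPES:
        return False, None, f"{media} is not on the allow-list"
    if not any(head.startswith(sig) for sig in ALLOWED_TYPES[media]):
        return False, None, "file signature does not match declared type"
    # Parameters such as charset are dropped; only the vetted media type is stored.
    return True, media, "ok"


def response_headers(media: str) -> dict:
    """Headers to serve a stored object with: the vetted type, no sniffing, and
    a filename-less attachment disposition so it is downloaded, not rendered inline."""
    return {
        "Content-Type": media,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
    }


if __name__ == "__main__":
    png_head = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8   # constructed sample bytes
    print(validate_upload("text/html", png_head))                   # rejected: not allow-listed
    print(validate_upload("image/png; charset=utf-8", png_head))    # accepted as image/png
    print(validate_upload("image/png", b"<html><script>"))          # rejected: signature mismatch
    print(validate_upload("image/png\r\nX-Injected: 1", png_head))  # rejected: malformed
```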

Proving Ground
Firenze