Title: Confusing Burp's display with fake encoding
Date: 2018-04-20 20:00

[Burp Proxy](https://portswigger.net/burp/) is the go-to tool for *web
security* testing ([ZAP](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project)
is still completely unusable for anything other than "*auto-scan, eat all my ram
and crash*", but I would be happy to be proved wrong),
so it's always *interesting* to find some bugs in it: some are stockpiled
for CTF, the others go into [websec.fr](https://websec.fr), like this
one, which is still unfixed.

Burp gives priority to the charset declared in the HTML [`content-type`](https://www.w3.org/International/articles/http-charset/index)
`<meta>` tag over the one sent by the web server, while everyone else does it the
other way around. This means that when you're serving UTF-8 content with the
`<meta http-equiv="content-type" content="text/html;charset=UTF-16">` tag in the
webpage, Burp will try to decode its content as UTF-16, yielding a lot of weird
characters (usually Chinese, but I don't have the required fonts to display them correctly):

[![burp with utf-16]({static}/images/burp_utf16.png)]({static}/images/burp_utf16.png)

This can be fixed by forcing Burp to use UTF-8 in
**User options** -> **Display** -> **Character Sets** -> **Use a specific
character set**.

This is the correct, expected result:

[![burp with utf-8]({static}/images/burp_utf8.png)]({static}/images/burp_utf8.png)
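
The precedence difference described above, as an added example (not part of the original post and not Burp's code): it resolves the charset of a constructed UTF-8 response under both orders and flags responses where the header and the `<meta>` tag disagree. The sample response and all function names are assumptions made for illustration; BOM sniffing is left out.

```python
import re

# Constructed sample response: UTF-8 body whose <meta> tag claims UTF-16.
HEADERS = {"Content-Type": "text/html; charset=UTF-8"}
BODY = (
    b'<html><head><meta http-equiv="content-type" '
    b'content="text/html;charset=UTF-16"></head>'
    b"<body>Hello, flag is here</body></html>"
)

CHARSET_RE = re.compile(r'charset\s*=\s*["\']?([\w.:-]+)', re.I)
META_RE = re.compile(rb'<meta[^>]+charset\s*=\s*["\']?([\w.:-]+)', re.I)


def header_charset(headers):
    """Charset from the HTTP Content-Type header, or None."""
    m = CHARSET_RE.search(headers.get("Content-Type", ""))
    return m.group(1).lower() if m else None


def meta_charset(body):
    """Charset declared by a <meta> tag in the first 1024 bytes, or None."""
    m = META_RE.search(body[:1024])
    return m.group(1).decode("ascii").lower() if m else None


def resolve(headers, body, meta_first=False):
    """Pick a charset. meta_first=True mimics the behaviour described above;
    the default follows the usual order: HTTP header, then <meta>, then UTF-8."""
    order = [meta_charset(body), header_charset(headers)]
    if not meta_first:
        order.reverse()
    return next((c for c in order if c), "utf-8")


def mismatch(headers, body):
    """True when header and <meta> both declare a charset and they disagree."""
    h, m = header_charset(headers), meta_charset(body)
    return bool(h and m and h != m)


if __name__ == "__main__":
    for meta_first in (False, True):
        cs = resolve(HEADERS, BODY, meta_first)
        print(cs, "->", BODY.decode(cs, errors="replace")[:30])
    print("mismatch:", mismatch(HEADERS, BODY))
```

When reviewing proxy history, a `mismatch` hit is a cue to re-check the raw bytes or force the display charset before trusting what the rendered view shows.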
