by da02 2842 days ago
Could this have been harder to do if the insecure server inspected the HTTP content-type and response body in the response? Something like this (pseudo-code):

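  # Pass only when the response claims an image type and the body is not plain text.
  # MIME image types have the form image/<subtype>, so match on "image/".
  # plain_text?, pass and fail! are left undefined in this pseudo-code.
  if response.content_type =~ /image\//i && !plain_text?(response.body)
    pass
  else
    fail!()
  end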
1 comments

It could be, but I really don't know the designed solution.