Abusing HTTP Status Codes to Expose Private Information | Mike Cardwell, Online

Abusing HTTP Status Codes to Expose Private Information | Mike Cardwell, Online.

The article above shows a creative way for a third-party website to find out whether you are logged in to a given website. The author gives Gmail, Facebook and Twitter as examples, but the same method can be applied to many web services.

The method is quite simple. Some pages require users to be logged in to access them. If you're logged in, the server serves the page normally and signals that with a 200 OK HTTP status code. If you're not logged in, you may instead get a status code in the error range (400-599). Then it's only a matter of using a simple JavaScript pattern ("do this if the request succeeds (200 OK)", "do this instead if the request produces an error"). Because your browser attaches the target site's cookies to the request even when a third-party page triggers it, the success-or-error outcome reveals your login state to that third party.
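The following is an added example, not code from Mike Cardwell's article or this post. It simulates the oracle in plain Node.js (no network; requests are constructed objects) and contrasts a leaky handler with two defences the article does not discuss: returning the same status code regardless of login state, and marking the session cookie SameSite=Lax so the browser does not attach it to cross-site subresource requests. The session store, cookie value and handler names are made up for the example.

```javascript
// Constructed session store: cookie value -> user name.
const SESSIONS = new Map([['sess-abc', 'alice']]);

// Leaky handler: the status code depends on login state. A third-party page
// that loads this URL as a <script> or <img> sees "load" vs "error" and learns
// whether the visitor is logged in here.
function leakyPrivatePage(req) {
  const user = SESSIONS.get(req.cookies.session);
  return user
    ? { status: 200, body: `private data for ${user}` }
    : { status: 403, body: 'login required' };
}

// Hardened handler: always 200. Logged-out visitors get the login form in the
// body, so the only thing an outside page can observe (load vs error) is
// identical in both cases.
function hardenedPrivatePage(req) {
  const user = SESSIONS.get(req.cookies.session);
  const body = user ? `private data for ${user}` : '<form>login</form>';
  return { status: 200, body };
}

// Models what the browser sends. Assumption: the browser honours SameSite, so
// a SameSite=Lax session cookie is not attached to cross-site subresource loads.
function browserFetch(handler, { loggedIn, crossSite, sameSiteLax }) {
  const cookies = {};
  if (loggedIn && !(crossSite && sameSiteLax)) cookies.session = 'sess-abc';
  return handler({ cookies });
}

// All the embedding third-party page ever learns is which event fired.
function thirdPartyObserves(handler, opts) {
  const res = browserFetch(handler, opts);
  return res.status >= 200 && res.status < 300 ? 'load' : 'error';
}

// An oracle exists when the observable event differs between the two states.
function isLoginOracle(handler, { crossSite = true, sameSiteLax = false } = {}) {
  const seenLoggedIn = thirdPartyObserves(handler, { loggedIn: true, crossSite, sameSiteLax });
  const seenLoggedOut = thirdPartyObserves(handler, { loggedIn: false, crossSite, sameSiteLax });
  return seenLoggedIn !== seenLoggedOut;
}
```

Either defence alone closes the oracle in this model; in practice both are worth applying, since a consistent status code also covers browsers or request types where the cookie would still be sent.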

The article gives some actual examples that will work for you if you're logged in to any of the websites mentioned.


About acastaner

I'm the EMEA Technical Lead for Application & Security at Spirent. I specialize in layer 4-7 technologies, Cloud, Programming and CyberSecurity.
