[–] rst 15y ago ↗ Technical details here: https://grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Pri...The trick is to identify GET requests that will succeed only if the victim is logged into $SITE_OF_INTEREST, and bury them in an <img src="https://SITE_OF_INTEREST/more/stuff/here" onload="is_logged_in()" onerror="not_logged_in()" ...> If $SITE_OF_INTEREST doesn't have decent CSRF protection, this is an easy way for a rogue website to not only make a request, but observe the result.
2 comments
[ 3.2 ms ] story [ 16.2 ms ] threadThe trick is to identify GET requests that will succeed only if the victim is logged into $SITE_OF_INTEREST, and bury them in an
If $SITE_OF_INTEREST doesn't have decent CSRF protection, this is an easy way for a rogue website to not only make a request, but observe the result.