

Hacking HTTP Status Codes - tewks
http://www.schneier.com/blog/archives/2011/02/hacking_http_st.html

======
rst
Technical details here:
<https://grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Private_Information>

The trick is to identify GET requests that will succeed only if the victim is
logged into $SITE_OF_INTEREST, and bury them in an

    
    
    <img src="https://SITE_OF_INTEREST/more/stuff/here"
         onload="is_logged_in()"
         onerror="not_logged_in()"
         ...>
    

If $SITE_OF_INTEREST doesn't have decent CSRF protection, this is an easy way
for a rogue website to not only make a request, but observe the result.

------
johns
Original lengthy discussion <http://news.ycombinator.com/item?id=2139107>
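
A server-side counterpart to the probe rst describes, as an added example that is not part of the thread or the linked article: the site answers cross-site subresource loads of an auth-gated URL with the same status whether or not the visitor is logged in, so `onload`/`onerror` carries no signal. It assumes the browser sends Fetch Metadata request headers (`Sec-Fetch-Site`, `Sec-Fetch-Mode`, `Sec-Fetch-Dest`); the function names, the `/login` path, the `sid` cookie and the header/session object shapes are hypothetical.

```javascript
// Added example: names and request/session shapes are hypothetical.
// Assumes the browser sends Fetch Metadata request headers.
const TRUSTED_SITES = new Set(["same-origin", "same-site", "none"]);

// True when another site is loading this URL as a subresource (img, script, ...).
function isCrossSiteSubresource(headers) {
  const site = (headers["sec-fetch-site"] || "").toLowerCase();
  if (site === "" || TRUSTED_SITES.has(site)) return false; // no metadata: rely on SameSite
  const mode = (headers["sec-fetch-mode"] || "").toLowerCase();
  const dest = (headers["sec-fetch-dest"] || "").toLowerCase();
  // A cross-site top-level navigation (a followed link) is still allowed.
  return !(mode === "navigate" && dest === "document");
}

// Decide the response for an auth-gated GET.
function respond(headers, session) {
  if (isCrossSiteSubresource(headers)) {
    // Checked before the session is consulted, so the status cannot
    // depend on whether the visitor is logged in.
    return { status: 403 };
  }
  if (!session || !session.userId) return { status: 302, location: "/login" };
  return { status: 200 };
}

// Defence in depth: a SameSite cookie is not attached to cross-site
// subresource requests, so such a request arrives without a session.
function sessionCookie(id) {
  return `sid=${encodeURIComponent(id)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample requests (not captured traffic).
const embeddedImage = { "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "image" };
const ownPage = { "sec-fetch-site": "same-origin", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" };
const followedLink = { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" };

function demo() {
  const loggedIn = { userId: 42 };
  return [
    respond(embeddedImage, loggedIn).status, // 403
    respond(embeddedImage, null).status,     // 403
    respond(ownPage, loggedIn).status,       // 200
    respond(ownPage, null).status,           // 302
    respond(followedLink, loggedIn).status,  // 200
  ];
}
```

The first two results are the point: the embedded-image request gets 403 in both login states, while same-origin use of the page still distinguishes them.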

